05-30-2012 05:33 AM
I have an ASA5505 that has multiple tunnels of different sorts used for testing. I have recently set up a tunnel to a remote location that has on the other end a 1721 router. My location has an 877 ADSL router with the ASA5505 behind it. Since my IP address changes often due to poor DSL service, what I do on the ASA5505 is set it up as static to dynamic (remote end). This has worked very well going to a PIX506 and another 1721 here used for testing.
This recent 1721 I set up has an issue where I can pass traffic to the 1721 only to its inside interface IP. From the 1721 I can ping the whole network behind the ASA. Here is the relevant config for the 1721:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key XXXXXX address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set peer XXX.XXX.XXX dynamic
set transform-set IPSEC
match address 120
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.240
crypto map SDM_CMAP_1
ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp
ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240
ip nat inside source route-map NONAT interface Ethernet0 overload
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
route-map NONAT permit 10
match ip address 130
And for the ASA:
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.240
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 2 match address 1721_KS
crypto map OUTSIDE_MAP 2 set peer 7x.xx.xxx.xx
crypto map OUTSIDE_MAP 2 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 2 set nat-t-disable
On the remote end is a device at 10.10.10.3 that I can not ping, yet when I SSH to the 1721 I can ping it, so I know it is powered on. ICMP debug on the 1721 shows echo-reply from 192.168.2.1 to 10.10.10.1, but not 10.10.10.3.
I am thinking that there must be some really minor detail I must have missed somewhere.
05-30-2012 05:43 AM
What is the default gateway of 10.10.10.3? Is it the router's inside interface (10.10.10.1)?
Also, does the remote host happen to have a firewall enabled that might be blocking ping from different subnet?
05-30-2012 06:13 AM
I should have added, the 1721 has the Ethernet 0 (outside interface) configured via DHCP. 10.10.10.1 is the IP of the inside interface, which is the default gateway for that network.
05-30-2012 06:17 AM
Any other IP address within the 10.10.10.0 subnet that you can try to ping except the 10.10.10.3 host?
From the 1721, if you source your ping from the outside interface and try to ping 10.10.10.3, does that work?
05-30-2012 06:59 AM
I can also ping 10.10.10.2 from the 1721, but not from the remote end.
I tried pinging with a source of the outside interface and this was not successful.
At 10.10.10.2 there is a web service that I can access externally by doing a static NAT, but not via the VPN. I can ping across all other tunnels so it is not an issue of ICMP being disabled, just this one tunnel.
edit: The closest I ever came to a problem such as this, the issue was the other-end device had the wrong gateway configured. I have verified just to be sure, and no changes have been made, so the 1721's 10.10.10.1 is the default gateway for this network.
05-30-2012 07:07 AM
Can you please share the full config from both ends?
05-30-2012 09:08 AM
The 1721:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 1721-K9
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 ########
!
no aaa new-model
!
resource policy
!
clock timezone Chicago -6
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.5
!
ip dhcp pool DHCP
network 10.10.10.0 255.255.255.240
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip domain name ########
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ssh version 2
!
!
!
crypto pki trustpoint TP-self-signed-823528158
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-823528158
revocation-check none
rsakeypair TP-self-signed-823528158
!
!
crypto pki certificate chain TP-self-signed-823528158
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 38323335 32383135 38301E17 0D313130 31303331 34353133
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3832 33353238
31353830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B292D9F1 ED00569A 63DF0012 05045FFF C18EECAD 35904FD7 8A682C6C A1F60224
8DE240EE 4CFE8ECA 0B88CA7D CABB7FDF 58D6547B 586B0E3E 48B730E8 A27CB5A2
5505930F 2998AA04 FA939C1A DCDC3E37 5AA59AF6 03B4BD07 E730FA04 AF67D641
F5B7A6FF CC3BEF27 0B48BCC2 A9E344A5 E04A9687 149D2479 906EB088 BA526407
02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D
11041C30 1A821831 3732312D 4B392E73 626E2D73 65727669 6365732E 636F6D30
1F060355 1D230418 30168014 35F97A35 A42D69A2 538E43FA F344CC13 B66A3402
301D0603 551D0E04 16041435 F97A35A4 2D69A253 8E43FAF3 44CC13B6 6A340230
0D06092A 864886F7 0D010104 05000381 81007C8F 74E02033 54EF03BB 643F5DB0
D3D5C808 D94438E2 B400D30A D04AE016 331A80C0 8CBFCC70 C53B2E94 B0C6B8A2
7845D0EE B0E999AD FD5C4D64 D973A3F9 185C2121 CF6987BD 0DCD687F E209EA7A
2A9555F4 9714DF3E 272D5ECB 919CC817 5FFB17B3 EC6167DD C5F15538 9881CE34
8D6BB1D1 4527C43F 28D642C5 41B7D2EF BF2F
quit
username ######## privilege 15 password 7 ########
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ######## address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set IPSEC
match address 120
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
description $FW_OUTSIDE$
ip address dhcp
ip access-group 100 in
ip nat outside
ip virtual-reassembly
half-duplex
crypto map SDM_CMAP_1
!
interface FastEthernet0
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.240
ip nat inside
ip virtual-reassembly
speed auto
!
ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp
!
!
ip http server
ip http secure-server
ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240
ip nat inside source static tcp 10.10.10.2 81 interface Ethernet0 81
ip nat inside source static tcp 10.10.10.2 3389 interface Ethernet0 3389
ip nat inside source route-map NONAT interface Ethernet0 overload
!
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
snmp-server community public RO
!
!
route-map NONAT permit 10
match ip address 130
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input ssh
!
end
05-30-2012 02:41 PM
The reason why you can't access 10.10.10.2 is because you have static PAT configured, and that unfortunately takes precedence over your NONAT configuration on the router.
The only solution to resolve this issue is to add Ethernet0 ip address to the crypto ACL as you will only be able to access it via its public IP, not private IP.
05-30-2012 11:41 PM
You're referring to these two statements?
ip nat inside source static tcp 10.10.10.2 81 interface Ethernet0 81
ip nat inside source static tcp 10.10.10.2 3389 interface Ethernet0 3389
First, why would these two interfere with, say, communication with other endpoints (say 10.10.10.3)? More importantly, if I remove these two so my config looks like this now:
ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240
ip nat inside source route-map NONAT interface Ethernet0 overload
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
route-map NONAT permit 10
match ip address 130
Still does not work. Yet another 1721 that is doing static to static with the ASA does work:
ip nat pool 101 192.168.1.1 192.168.1.30 netmask 255.255.255.224
ip nat inside source route-map NONAT interface FastEthernet0 overload
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
route-map NONAT permit 10
match ip address 130
The difference between these two is that one (working) has a static IP whereas the other (non-working) is via DHCP, so thus the
Non-working 1721:
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set IPSEC
match address 120
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
Working 1721:
crypto map CRYPTO_IPSEC 11 ipsec-isakmp
set peer 192.168.0.3
set transform-set IPSEC
match address 120
So I would almost have to think that part of the problem has to do with this 1721 being dynamic. This ASA already has an existing working tunnel out to a PIX506 that is dynamic (ASA5505) to static (PIX506). On the ASA side the configs are the same between this working PIX506 and the non-working 1721.
I previously did try to set a static on the 1721 and used the set peer dynamic:
crypto map CRYPTO_IPSEC 11 ipsec-isakmp
set peer HOSTNAME dynamic
set transform-set IPSEC
match address 120
I removed the two static NAT entries forwarding to 10.10.10.2, but still can not access anything but the inside interface of the 1721 (even though I have verified two of the devices are responding internally).
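As an added check for the crypto ACL and NAT points raised in the first post and in this exchange (my own example, not code from the thread or from Cisco): the script below parses the IOS wildcard-mask ACLs and the ASA netmask ACL posted above, confirms that the two crypto ACLs are exact mirrors of each other, and then walks a few constructed flows through the 1721's inside-to-outside order as modelled here: static PAT first, then the route-map NONAT decision on ACL 130, then crypto ACL 120. The precedence of the static tcp entries over the route-map is taken from the reply above and is an assumption of the model; confirm it on the box with show ip nat translations and debug ip nat. The sample flows (ICMP from 10.10.10.3, TCP from 10.10.10.2 on port 81 and on an ephemeral port, DNS to 8.8.8.8) are constructed, not taken from the thread.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[str, str, Net, Net]  # (ACL name, action, source, destination)

# ACEs and static PAT lines copied from the 1721 and ASA configs posted in this thread.
IOS_ACLS = """
access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.15 any
"""
ASA_ACLS = """
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
"""
STATIC_PAT = """
ip nat inside source static tcp 10.10.10.2 81 interface Ethernet0 81
ip nat inside source static tcp 10.10.10.2 3389 interface Ethernet0 3389
"""


def _take_net(tokens: List[str], wildcard: bool) -> Net:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'. IOS writes MASK as a
    wildcard (1 bits = don't care); the ASA writes it as a netmask."""
    tok = tokens.pop(0)
    if tok == "any":
        return Net("0.0.0.0/0")
    if tok == "host":
        return Net(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:
        w = int(ipaddress.IPv4Address(mask))
        if (w + 1) & w:                       # must be a contiguous run of low 1 bits
            raise ValueError(f"non-contiguous wildcard {mask}")
        prefix = 32 - w.bit_length()          # 0.0.0.15 -> /28, 0.0.0.255 -> /24
    else:
        prefix = Net("0.0.0.0/" + mask).prefixlen
    return Net((tok, prefix), strict=False)


def parse_acl(text: str, wildcard: bool) -> List[Ace]:
    """Parse 'access-list NAME [extended] permit|deny ip SRC DST' lines."""
    aces: List[Ace] = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        name, t = t[1], t[2:]
        if t[0] == "extended":                # ASA keyword, absent on IOS
            t.pop(0)
        action, proto = t.pop(0), t.pop(0)
        if proto != "ip":
            raise ValueError("this example only models protocol 'ip' entries")
        src = _take_net(t, wildcard)
        dst = _take_net(t, wildcard)
        aces.append((name, action, src, dst))
    return aces


def crypto_acls_mirror(local: List[Ace], remote: List[Ace]) -> bool:
    """Phase 2 proxy IDs must be exact mirrors: every permitted (src, dst) on one
    side appears as (dst, src) on the other, with nothing extra on either side."""
    mine = {(s, d) for _, a, s, d in local if a == "permit"}
    theirs = {(d, s) for _, a, s, d in remote if a == "permit"}
    return mine == theirs


def parse_static_pat(text: str) -> List[Tuple[str, ipaddress.IPv4Address, int]]:
    """'ip nat inside source static tcp LOCAL LPORT interface IF GPORT' -> (proto, local, lport)."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
            rules.append((t[5], ipaddress.IPv4Address(t[6]), int(t[7])))
    return rules


def first_match(aces: List[Ace], name: str, src, dst) -> str:
    """Cisco ACLs are first-match with an implicit deny at the end."""
    for n, action, s, d in aces:
        if n == name and src in s and dst in d:
            return action
    return "deny"


def classify(src: str, dst: str, proto: str, sport: int, acls: List[Ace], pat_rules) -> str:
    """Modelled inside-to-outside order (assumption, see lead-in): a static PAT entry
    wins for the exact (proto, address, port) it names and the rewritten source no
    longer matches the crypto ACL; otherwise ACL 130 decides translation (deny = leave
    untranslated, permit = overload); untranslated traffic is then tested against 120."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for p, ip, port in pat_rules:
        if proto == p and s == ip and sport == port:
            return "static-pat"
    if first_match(acls, "130", s, d) == "permit":
        return "pat-overload"
    if first_match(acls, "120", s, d) == "permit":
        return "encrypt"
    return "clear"


if __name__ == "__main__":
    ios, asa = parse_acl(IOS_ACLS, True), parse_acl(ASA_ACLS, False)
    print("crypto ACLs mirror:", crypto_acls_mirror([a for a in ios if a[0] == "120"], asa))
    for flow in [("10.10.10.3", "192.168.2.1", "icmp", 0), ("10.10.10.2", "192.168.2.1", "tcp", 81)]:
        print(flow, "->", classify(*flow, ios, parse_static_pat(STATIC_PAT)))
```

Run the file directly to print the mirror check and the classification of each sample flow. Note what the model says: a static PAT keyed on tcp/81 only captures replies from 10.10.10.2 port 81, which is the web service mentioned earlier in the thread; ICMP from 10.10.10.3 never touches those entries and is classified as encrypted, so the static PAT lines alone do not explain the missing pings.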
05-30-2012 11:55 PM
Can you please clear the SA - clear cry sa, and try to ping across to 10.10.10.2 and 10.10.10.3, and please share the output of "show cry ipsec sa" from both ASA and 1721.
05-31-2012 03:29 AM
ASA5505#show cry ipsec sa
Crypto map tag: OUTSIDE_MAP, seq num: 2, local addr: 192.168.0.3
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)
current_peer: 75.8x.xxx.xxx
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.0.3/0, remote crypto endpt.: 75.8x.xxx.xxx/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: A76FA66F
current inbound spi : A6CFB28F
inbound esp sas:
spi: 0xA6CFB28F (2798629519)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 471040, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4373999/3484)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xA76FA66F (2809112175)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 471040, crypto-map: OUTSIDE_MAP
sa timing: remaining key lifetime (kB/sec): (4373998/3483)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
1721-K9#show cry ipsec sa
interface: Ethernet0
Crypto map tag: CRYPTO_IPSEC, local addr 75.8x.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
current_peer (none) port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 84.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 75.8x.xxx.xxx, remote crypto endpt.: 84.xx.xx.xx
path mtu 1500, ip mtu 1500
current outbound spi: 0xA6CFB28F(2798629519)
inbound esp sas:
spi: 0xA76FA66F(2809112175)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 75, flow_id: C1700_EM:75, crypto map: CRYPTO_IPSEC
sa timing: remaining key lifetime (k/sec): (4590216/3376)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA6CFB28F(2798629519)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 76, flow_id: C1700_EM:76, crypto map: CRYPTO_IPSEC
sa timing: remaining key lifetime (k/sec): (4590218/3375)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
1721-K9#
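The two "show cry ipsec sa" outputs above carry the diagnosis in their counters. As an added example (mine, not from the thread or from Cisco), the script below parses trimmed copies of both outputs, checks that the SPI pair and the proxy identities agree on both ends, and compares what each side encapsulated with what the other decapsulated. The 0.5 reply-ratio threshold in verdict is an arbitrary choice for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trimmed from the two outputs posted above: only the lines this parser reads.
ASA_SA = """
  local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)
  #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
  #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
  inbound esp sas:
    spi: 0xA6CFB28F (2798629519)
  outbound esp sas:
    spi: 0xA76FA66F (2809112175)
"""
IOS_SA = """
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
   #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
   inbound esp sas:
    spi: 0xA76FA66F(2809112175)
   inbound ah sas:
   outbound esp sas:
    spi: 0xA6CFB28F(2798629519)
"""


@dataclass
class Flow:
    """One proxy-ID pair (a local/remote ident block) with its counters and SPIs."""
    local: str
    remote: str = ""
    encaps: int = 0
    decaps: int = 0
    inbound_spi: Optional[int] = None
    outbound_spi: Optional[int] = None


_IDENT = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \((\S+)\)")
_PKTS = re.compile(r"^#pkts (encaps|decaps): (\d+)")
_SECTION = re.compile(r"^(inbound|outbound) (\w+) sas")
_SPI = re.compile(r"^spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> List[Flow]:
    """ASA and IOS print the same ident/counter/SA layout, so one walker serves both."""
    flows: List[Flow] = []
    section = None                  # "inbound" / "outbound" while inside an ESP SA block
    for raw in text.splitlines():
        line = raw.strip()
        m = _IDENT.match(line)
        if m:
            if m.group(1) == "local":
                flows.append(Flow(local=m.group(2)))
                section = None
            else:
                flows[-1].remote = m.group(2)
            continue
        if not flows:
            continue
        m = _PKTS.match(line)
        if m:
            setattr(flows[-1], m.group(1), int(m.group(2)))
            continue
        m = _SECTION.match(line)
        if m:                       # ah/pcp sections carry no SPI in these outputs; ignore them
            section = m.group(1) if m.group(2) == "esp" else None
            continue
        m = _SPI.match(line)
        if m and section:
            setattr(flows[-1], section + "_spi", int(m.group(1), 16))
    return flows


def active_flows(flows: List[Flow]) -> List[Flow]:
    """Only flows with an ESP SA pair; the IOS output also lists an ICMP-only
    (prot 1) identity with no SA and zero counters."""
    return [f for f in flows if f.inbound_spi is not None and f.outbound_spi is not None]


def diagnose(a: Flow, b: Flow) -> Dict[str, object]:
    """a and b are the same tunnel as seen from each end."""
    return {
        "spi_pair_consistent": a.outbound_spi == b.inbound_spi and a.inbound_spi == b.outbound_spi,
        "proxy_ids_mirror": a.local == b.remote and a.remote == b.local,
        "a_to_b_delivered": a.encaps > 0 and b.decaps > 0,
        "b_to_a_delivered": b.encaps > 0 and a.decaps > 0,
        "reply_ratio_at_a": round(a.decaps / a.encaps, 2) if a.encaps else None,
    }


def verdict(r: Dict[str, object]) -> str:
    if not (r["spi_pair_consistent"] and r["proxy_ids_mirror"]):
        return "sa-mismatch"        # the two ends are not describing the same SA pair
    if not r["a_to_b_delivered"]:
        return "no-forward-traffic"  # nothing is even reaching the far end
    ratio = r["reply_ratio_at_a"]
    if ratio is not None and ratio < 0.5:   # 0.5 is an arbitrary threshold chosen for this example
        return "replies-missing"    # delivered, but the far side is not answering through the tunnel
    return "healthy"


if __name__ == "__main__":
    asa = active_flows(parse_ipsec_sa(ASA_SA))[0]
    ios = active_flows(parse_ipsec_sa(IOS_SA))[0]
    result = diagnose(asa, ios)
    print(result, verdict(result))
```

With the posted numbers the SAs line up (the ASA's outbound SPI 0xA76FA66F is the 1721's inbound SPI and vice versa), 18 packets left the ASA and the 1721 decapsulated 22, but only 4 came back. That agrees with the ICMP debug in the first post: replies from 10.10.10.1, nothing from 10.10.10.3. The tunnel itself is doing its job; the place to look is between the 1721's inside interface and the hosts, or in the return path before the reply reaches the crypto map.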
05-31-2012 04:29 AM
Firstly, if you can't even ping when sourcing from the outside interface, that means it might be something blocking on the host itself; otherwise, pinging from the outside interface should work. Can you check if there is any firewall on the host that might be blocking inbound ping?
Secondly, the fact that you can ping from the router is because you have a router interface in the same subnet, and normally that is allowed (pinging from the same subnet).
Lastly, based on the output provided, that means packets come inbound towards the router; however, there is no reply back. Again, I would check the host and see if there is any firewall, etc. that might be blocking it.
BTW, can you ping from the 10.10.10.2 or .3 hosts towards the ASA end?
06-01-2012 03:49 AM
I set up another 1721 here, same IOS version. This time I used the config from my other 1721 here and just made step-by-step changes to adjust to this remote 1721 (yes, I have a few of these). Eventually got the tunnel to work... somewhat, by changing
crypto isakmp key ######## address 0.0.0.0 0.0.0.0 no-xauth
to
crypto isakmp key ######## address 0.0.0.0 0.0.0.0
The reason I had put in no-xauth is simply that this is what I needed to do with one of the other existing tunnels to a PIX506, due to my end having a dynamically changing IP (my DSL connection drops a lot, and each time it is a new IP). For the PIX I had to do:
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
The tunnel went up between the ASA and the remote 1721, and stayed that way for a while. I could now access the 2 devices at 10.10.10.2 and 10.10.10.3 via their web management GUI. However, ICMP just would not work. Could this be an ACL issue? I don't see why it would, since I have here two 1721s with the exact same ACLs and near-similar configs, and I can ping devices without issue, including the inside interfaces of the routers. Yet this one particular remote 1721 will not let me ping anything. I can bring the tunnel up by doing a ping, but that is it.
For example this new test 1721 I just configured:
crypto isakmp key ######## address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac
!
crypto map CRYPTO_IPSEC 11 ipsec-isakmp
set peer ASA.#######.net dynamic
set transform-set IPSEC
match address 120
!
ip nat pool NAT 175.20.20.1 175.20.20.15 netmask 255.255.255.240
ip nat inside source route-map NONAT interface Ethernet0 overload
!
access-list 120 permit ip 175.20.20.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 deny ip 175.20.20.0 0.0.0.15 192.168.2.0 0.0.0.255
access-list 130 permit ip 175.20.20.0 0.0.0.15 any
!
route-map NONAT permit 10
match ip address 130
Almost matches the remote 1721 except for the local subnet. This tunnel works, stays up, can ping the inside interface and a device directly connected to it at 175.20.20.2.
And finally, to answer the question: no, there is no internal firewalling etc. that would be blocking ICMP. The one device at 10.10.10.3 is a very simple and dumb device; the other is configured to allow ICMP, and these work at other sites. It is just something unique to this remote 1721/tunnel/config.
06-01-2012 04:21 AM
Is the following NAT pool needed at all in the config?
ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240
I don't see that referenced anywhere, and it also overlaps with your internal IP range. Just remove it from the configuration, as it is not required.
05-30-2012 09:09 AM
The ASA5505:
: Saved
:
ASA Version 8.4(4)
!
hostname ASA5505
domain-name ########
enable password ######## encrypted
passwd ######## encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.0.3 255.255.255.224
!
interface Vlan12
no nameif
security-level 100
ip address 192.168.3.1 255.255.255.192
!
interface Vlan22
no nameif
security-level 100
ip address 192.168.4.1 255.255.255.192
!
interface Vlan32
no nameif
security-level 100
ip address 192.168.5.1 255.255.255.192
!
interface Vlan42
no nameif
security-level 100
ip address 192.168.6.1 255.255.255.192
!
interface Vlan52
no nameif
security-level 100
ip address 192.168.7.1 255.255.255.192
!
boot system disk0:/asa844-k8.bin
boot system disk0:/asa843-k8.bin
boot system disk0:/asa832-13-k8.bin
boot system disk0:/asa823-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.200
name-server 192.168.2.1
domain-name ########
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-172.31.255.0
subnet 172.31.255.0 255.255.255.224
object network obj-172.100.1.0
subnet 172.100.1.0 255.255.255.224
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.224
object network obj-175.10.10.0
subnet 175.10.10.0 255.255.255.240
object network obj-172.16.10.0
subnet 172.16.10.0 255.255.255.192
object network obj-10.10.8.0
subnet 10.10.8.0 255.255.255.0
object network obj-192.168.2.1
host 192.168.2.1
object network obj-192.168.2.200
host 192.168.2.200
object network obj-192.168.2.2
host 192.168.2.2
object network obj-192.168.2.3
host 192.168.2.3
object network obj-192.168.2.7
host 192.168.2.7
object network obj-192.168.2.5
host 192.168.2.5
object network obj-10.10.10.0
subnet 10.10.10.0 255.255.255.240
object network obj-10.10.20.0
subnet 10.10.20.0 255.255.255.240
object-group network obj_any
object-group service EventLog_Analyzer tcp
port-object eq 8400
object-group service OpManager tcp
port-object eq 8060
object-group icmp-type LAN_ECHO
icmp-object echo
icmp-object echo-reply
object-group icmp-type DM_INLINE_ICMP_1
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
object-group service DM_INLINE_SERVICE_2
service-object icmp
service-object icmp echo
service-object icmp echo-reply
access-list REMOTE_RA extended permit ip any 172.31.255.0 255.255.255.224
access-list REMOTE_RA extended permit ip any 172.100.1.0 255.255.255.224
access-list 101 extended permit ip interface inside any
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 172.31.255.0 255.255.255.224
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 172.100.1.0 255.255.255.224
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.224
access-list NO_NAT extended permit ip 175.10.10.0 255.255.255.240 192.168.1.0 255.255.255.224
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 172.16.10.0 255.255.255.192
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 175.10.10.0 255.255.255.240
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
access-list 1721_Static extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.224
access-list 1721_Static extended permit ip 175.10.10.0 255.255.255.240 192.168.1.0 255.255.255.224
access-list 1721_Dynamic extended permit ip 192.168.2.0 255.255.255.0 172.16.10.0 255.255.255.192
access-list 1721_T extended permit ip 192.168.2.0 255.255.255.0 10.10.20.0 255.255.255.240
access-list PIX506_cryptomap extended permit ip 192.168.2.0 255.255.255.0 175.10.10.0 255.255.255.240
access-list PIX506_cryptomap extended permit ip 192.168.1.0 255.255.255.128 175.10.10.0 255.255.255.240
access-list ACL_IN extended permit tcp any host 192.168.2.1 eq www
access-list ACL_IN extended permit tcp any host 192.168.2.1 eq https
access-list ACL_IN extended permit tcp any host 192.168.2.200 eq https
access-list ACL_IN extended permit tcp any host 192.168.2.200 eq www
access-list ACL_IN extended permit tcp any host 192.168.2.200 eq 3389
access-list ACL_IN extended permit udp any host 192.168.2.200 eq domain
access-list ACL_IN extended permit tcp any host 192.168.2.3 eq www
access-list ACL_IN extended permit udp host 192.168.0.1 host 192.168.2.200 eq radius
access-list ACL_IN extended permit udp host 192.168.0.1 host 192.168.2.200 eq radius-acct
access-list ACL_IN extended permit tcp any host 192.168.2.2 eq www
access-list ACL_IN extended permit tcp any host 192.168.2.2 eq https
access-list ACL_IN extended permit udp any host 192.168.2.2 eq syslog
access-list ACL_IN extended permit udp any host 192.168.2.1 eq 1026
access-list ACL_IN extended permit udp any host 192.168.2.1 eq 1027
access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 8060
access-list ACL_IN extended permit udp any host 192.168.2.1 eq 9996
access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 8400
access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 1875
access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 81
access-list ACL_IN extended permit udp any host 192.168.2.7 eq tftp
access-list ACL_IN extended permit tcp any host 192.168.2.5 eq 32400
access-list ACL_IN extended permit udp any host 192.168.2.5 eq 32400
access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240
pager lines 24
logging enable
logging timestamp
logging emblem
logging monitor debugging
logging buffered debugging
logging trap informational
logging asdm informational
logging host inside 192.168.2.1 17/1025 format emblem
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside 192.168.2.1 9996
flow-export delay flow-create 3
mtu inside 1500
mtu outside 1500
ip local pool L2TP 172.31.255.10-172.31.255.15 mask 255.255.255.224
ip local pool VPN 172.100.1.10-172.100.1.20 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-649.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-172.31.255.0 obj-172.31.255.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-172.100.1.0 obj-172.100.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-175.10.10.0 obj-175.10.10.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-172.16.10.0 obj-172.16.10.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-175.10.10.0 obj-175.10.10.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp route-lookup
nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup
!
object network obj-192.168.2.0
nat (inside,outside) dynamic interface
object network obj-192.168.2.1
nat (inside,outside) static 192.168.0.6
object network obj-192.168.2.200
nat (inside,outside) static 192.168.0.7
object network obj-192.168.2.2
nat (inside,outside) static 192.168.0.8
object network obj-192.168.2.3
nat (inside,outside) static 192.168.0.9
object network obj-192.168.2.7
nat (inside,outside) static 192.168.0.11
object network obj-192.168.2.5
nat (inside,outside) static 192.168.0.12
access-group ACL_IN in interface outside
!
router eigrp 1
network 172.31.255.0 255.255.255.224
network 172.100.1.0 255.255.255.224
network 175.10.10.0 255.255.255.240
network 192.168.0.0 255.255.255.224
network 192.168.2.0 255.255.255.0
network 192.168.3.0 255.255.255.192
network 192.168.4.0 255.255.255.192
network 192.168.5.0 255.255.255.192
network 192.168.6.0 255.255.255.192
network 192.168.7.0 255.255.255.192
!
route outside 0.0.0.0 0.0.0.0 192.168.0.1 1
route outside 192.168.1.0 255.255.255.128 175.12.10.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value Internal
aaa-server RADIUS protocol radius
accounting-mode simultaneous
interim-accounting-update
aaa-server RADIUS (inside) host 192.168.2.200
key *****
radius-common-pw *****
acl-netmask-convert auto-detect
aaa-server ######## protocol nt
aaa-server ######## (inside) host 192.168.2.200
nt-auth-domain-controller ########
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http server idle-timeout 60
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 192.168.2.1 community ***** version 2c
snmp-server host inside 192.168.2.7 poll community ***** version 2c
snmp-server location ########
snmp-server contact Administrator
snmp-server community *****
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_AES128_SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_AES128_SHA mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_AES192_SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_AES192_SHA mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA TRANS_ESP_AES192_SHA
crypto map OUTSIDE_MAP 1 match address 1721_Static
crypto map OUTSIDE_MAP 1 set peer 175.12.10.2
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 2 match address 1721_KS
crypto map OUTSIDE_MAP 2 set peer 75.########
crypto map OUTSIDE_MAP 2 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 3 match address PIX506_cryptomap
crypto map OUTSIDE_MAP 3 set peer 75.########
crypto map OUTSIDE_MAP 3 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_MAP 3 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5
crypto map OUTSIDE_MAP 3 set nat-t-disable
crypto map OUTSIDE_MAP 4 match address 1721_T
crypto map OUTSIDE_MAP 4 set peer 10.10.2.7
crypto map OUTSIDE_MAP 4 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_MAP 4 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map OUTSIDE_MAP 4 set nat-t-disable
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_MAP interface inside
crypto map OUTSIDE_MAP interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ASA5505
keypair SSL
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment self
subject-name CN=ASA5505
keypair SSH
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 26ed064f
308201dd 30820146 a0030201 02020426 ed064f30 0d06092a 864886f7 0d010105
05003033 3110300e 06035504 03130741 53413535 3035311f 301d0609 2a864886
f70d0109 02161041 53413535 30352e52 6f6d652e 6e657430 1e170d31 32303130
36313332 3535355a 170d3232 30313033 31333235 35355a30 33311030 0e060355
04031307 41534135 35303531 1f301d06 092a8648 86f70d01 09021610 41534135
3530352e 526f6d65 2e6e6574 30819f30 0d06092a 864886f7 0d010101 05000381
8d003081 89028181 00ab1325 ad6a055a aefb838c 9ee8fb9d c9308a17 857b3b00
651813dc 58a37c47 2d75cb41 754f6637 42149903 5411b6de ac7064de 682224f4
df2746e5 78ce9494 1da46ccc df61f9b2 472418d8 68d54655 c9b7453f 4b912c43
badf823a 162c78d3 e4f682b4 7c735f87 877361e9 350701b9 7d787af8 67c69ffb
b1e55d02 93f29330 81020301 0001300d 06092a86 4886f70d 01010505 00038181
00311073 21a9cc45 37f53536 f96c082e e2f37bac 3f7c5d51 3094f1f3 361be381
94b3ab1f 438b8be1 c8e74b2f a65de64e fa65f5f9 e69c9be9 120306d5 9bcf499b
27cca1b1 0e2eecbc 13842335 812cf26d a9254877 25480d54 b23a599a c9166517
afa98f45 552236d5 bcbe5aad abc10b96 61505a02 3fb1cc96 cf9c108e 6666d2af
6f
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate 57ef2c4f
30820347 3082022f a0030201 02020457 ef2c4f30 0d06092a 864886f7 0d010105
05003033 3110300e 06035504 03130741 53413535 3035311f 301d0609 2a864886
f70d0109 02161041 53413535 30352e52 6f6d652e 6e657430 1e170d31 32303230
37323235 3330325a 170d3232 30323034 32323533 30325a30 33311030 0e060355
04031307 41534135 35303531 1f301d06 092a8648 86f70d01 09021610 41534135
3530352e 526f6d65 2e6e6574 30820122 300d0609 2a864886 f70d0101 01050003
82010f00 3082010a 02820101 00bb4670 76d8c9eb d0ee0564 6ce430e3 608f96d5
cce181ad 1e5d6fb1 4d212c39 6463a625 e935a6b1 e3b49321 098e8df4 e8274ede
3876c33d e0f887c3 78530fcc b83dd5e7 a7b93700 8c5a127f 5d12575b 43cf9e69
0f8017ba 05a80d49 0b70c0ad f321b1cd e586e4af 9c7b6a35 c59d5b62 4e265dbf
fbb7ede7 78ad0a47 25929058 18f87707 517795aa 799789f3 ecc4de41 6a468951
e75d20e9 92798d88 d852ffcf 45f1601b ef6bbf8d 09bd82f4 42e1fe5c c8f7e595
4348b5cf 05f3e9dc f8532211 9b622a0f 47344052 95a2127d 3710ad84 fb102256
f6a4adce f9130182 bd56ba9d 81078477 d0bcc5f6 24153e26 34950af0 ec65a0cd
e219bfdd 5e8cd1e3 1bf5cd3e b3020301 0001a363 3061300f 0603551d 130101ff
04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355 1d230418
30168014 d8d6aa48 c377600f 70db8284 847a4bdb 99ed9f06 301d0603 551d0e04
160414d8 d6aa48c3 77600f70 db828484 7a4bdb99 ed9f0630 0d06092a 864886f7
0d010105 05000382 0101001b 4e2a1854 1e98a785 521f2bde 7dc8bbac 4a4e4625
50bd5cc2 7d5dcf68 3e0b924d a1c28b4e 025eb791 4e12a421 f52f8350 7e9889bd
c8797d00 ec29a508 aa24de74 e9a9b885 7a10cf6c c9e54a95 c8cd6663 6170b142
cc347da8 4f2ca9ac 39a868d4 a15ad9b7 f0c782f6 475f8daa 5a6b1168 7fff4cbd
a0867e0c 038633ed 740787db 1754eea2 b76e1e85 5e8ba93c e91b0aff 83db8260
35d9d4f1 d3512761 7531999c 8e358f72 c84c2074 81986f9a f602bc1b c832730b
3c18ccfa 6ba59fe3 0975e164 b34f0285 22368bce e525f1a3 79813fff e665e408
acf48498 f2735919 2f70e5ed 0def8c87 f301b2e2 fa878a6c 199436de 1432e86d
046a5d2e 6c482744 b81e53
quit
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet 192.168.2.7 255.255.255.255 inside
telnet 192.168.2.1 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.1 source inside
ntp server 192.168.2.200 source inside
ntp server 204.15.208.61 source outside prefer
ntp server 72.14.189.114 source outside
ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1
ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 outside
ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable inside
enable outside
internal-password enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.2.200 192.168.2.1
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-network-list value REMOTE_RA
default-domain value Rome.net
address-pools value L2TP
webvpn
url-list value Internal
group-policy DfltGrpPolicy attributes
dns-server value 192.168.2.200
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
address-pools value L2TP
webvpn
url-list value Internal
anyconnect ssl compression deflate
anyconnect modules value dart,vpngina
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy 1721_Dynamic internal
group-policy 1721_Dynamic attributes
vpn-filter value 1721_Dynamic
vpn-tunnel-protocol ikev1 l2tp-ipsec
username ######## password ######## nt-encrypted privilege 5
username ######## attributes
vpn-group-policy DefaultRAGroup
vpn-framed-ip-address 172.31.255.10 255.255.255.224
webvpn
url-list value Internal
username ######## password ######## nt-encrypted privilege 15
username ######## attributes
vpn-group-policy DefaultRAGroup
vpn-framed-ip-address 172.31.255.10 255.255.255.224
webvpn
url-list value Internal
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP
authentication-server-group RADIUS LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool L2TP
authentication-server-group RADIUS
tunnel-group DefaultWEBVPNGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy
tunnel-group 175.12.10.2 type ipsec-l2l
tunnel-group 175.12.10.2 general-attributes
default-group-policy GroupPolicy1
tunnel-group 175.12.10.2 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 10.10.2.7 type ipsec-l2l
tunnel-group 10.10.2.7 general-attributes
default-group-policy GroupPolicy2
tunnel-group 10.10.2.7 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 1721_Dyn type remote-access
tunnel-group 1721_Dyn general-attributes
default-group-policy 1721_Dynamic
tunnel-group 1721_Dyn ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
tunnel-group 75.######## type ipsec-l2l
tunnel-group 75.######## general-attributes
default-group-policy GroupPolicy2
tunnel-group 75.######## ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 75.######## type ipsec-l2l
tunnel-group 75.######## general-attributes
default-group-policy GroupPolicy2
tunnel-group 75.######## ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect netbios NETBIOS_MAP
parameters
protocol-violation action log
policy-map type inspect http HTTP_INSPECT
parameters
protocol-violation action log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect http
inspect icmp
inspect icmp error
inspect ils
inspect snmp
class global-class
flow-export event-type all destination 192.168.2.1
!
service-policy global_policy global
smtp-server 192.168.2.1
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command vpn-sessiondb
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7eec8fbede8a196128a9f104fa9e4ea9
: end
asdm image disk0:/asdm-649.bin
asdm location 192.168.2.7 255.255.255.255 inside
asdm location 192.168.1.0 255.255.255.128 inside
no asdm history enable
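The four `crypto ikev1 policy` entries above are what the ASA offers during IKEv1 phase 1, and the ASA walks them in priority order (lowest number first) and takes the first one that any peer proposal matches exactly on encryption, hash, authentication and DH group. The following Python helper is an added illustration of that selection, not code from the original post or from Cisco: the local policy list is transcribed from the config above, the peer proposals are constructed for the example, and the lifetime rule (peer lifetime must not exceed the local one, the shorter value is used) is the documented Cisco behaviour as assumed here. It also flags which of the negotiable policies still rely on 3DES or MD5, which is the check a reviewer of this config would want to run.

```python
"""IKEv1 phase 1 (ISAKMP) policy matching, as a worked illustration.

Hypothetical helper, not Cisco or the original poster's code.
Local policies are the four 'crypto ikev1 policy' entries from the ASA
config above; the peer proposal sets are constructed for the example.
Matching rule assumed here: policies are tried in priority order (lowest
number first); a peer proposal matches when encryption, hash,
authentication and DH group are identical and the peer lifetime is no
longer than the local one (the shorter lifetime is then used).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str       # "aes", "3des", "des", ...
    hash: str             # "sha", "md5"
    authentication: str   # "pre-share", "rsa-sig", ...
    group: int            # Diffie-Hellman group number
    lifetime: int = 86400 # seconds


# Local ASA policies, transcribed from the 'crypto ikev1 policy' block above.
ASA_POLICIES = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(30, "3des", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(50, "3des", "md5", "pre-share", 2, 86400),
    IsakmpPolicy(90, "aes", "sha", "pre-share", 5, 86400),
]

# Constructed peer proposals: a router offering 3DES/SHA and 3DES/MD5, group 2.
PEER_3DES_ROUTER = [
    IsakmpPolicy(10, "3des", "sha", "pre-share", 2, 86400),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 86400),
]

# Constructed peer that only offers AES with DH group 14: nothing local matches.
PEER_GROUP14_ONLY = [
    IsakmpPolicy(10, "aes", "sha", "pre-share", 14, 86400),
]

# Algorithms a defender should treat as weak when reviewing an IKEv1 policy set.
WEAK_ALGORITHMS = {"des", "3des", "md5"}


def proposals_match(local: IsakmpPolicy, remote: IsakmpPolicy) -> bool:
    """Exact match on the four negotiated attributes plus the lifetime rule."""
    return (
        local.encryption == remote.encryption
        and local.hash == remote.hash
        and local.authentication == remote.authentication
        and local.group == remote.group
        and remote.lifetime <= local.lifetime
    )


def negotiate(local_policies: List[IsakmpPolicy],
              peer_proposals: List[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Return (local policy, matching peer proposal, agreed lifetime) for the
    first local policy in priority order that any peer proposal matches, or
    None when phase 1 cannot complete."""
    for local in sorted(local_policies, key=lambda p: p.priority):
        for remote in peer_proposals:
            if proposals_match(local, remote):
                return local, remote, min(local.lifetime, remote.lifetime)
    return None


def weak_algorithms(policy: IsakmpPolicy) -> List[str]:
    """List the weak primitives a policy would negotiate (DH group 1 included)."""
    found = sorted({policy.encryption, policy.hash} & WEAK_ALGORITHMS)
    if policy.group == 1:
        found.append("group1")
    return found


def audit(local_policies: List[IsakmpPolicy]) -> List[Tuple[int, List[str]]]:
    """Priority numbers of local policies that carry weak algorithms."""
    return [(p.priority, weak_algorithms(p))
            for p in sorted(local_policies, key=lambda p: p.priority)
            if weak_algorithms(p)]


if __name__ == "__main__":
    result = negotiate(ASA_POLICIES, PEER_3DES_ROUTER)
    if result:
        local, remote, life = result
        print(f"phase 1 agreed on local policy {local.priority} "
              f"({local.encryption}/{local.hash}/group {local.group}), "
              f"lifetime {life}s; weak: {weak_algorithms(local)}")
    print("no match with group-14-only peer:",
          negotiate(ASA_POLICIES, PEER_GROUP14_ONLY) is None)
    print("policies carrying weak algorithms:", audit(ASA_POLICIES))
```

With the constructed 3DES router, the ASA settles on policy 30 (3DES/SHA/group 2) even though the peer also offered MD5, because 30 is tried before 50; the audit shows that policies 30 and 50 are the only ones that would let a 3DES or MD5 proposal through, so removing them is what it takes to force AES/SHA peers onto policy 10 or 90.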