
VPN not coming up

joanabotto
Level 1

Hi,

I'm setting up a Site-to-Site VPN tunnel, but I'm facing a problem that I think is related to phase 1.
I've pasted below the part of my configuration that I think is relevant.
Could anyone help me out? Thanks in advance.

access-list ACL1 extended permit ip 192.168.121.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list ACL1 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.0.0
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 3600
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
pre-shared-key test


show run ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

show run tunnel-group
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
pre-shared-key *

show run crypto map
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 3600
crypto map outside_map 120 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside

I can't ping the other remote location (10.0.0.0), but I can ping its public interface 33.33.33.33.
The other end of the VPN tunnel has matching subnets, and when I run show run isakmp or show crypto ipsec sa I don't get any details.

Kind Regards,
Joana Botto


andamani
Cisco Employee

Hi,

Please paste the following output from both ends of the tunnel.

1. sh run cry

2. sh cry isa sa

3. sh cry ips sa

4. sh run nat

5. sh access-list

6. sh access-list

Regards,

Anisha

Hi Anisha,

# sh run cry
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set eds
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 100 match address site6
crypto map outside_map 100 set peer 66.66.66.66
crypto map outside_map 100 set transform-set site66
crypto map outside_map 100 set security-association lifetime seconds 3600
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 3600
crypto map outside_map 120 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


# sh cry isa sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 44.44.44.44
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


edsgfs-asa-CRA# sh cry ips sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 22.22.22.22

      access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.128
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.86/255.255.255.255/0/0)
      current_peer: 55.55.55.55, username: user2
      dynamic allocated peer ip: 192.168.10.86

      #pkts encaps: 25527, #pkts encrypt: 25527, #pkts digest: 25527
      #pkts decaps: 22664, #pkts decrypt: 22664, #pkts verify: 22664
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 25527, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 22.22.22.22/4500, remote crypto endpt.: 55.55.55.55/50305
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 644C6CEF

    inbound esp sas:
      spi: 0x0CBFA635 (213886517)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4575232, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 5975
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x644C6CEF (1682730223)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4575232, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 5975
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 100, local addr: 22.22.22.22

      access-list failteacl permit ip 192.168.121.0 255.255.255.0 10.128.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.121.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
      current_peer: 66.66.66.66

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 198237, #pkts decrypt: 198237, #pkts verify: 198237
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 22.22.22.22, remote crypto endpt.: 66.66.66.66

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 327989F7

    inbound esp sas:
      spi: 0x3D1AFCAA (1025178794)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 901120, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 2654
         IV size: 16 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x327989F7 (846825975)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 901120, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 2654
         IV size: 16 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001


# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nodmznat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (remsite) 0 access-list noremsitenat
nat (remsite) 1 0.0.0.0 0.0.0.0


# sh access-list ACL1
access-list ACL1; 2 elements
access-list ACL1 line 1 extended permit ip 192.168.121.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0xdae8954a
access-list ACL1 line 2 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=102) 0x04c45a75

access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 extended permit ip any 192.168.10.0 255.255.255.128 (hitcnt=24267) 0x06ba586e

Regards,

Joana
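As an added example (not from this thread or from Cisco), a small Python triage helper that parses the `sh cry isa sa` and `sh access-list` output formats pasted above and reports whether the tunnel to a given peer is stuck before IKE phase 1 (crypto ACL never matched) or at it (ACL matched, but no IKE SA to that peer). The sample text is constructed from the output in this thread, and the verdict labels are my own.

```python
import re

# Constructed sample input, trimmed from the `sh cry isa sa` and `sh access-list`
# output quoted in this thread (peer 33.33.33.33 is absent from the SA list).
ISAKMP_SA = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 44.44.44.44
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
ACL_OUTPUT = """\
access-list ACL1; 2 elements
access-list ACL1 line 1 extended permit ip 192.168.121.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0xdae8954a
access-list ACL1 line 2 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=102) 0x04c45a75
"""

# One IKE SA entry spans three lines: peer, Type/Role, Rekey/State.
SA_RE = re.compile(
    r"IKE Peer:\s*(\S+)\s*\n\s*Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)\s*\n"
    r"\s*Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)")
# One ACE line with its hit counter; the "ACL; N elements" summary line is skipped.
ACE_RE = re.compile(r"access-list (\S+) line (\d+) extended (.+?) \(hitcnt=(\d+)\)")

def parse_ike_sas(text):
    """Map peer address -> {type, role, state} from `show crypto isakmp sa`."""
    return {m[1]: {"type": m[2], "role": m[3], "state": m[5]} for m in SA_RE.finditer(text)}

def parse_acl_hits(text, acl_name):
    """Return [(line, ace_text, hitcnt)] for one ACL from `show access-list`."""
    return [(int(m[2]), m[3], int(m[4])) for m in ACE_RE.finditer(text) if m[1] == acl_name]

def triage_peer(peer, isakmp_text, acl_text, acl_name):
    """Decide whether a missing L2L tunnel is stuck before or at IKE phase 1."""
    sa = parse_ike_sas(isakmp_text).get(peer)
    hits = sum(h for _, _, h in parse_acl_hits(acl_text, acl_name))
    if sa and sa["state"].endswith("_ACTIVE"):
        verdict = "phase1-up"                 # look at IPsec SAs / NAT exemption next
    elif sa:
        verdict = "phase1-negotiating"        # e.g. MM_WAIT_MSG*: proposal or PSK step
    elif hits == 0:
        verdict = "no-interesting-traffic"    # crypto ACL never matched, nothing triggers IKE
    else:
        verdict = "phase1-never-established"  # traffic matched, but no IKE SA to this peer
    return {"peer": peer, "ike_sa": sa, "acl_hits": hits, "verdict": verdict}

if __name__ == "__main__":
    print(triage_peer("33.33.33.33", ISAKMP_SA, ACL_OUTPUT, "ACL1"))
```

For the output in this thread the helper reports `phase1-never-established` for 33.33.33.33: ACL1 line 2 has 102 hits, yet no IKE SA exists for that peer, which is consistent with the original poster's suspicion that phase 1 is the problem.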

Please attach the output of:

sh access-list nonat

sh access-list nodmznat

sh access-list noremsitenat

sh ip

Regards,

Anisha

Hi Anisha,

I've attached the requested output.

Thanks,

Joana