08-04-2010 09:52 AM - edited 03-11-2019 11:21 AM
Had a new vpn setup last week, or so; since then, other vpn tunnels stopped working (site-to-site vpns). Need help troubleshooting issues; unable to ping across tunnel when it was showing active, now all of the tunnels are not showing active.
08-04-2010 10:37 AM
Hello,
Can you please post the corresponding configurations here?
Regards,
NT
08-04-2010 10:45 AM
let me know if you need more than this:
object-group network DM_INLINE_NETWORK_1
network-object host 172.30.1.14
network-object host 172.31.1.15
object-group service SSH-ALT tcp
description SSH-ALT
port-object eq 24
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object CDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object CDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PACS tcp-udp
description PACS
port-object eq 104
object-group network DM_INLINE_NETWORK_4
network-object 172.30.1.0 255.255.255.224
network-object 192.168.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object 172.30.1.0 255.255.255.224
network-object 192.168.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
access-list outside extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.3.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.0.0 255.255.224.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3 inactive
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
access-list TGA-Split_splitTunnelAcl standard permit 172.30.1.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.0.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.3.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.4.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.4.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list outside_cryptomap_1 extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list outside_cryptomap extended permit ip host 172.31.1.112 host A-10.3.3.7
access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip host 172.31.1.12 host A-10.3.3.7
access-list outside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 CDX 255.255.255.0 host 172.31.1.12
access-list nonat extended permit ip host 172.31.1.12 CDX 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool FPSVPN 172.30.250.1-172.30.250.250 mask 255.255.255.0
ip local pool VPNTEST2 172.31.100.1-172.31.100.12 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.31.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4012 172.31.1.12 4012 netmask 255.255.255.255
static (inside,outside) tcp interface 24 172.31.1.10 24 netmask 255.255.255.255
static (inside,outside) tcp interface 5711 192.168.1.200 5711 netmask 255.255.255.255
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 68.115.200.145 1
route inside 10.0.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.2.0 255.255.255.0 172.30.1.1 1
route inside 172.30.4.0 255.255.255.0 172.30.1.1 1
route inside 172.30.41.0 255.255.255.0 172.30.1.1 1
route inside 172.30.42.0 255.255.255.0 172.30.1.1 1
route inside 172.31.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.100.0 255.255.255.0 172.30.1.1 1
route inside 0.0.0.0 0.0.0.0 CDX tunneled
08-04-2010 11:52 AM
please paste the crypto map config
but I think I know the issue
you probably made a different crypto map for the new tunnel and applied it on the interface
so on one interface you can have only 1 crypto map, but you can have different entries for that
this gives me a feeling you might have more than 1 crypto map
outside_1_cryptomap
outside_cryptomap_1
outside_3_cryptomap
outside_cryptomap
08-04-2010 11:58 AM
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set BasicESP3d esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set peer BlueRidge
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 set peer 68.115.234.130
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set peer 68.191.0.66
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer CDX
crypto map outside_map 4 set transform-set BasicESP3d ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 match address outside_cryptomap_1
crypto map outside_map 5 set peer BlueRidge
crypto map outside_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
08-04-2010 02:51 PM
Why do I not see any match statements in the crypto map for 1, 2, 3 & 4? Did you remove any configuration for the one posted below?
From the posted configuration only the tunnel with Blue Ridge should be working, given you have a mirror ACL to identify interesting traffic on both sides.
thanks
Manish
08-04-2010 03:50 PM
I don't know, it's all jacked up. We are seeing other odd behaviour, like configuration changes disappearing after we save them and go back into what was just configured. After posting this, I found out the air condition went out where the equipment is located, and we are suspecting the equipment overheated, as we are seeing some issues with other equipment as well. We are looking into the coverage on this firewall now, and considering alternative solutions. I'm not very experienced on Cisco yet. Can you give me an example of all we should need to have configured for a single tunnel to work, where multiple tunnels exist to access the same internal LAN(s)?
Thanks!
08-04-2010 11:23 PM
what you have is perfectly fine except one thing which Manish mentioned
crypto map outside_map 1 set peer BlueRidge
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 set peer 68.115.234.130
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set peer 68.191.0.66
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer CDX
crypto map outside_map 4 set transform-set BasicESP3d ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 match address outside_cryptomap_1
crypto map outside_map 5 set peer BlueRidge
crypto map outside_map 5 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
the above is what you have
see this part
crypto map outside_map 5 match address outside_cryptomap_1
crypto map outside_map 5 set peer BlueRidge
you have a match address, which is missing in the rest of them. so it will always fall on the dynamic crypto map, which needs the traffic to be initiated from the other end
all you have to do is hunt for those statements and put them
match address
this is the format
this access-list will have source from your network and destination as the remote VPN network
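To make the checks in this reply mechanical, here is an added example (not posted by anyone in the thread): a small Python lint that reads an ASA running-config and flags the crypto map defects discussed above. It reports static map entries with a peer but no "match address" (the traffic then falls through to the dynamic map, which only answers peer-initiated tunnels), "match address" references to an access-list that is never defined, peers with no "tunnel-group ... type ipsec-l2l", and crypto maps that are defined but never applied to an interface. It resolves "name" aliases the way the thread's config uses them (BlueRidge, CDX). The embedded config is constructed, modelled on the crypto map section posted in the thread, not the poster's actual running-config.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the crypto map section posted in this thread
# (not the poster's actual running-config). Sequence 1 has a peer but no
# "match address", sequence 5 points at an access-list that is never defined
# and at a peer with no L2L tunnel-group, and "other_map" is defined but never
# applied to an interface. Sequence 2 is the correct shape.
SAMPLE_CONFIG = """
name 162.114.68.115 BlueRidge
access-list outside_1_cryptomap extended permit ip host 172.30.1.14 host 10.1.1.243
access-list outside_cryptomap_1 extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set peer BlueRidge
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 68.115.234.130
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 68.191.0.66
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map other_map 1 match address outside_1_cryptomap
crypto map other_map 1 set peer BlueRidge
tunnel-group 162.114.68.115 type ipsec-l2l
tunnel-group 68.115.234.130 type ipsec-l2l
"""


def lint_crypto_maps(config):
    """Return a list of findings (strings) for the crypto map section of an ASA config."""
    entries = defaultdict(lambda: {"match": None, "peers": [], "dynamic": None})
    applied, acls, l2l_peers, names = {}, set(), set(), {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line):
            entries[(m[1], int(m[2]))]["match"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (.+)$", line):
            entries[(m[1], int(m[2]))]["peers"].extend(m[3].split())
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", line):
            entries[(m[1], int(m[2]))]["dynamic"] = m[3]
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            applied[m[1]] = m[2]
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l_peers.add(m[1])
        elif m := re.match(r"name (\S+) (\S+)", line):
            names[m[2]] = m[1]  # alias -> address, as the "names" section defines it

    findings = []
    # Only one crypto map can be bound to an interface; entries in any other map are inert.
    for name in sorted({k[0] for k in entries}):
        if name not in applied:
            findings.append(f"{name}: crypto map is not applied to any interface "
                            "(one map per interface; add entries to the applied map instead)")
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} {seq}"
        if e["dynamic"]:
            continue  # dynamic entries are selected by the peer's proposal, not by an ACL
        if e["match"] is None:
            peers = ", ".join(e["peers"]) or "its peer"
            findings.append(f"{tag}: static entry has no 'match address'; outbound traffic to "
                            f"{peers} falls through to the dynamic map, which only builds "
                            "peer-initiated tunnels")
        elif e["match"] not in acls:
            findings.append(f"{tag}: 'match address {e['match']}' references an access-list "
                            "that is not defined")
        if not e["peers"]:
            findings.append(f"{tag}: no 'set peer' configured")
        for peer in e["peers"]:
            if names.get(peer, peer) not in l2l_peers:
                findings.append(f"{tag}: peer {peer} has no 'tunnel-group {names.get(peer, peer)} "
                                "type ipsec-l2l' (no pre-shared key source for phase 1)")
    return findings


if __name__ == "__main__":
    for finding in lint_crypto_maps(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of "sh run" and every line it prints corresponds to one of the points raised in this thread; an empty result means each static entry has an ACL, a peer and an L2L tunnel-group, and only one map is bound to the interface.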
08-05-2010 05:13 AM
okay, we will try adding those this a.m.; other question though, why were we unable to ping across the VPNs when they were showing as "up" previously, or we cannot ping to the "Blueridge" even though it appears to be correct, right? Also, do you know where we can run the SN# to see if smartnet is on the box?
THANKS!
08-05-2010 05:38 AM
there could be many reasons why the tunnel shows up and traffic doesn't pass
we need to check with command "sh crypto ips sa" to confirm that the phase 2 is up
if it shows up in "show cry isa sa" it means only phase 1 is up
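As an added example (not from anyone in the thread) of the phase 1 / phase 2 distinction in this reply, and of the earlier question about tunnels that show "up" while pings fail: the Python below parses "show crypto isakmp sa" and "show crypto ipsec sa" text and gives each configured L2L peer one verdict. No IKE SA means phase 1 never completed; an MM_ACTIVE IKE SA with no IPsec SA means phase 2 failed; an IPsec SA with encaps but zero decaps means we encrypt but the far end never sends anything back, which is the usual picture when the tunnel is "up" but nothing pings. The sample outputs are constructed in the shape of ASA 8.2 show output, not captured from the poster's firewall, and the verdict names and hints are this example's own.

```python
import re

# Constructed sample in the shape of ASA "show crypto isakmp sa" (not captured
# from the poster's firewall). Two peers have completed phase 1.
ISAKMP_OUT = """
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 162.114.68.115
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 68.115.234.130
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample in the shape of "show crypto ipsec sa": only one peer has
# a phase 2 SA, and it encapsulates packets without ever decapsulating any.
IPSEC_OUT = """
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 200.146.68.115

      access-list outside_1_cryptomap extended permit ip host 172.30.1.14 host 10.1.1.243
      local ident (addr/mask/prot/port): (172.30.1.14/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.243/255.255.255.255/0/0)
      current_peer: 162.114.68.115

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Verdict hints written for this example; they summarise what each state rules in or out.
HINTS = {
    "phase1-down": "no ISAKMP SA: check ISAKMP is enabled on the interface, the peer address, "
                   "a matching isakmp policy and the pre-shared key in the L2L tunnel-group",
    "phase1-up-phase2-down": "IKE is MM_ACTIVE but no IPsec SA: crypto ACL or transform-set "
                             "does not mirror the far side",
    "phase2-up-one-way": "we encapsulate but never decapsulate: the far end is not returning "
                         "traffic (its routing, crypto ACL or NAT exemption)",
    "phase2-up-no-traffic": "SA exists but no packets are selected: local NAT exemption or "
                            "routing is not steering traffic into the tunnel",
    "healthy": "packets flow in both directions",
}


def parse_isakmp_sa(text):
    """Map peer address -> IKE state from 'show crypto isakmp sa' output.
    The literal 'There are no isakmp sas' yields an empty dict."""
    states, peer = {}, None
    for line in text.splitlines():
        if m := re.search(r"IKE Peer:\s*(\S+)", line):
            peer = m[1]
        elif peer and (m := re.search(r"State\s*:\s*(\S+)", line)):
            states[peer] = m[1]
            peer = None
    return states


def parse_ipsec_sa(text):
    """Map peer address -> {'encaps': n, 'decaps': n} from 'show crypto ipsec sa' output."""
    counters, peer = {}, None
    for line in text.splitlines():
        if m := re.search(r"current_peer:\s*(\S+)", line):
            peer = m[1]
            counters[peer] = {"encaps": 0, "decaps": 0}
        elif peer and (m := re.search(r"#pkts (encaps|decaps):\s*(\d+)", line)):
            counters[peer][m[1]] = int(m[2])
    return counters


def diagnose(peers, isakmp_out, ipsec_out):
    """Return {peer: verdict} for each configured L2L peer address."""
    ike, ipsec, verdicts = parse_isakmp_sa(isakmp_out), parse_ipsec_sa(ipsec_out), {}
    for p in peers:
        state = ike.get(p)
        if state is None:
            verdicts[p] = "phase1-down"
        elif state not in ("MM_ACTIVE", "AM_ACTIVE"):  # main / aggressive mode still negotiating
            verdicts[p] = f"phase1-negotiating:{state}"
        elif p not in ipsec:
            verdicts[p] = "phase1-up-phase2-down"
        else:
            c = ipsec[p]
            if c["encaps"] and not c["decaps"]:
                verdicts[p] = "phase2-up-one-way"
            elif not c["encaps"] and not c["decaps"]:
                verdicts[p] = "phase2-up-no-traffic"
            else:
                verdicts[p] = "healthy"
    return verdicts


if __name__ == "__main__":
    # Peer list taken from the L2L tunnel-groups in the posted config.
    for peer, verdict in diagnose(["162.114.68.115", "68.115.234.130", "97.98.66.49"],
                                  ISAKMP_OUT, IPSEC_OUT).items():
        print(f"{peer}: {verdict} - {HINTS.get(verdict, 'phase 1 still negotiating')}")
```

With the outputs quoted later in this thread ("there are no isakmp sas" / "There are no ipsec sas") every peer comes back phase1-down, which is why fixing the match address entries alone did not bring a tunnel up: the problem at that point was in phase 1, before any crypto ACL is consulted.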
08-05-2010 08:14 AM
the results for sh cry isa sa = "there are no isakmp sas"
the results for sh crypto ips sa = "There are no ipsec sas"
Added the "crypto map outside_map 3 match address ..." statements for 1, 2, 3, and 4; still have no tunnels coming up. Thanks!
08-05-2010 08:41 AM
if you are ok with clearing all the tunnels
if so then remove the crypto map from the interface
clear cry isa sa
clear cry ips sa
and then apply the crypto map again
08-05-2010 09:07 AM
I figured it may help if you have the overview of the config; I went through and changed all the public addresses we use, for confidentiality purposes. Here is the current:
Result of the command: "sh run"
: Saved
:
ASA Version 8.2(1)
!
hostname **********
domain-name site.local
enable password ********** encrypted
passwd ************ encrypted
names
name 172.30.1.14 BlueRidgeServer description Blue Ridge XRAY
name 162.114.68.115 BlueRidge
name 172.30.1.16 Nuclear_Test description Nuclear_testing
name 200.146.68.115 Public description Public
name 200.144.68.115 Outside
name 187.232.66.83 UNG description UNG
name 151.130.68.115 CardCons. description Cardiology Consultants
name 10.3.3.0 CelligentCDX description Celligent CDX
name 97.98.66.49 CDX description CDX
name 10.3.3.7 A-10.3.3.7 description Celligent
!
interface Vlan1
nameif inside
security-level 100
ip address 172.30.1.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address Public 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 172.31.1.10
domain-name fps.local
object-group network DM_INLINE_NETWORK_1
network-object host BlueRidgeServer
**** network-object host 172.31.1.15
object-group service SSH-ALT tcp
description SSH-ALT
port-object eq 24
object-group network FTP_Access
description FTP Access
network-object UNG 255.255.255.248
network-object host CardCons.
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
network-object CelligentCDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group network DM_INLINE_NETWORK_3
network-object CelligentCDX 255.255.255.0
network-object 172.31.1.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service PACS tcp-udp
description PACS
port-object eq 104
access-list outside extended permit icmp any any
access-list outside extended permit tcp any interface outside eq 3389
access-list outside extended permit tcp any interface outside eq 4012
access-list outside extended permit tcp object-group FTP_Access interface outside object-group SSH-ALT
access-list outside extended permit tcp any interface outside eq 5711
access-list outside remark SSH-ALT
access-list outside remark Pharmacy
access-list inside_nat0_outbound extended permit ip 172.30.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.0.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.3.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.2.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.0.0 255.255.224.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.31.1.0 255.255.255.0 172.30.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list inside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3
access-list inside_nat0_outbound extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.1.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.1.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.0.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.3.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.2.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.31.4.0 255.255.255.0
access-list TGA-Split_splitTunnelAcl standard permit 172.30.4.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 host 10.1.1.243
access-list outside_3_cryptomap extended permit ip 172.30.4.0 255.255.255.128 host 192.168.12.166
access-list outside_cryptomap extended permit ip host 172.31.1.12 host A-10.3.3.7
access-list outside_cryptomap extended permit ip 172.30.1.0 255.255.255.224 192.168.0.0 255.255.255.0
access-list outside_nat0_outbound extended permit object-group DM_INLINE_PROTOCOL_2 CelligentCDX 255.255.255.0 172.31.1.0 255.255.255.0
access-list nonat extended permit ip 172.31.1.0 255.255.255.0 CelligentCDX 255.255.255.0
access-list outside_cryptomap_1 extended permit ip host BlueRidgeServer 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool FPSVPN 172.30.250.1-172.30.250.250 mask 255.255.255.0
ip local pool VPNTEST2 172.31.100.1-172.31.100.12 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 172.31.1.10 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 4012 172.31.1.12 4012 netmask 255.255.255.255
static (inside,outside) tcp interface 24 172.31.1.10 24 netmask 255.255.255.255
static (inside,outside) tcp interface 5711 192.168.1.200 5711 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 68.115.200.145 1
route inside 10.0.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.0.0 255.255.255.0 172.30.1.1 1
route inside 172.30.2.0 255.255.255.0 172.30.1.1 1
route inside 172.30.4.0 255.255.255.0 172.30.1.1 1
route inside 172.30.41.0 255.255.255.0 172.30.1.1 1
route inside 172.30.42.0 255.255.255.0 172.30.1.1 1
route inside 172.31.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.1.0 255.255.255.0 172.30.1.1 1
route inside 192.168.100.0 255.255.255.0 172.30.1.1 1
route inside 0.0.0.0 0.0.0.0 CDX tunneled
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set BasicESP3d esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer BlueRidge
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 234.130.68.115
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 110.66.68.191
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address outside_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer CDX
crypto map outside_map 4 set transform-set BasicESP3d ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 172.30.0.0 255.255.0.0 inside
telnet timeout 5
ssh 110.64.68.191 255.255.255.224 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 192.5.41.40 source inside
ntp server 172.31.1.10 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy TGA-Split internal
group-policy TGA-Split attributes
dns-server value ****
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TGA-Split_splitTunnelAcl
group-policy FPSVPN internal
group-policy FPSVPN attributes
dns-server value **********
vpn-tunnel-protocol IPSec
group-policy remotetest internal
group-policy remotetest attributes
dns-server value **********
vpn-tunnel-protocol IPSec
group-policy Physician-Portal internal
group-policy Physician-Portal attributes
vpn-simultaneous-logins 10
vpn-tunnel-protocol svc webvpn
webvpn
url-list value Physician-Portal
customization value Physician-Portal
hidden-shares visible
file-entry enable
file-browsing enable
url-entry enable
group-policy CDX internal
group-policy CDX attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group FPSVPN type remote-access
tunnel-group FPSVPN general-attributes
address-pool FPSVPN
default-group-policy FPSVPN
tunnel-group FPSVPN ipsec-attributes
pre-shared-key *
tunnel-group TGA-Split type remote-access
tunnel-group TGA-Split general-attributes
address-pool FPSVPN
default-group-policy TGA-Split
tunnel-group TGA-Split ipsec-attributes
pre-shared-key *
tunnel-group remotetest type remote-access
tunnel-group remotetest general-attributes
address-pool VPNTEST2
default-group-policy remotetest
tunnel-group remotetest ipsec-attributes
pre-shared-key *
tunnel-group 162.114.68.115 type ipsec-l2l
tunnel-group 162.114.68.115 ipsec-attributes
pre-shared-key *
tunnel-group 234.130.68.115 type ipsec-l2l
tunnel-group 234.130.68.115 ipsec-attributes
pre-shared-key *
tunnel-group Physician-Portal type remote-access
tunnel-group Physician-Portal general-attributes
address-pool FPSVPN
default-group-policy Physician-Portal
tunnel-group Physician-Portal webvpn-attributes
customization Physician-Portal
nbns-server 172.31.1.10 timeout 2 retry 2
group-alias Physician-Portal enable
tunnel-group 97.98.66.49 type ipsec-l2l
tunnel-group 97.98.66.49 general-attributes
default-group-policy CDX
tunnel-group 97.98.66.49 ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:************
: end
08-05-2010 12:19 PM
I ran these, "clear cry isa sa" / "clear cry ips sa" also, and the "crypto map" statements are still in the config. (in "sh run")
08-05-2010 05:19 PM
Hello,
Can you configure "management-access inside" on the firewall and then try to ping the inside interface from a remote location?
Regards,
NT