Many-to-one NAT on L2L VPN (ASA 5505)

Unanswered Question
Jun 4th, 2012

I am trying to configure a L2L VPN tunnel to a service provider using an ASA 5505.

My problem is that the service provider will not accept traffic from a LAN subnet; they will only accept traffic from a public IP.

We have a small public subnet of x.x.x.50/255.255.255.248, our public IP (outside interface IP on the ASA 5505) is x.x.x.50, and the service provider wants to see traffic coming from us on x.x.x.51.

How can I NAT our LAN subnet (10.0.0.0/24) to one public IP (x.x.x.51)?

I'm new to Cisco firewalls, so essentially I need a complete config.

All help is highly appreciated.

Julio Carvaja Mon, 06/04/2012 - 15:27

Hello Cato,

For that NAT you need the following:

192.168.12.0/24 is the ISP network
10.0.0.0/24 is the inside local network

access-list test permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0
nat (inside) 10 access-list test
global (outside) 10 x.x.x.51

On the encryption VPN traffic (crypto ACL), the encrypted traffic will be from:

access-list VPn permit ip host x.x.x.51 192.168.12.0 255.255.255.0

Regards,

Julio

Rate all the helpful posts
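The mechanism behind the answer above, as an added simulation written for this thread (it is not Cisco code and not either poster's): on an ASA 8.2 the policy NAT is applied before the crypto map is consulted, so the crypto ACL has to name the translated source, not the LAN subnet. The script parses a constructed ASA 8.2-style fragment (addresses replaced with documentation ranges; FirstDataLAN stands for the provider's network, 203.0.113.50 for the outside interface and 203.0.113.51 for the NAT address), translates an inside host the way the ASA orders its NAT rules, and checks the result against a crypto ACL written for 10.0.0.0/24 and one written for the NAT address. It also reproduces the "global for this range already exists" refusal the ASA gives when the same address is put into a second global pool on the same interface.

```python
import ipaddress

# Constructed stand-ins (documentation ranges), not the thread's real addresses:
# FirstDataLAN is the provider's network, 203.0.113.50 the ASA outside address
# (what the keyword "interface" resolves to) and 203.0.113.51 the NAT address.
NAMES = {"FirstDataLAN": "198.51.100.0"}
OUTSIDE_IP = "203.0.113.50"

# Constructed ASA 8.2-style fragment: the policy NAT from the answer above, plus
# the crypto ACL as originally written (LAN subnet) and as corrected (NATted host).
CONFIG = """
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list old_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list new_cryptomap extended permit ip host 203.0.113.51 FirstDataLAN 255.255.255.0
global (outside) 2 interface
global (outside) 10 203.0.113.51
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
"""


def _net(addr, mask):
    """Network from an ASA 'address netmask' pair; 0.0.0.0 0.0.0.0 means any."""
    if mask == "0.0.0.0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{NAMES.get(addr, addr)}/{mask}", strict=False)


def _endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]


def add_global(cfg, iface, nat_id, addr):
    """Register a global pool, refusing an address already used by another pool
    on that interface (the error message the ASA prints for that case)."""
    ip = OUTSIDE_IP if addr == "interface" else addr
    if any(k[0] == iface and v == ip for k, v in cfg["global"].items()):
        raise ValueError("global for this range already exists")
    cfg["global"][(iface, nat_id)] = ip


def parse_config(text):
    """Pick the access-list, nat and global statements out of an 8.2-style config."""
    cfg = {"acls": {}, "nat": [], "global": {}}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list" and "permit" in tok:
            rest = tok[tok.index("ip") + 1:]
            src, rest = _endpoint(rest)
            dst, _ = _endpoint(rest)
            cfg["acls"].setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat":
            rule = {"iface": tok[1].strip("()"), "id": int(tok[2]), "acl": None, "net": None}
            if tok[3] == "access-list":
                rule["acl"] = tok[4]
            else:
                rule["net"] = _net(tok[3], tok[4])
            cfg["nat"].append(rule)
        elif tok[0] == "global":
            add_global(cfg, tok[1].strip("()"), int(tok[2]), tok[3])
    return cfg


def translated_source(cfg, src, dst, ingress="inside", egress="outside"):
    """Source address the egress interface sees. ASA 8.2 tries policy NAT
    (nat ... access-list) before regular dynamic NAT and pairs the matched nat id
    with the global pool of the same id on the egress interface; with no such
    pool there is no translation and the flow is dropped (returned as None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    rules = [r for r in cfg["nat"] if r["iface"] == ingress]
    for rule in sorted(rules, key=lambda r: r["acl"] is None):   # policy NAT first
        if rule["acl"] is not None:
            hit = any(s in a and d in b for a, b in cfg["acls"].get(rule["acl"], []))
        else:
            hit = s in rule["net"]
        if hit:
            return cfg["global"].get((egress, rule["id"]))
    return src


def crypto_acl_matches(cfg, acl_name, src, dst):
    """True when the (already translated) flow hits a permit line of the crypto ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in cfg["acls"].get(acl_name, []))


def diagnose(cfg, crypto_acl, src, dst):
    """Follow one inside-to-provider flow: NAT first, then the crypto ACL is
    evaluated against the translated source, so it must name the NAT address."""
    xlated = translated_source(cfg, src, dst)
    return {"translated": xlated,
            "encrypted": xlated is not None and crypto_acl_matches(cfg, crypto_acl, xlated, dst)}


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for acl in ("old_cryptomap", "new_cryptomap"):
        print(acl, diagnose(cfg, acl, "10.0.0.97", "198.51.100.10"))
```

Running it shows the inside host leaving as 203.0.113.51 in both cases, with `old_cryptomap` never matching and `new_cryptomap` matching, which is exactly the change the crypto ACL needs once the policy NAT is in place.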

NPBergen08 Mon, 06/04/2012 - 15:54

Thank you for your answer, I did the suggested configuration but the tunnel will still not connect.

Regarding the L2L VPN setup, should the local network be x.x.x.51 or the local LAN subnet (10.0.0.0/24)?

Best regards,

Cato

Julio Carvaja Mon, 06/04/2012 - 16:00

Hello Cato,

The local subnet will be 10.0.0.0/24, but to the ISP it will look like x.x.x.51.

Please post the entire config for assistance.

Regards,

NPBergen08 Mon, 06/04/2012 - 16:16

That's how it is configured. I'm trying to find traces of VPN connection attempts in the log but can't find any?

Best regards,

Cato

Julio Carvaja Mon, 06/04/2012 - 16:20

It could be a problem on the ISP side.

Again please post the configuration for assistance.

Rate all the helpful posts

NPBergen08 Mon, 06/04/2012 - 23:29

Hello,

Here is the running config:

ASA Version 8.2(5)
!
hostname ciscoasa
enable password ########## encrypted
passwd ######### encrypted
names
name x.x.170.0 FirstDataLAN
name 85.252.49.19 FastWEB
name 10.0.0.1 GW
name 10.0.0.97 PC_Espen
name x.x.x.50 ASA-peer
name x.x.171.161 FDL-VPN-peer
name 195.160.170.79 FDl_service-ip
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address GW 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-peer 255.255.255.248
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MS_SQL
 service-object tcp eq 1433
 service-object tcp eq sqlnet
object-group network FDL_VPN
 network-object 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 x.x.x.48 255.255.255.248 log
access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102
access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list VPN extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any
access-list inside_access_in remark test
access-list inside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list inside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
pager lines 24
logging enable
logging console informational
logging trap informational
logging asdm informational
logging facility 16
logging host inside PC_Espen
mtu inside 1500
mtu outside 1300
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 2 interface
global (outside) 1 x.x.x.51 netmask 255.0.0.0
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255
static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_cryptomap_1
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer FDL-VPN-peer
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FDL internal
group-policy FDL attributes
 vpn-idle-timeout none
 vpn-filter value VPN
 vpn-tunnel-protocol IPSec l2tp-ipsec
username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group x.x.171.161 type ipsec-l2l
tunnel-group x.x.171.161 general-attributes
 default-group-policy FDL
tunnel-group x.x.171.161 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:b4cb57a31f3c3ee66438e30af7686439
: end

Best regards,

Cato

Julio Carvaja Tue, 06/05/2012 - 05:07

Hello Cato,

Here is what I want you to change, as it's not properly set up:

nat (inside) 10 access-list VPN
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
no access-list VPN extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
no access-list inside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0

Regards,

Julio

NPBergen08 Tue, 06/05/2012 - 09:21

Hello,

I (think) I managed to make the suggested changes, but the tunnel still won't establish a connection.

I did a show crypto isakmp and got this output:

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 1
In Octets: 2880
In Packets: 10
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 3968
Out Packets: 25
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 7
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 7
Initiator Tunnels: 1
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0

These are the policy requirements from the service provider:

Isakmp policy:
  Encryption algorithm:           AES256
  Hash algorithm:                 SHA
  Authentication method:          Pre-Shared Key
  Diffie-Hellman group:           #5 (1536 bit)
  Lifetime:                       1440 min
  Aggressive mode:                None

Ipsec policy:
  Encryption algorithm:           AES256
  Hash algorithm:                 SHA
  Security association lifetime:  3600 seconds
  Perfect forward secrecy:        Group 2

As far as I can tell the tunnel should be configured according to these requirements?

This is the currently running config:

ASA Version 8.2(5)
!
hostname ciscoasa
enable password ####### encrypted
passwd ###### encrypted
names
name x.x.170.0 FirstDataLAN
name 85.252.49.19 FastWEB
name 10.0.0.1 GW
name 10.0.0.97 PC_Espen
name x.x.x.50 ASA-peer
name x.x.171.161 FDL-VPN-peer
name x.x.170.79 FDl_service-ip
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address GW 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-peer 255.255.255.248
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MS_SQL
 service-object tcp eq 1433
 service-object tcp eq sqlnet
object-group network FDL_VPN
 network-object 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip 84.49.73.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 84.49.73.48 255.255.255.248 log
access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102
access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any
access-list inside_access_in remark test
access-list inside_access_in extended permit ip 84.49.73.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list inside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
pager lines 24
logging enable
logging console informational
logging trap informational
logging asdm informational
logging facility 16
logging host inside PC_Espen
mtu inside 1500
mtu outside 1300
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 2 interface
global (outside) 1 x.x.x.51 netmask 255.0.0.0
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255
static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_cryptomap_2
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer FDL-VPN-peer
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FDL internal
group-policy FDL attributes
 vpn-idle-timeout none
 vpn-filter value inside_cryptomap_1
 vpn-tunnel-protocol IPSec l2tp-ipsec
username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group x.x.171.161 type ipsec-l2l
tunnel-group x.x.171.161 general-attributes
 default-group-policy FDL
tunnel-group x.x.171.161 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:403e2d4f17c5304ff1d9bd8252cb1886
: end

Best regards,

Cato

Julio Carvaja Tue, 06/05/2012 - 09:29

Hello Cato,

You are missing the global command for the NAT

global (outside) 10  x.x.x.51

Regards,

Julio

NPBergen08 Tue, 06/05/2012 - 09:40

Hello,

I tried that but got this response:

"global for this range already exists"

Best regards,

Cato

NPBergen08 Tue, 06/05/2012 - 10:00

Hello,

Thank you, that made me able to make the config change, but unfortunately the tunnel is still dead.

Best regards,

Cato

Julio Carvaja Tue, 06/05/2012 - 10:05

The configuration looks fine,

Please check the ciphers you are using for phase one and phase 2 with the ISP so you can ensure they match.

Regards,
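The phase-1 and phase-2 comparison Julio asks for, as an added example written for this thread (not Cisco's code and not either poster's): it parses a constructed excerpt of the posted configuration (peer and gateway replaced with documentation addresses, 203.0.113.161 standing for FDL-VPN-peer), compares the isakmp policies and the crypto map's transform-set, SA lifetime and PFS group against the provider's requirement sheet posted above, and additionally checks that the crypto map is applied on the interface through which the route table reaches the peer. On the posted lines every proposal matches the sheet (1440 min is 86400 s, and a bare "set pfs" selects group 2), while the map is bound to inside although the only route to the peer is the default route out of outside; the script reports both.

```python
import ipaddress

# Constructed excerpt of the posted configuration with the real peer and gateway
# replaced by documentation addresses (203.0.113.161 stands for FDL-VPN-peer).
ASA_CONFIG = """
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map inside_map 1 match address inside_cryptomap_2
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer 203.0.113.161
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
route outside 0.0.0.0 0.0.0.0 203.0.113.49 1
"""

# The provider's requirement sheet from the post above, written in ASA keywords
# (1440 min = 86400 s; "Group 2" PFS is what a bare "set pfs" selects).
PROVIDER = {
    "ike": {"encryption": "aes-256", "hash": "sha", "authentication": "pre-share",
            "group": "5", "lifetime": "86400"},
    "ipsec": {"transform": ("esp-aes-256", "esp-sha-hmac"), "lifetime": "3600", "pfs": "group2"},
}


def parse_asa(text):
    """Collect the isakmp policies, transform-sets, crypto map settings and routes."""
    cfg = {"ike": [], "transform": {}, "sa_lifetime": None, "map": {}, "routes": []}
    policy = None
    for raw in text.strip().splitlines():
        tok = raw.split()
        if raw.startswith(" ") and policy is not None:      # isakmp policy sub-command
            policy[tok[0]] = " ".join(tok[1:])
            continue
        policy = None
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            policy = {"number": int(tok[3])}
            cfg["ike"].append(policy)
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][tok[3]] = tuple(tok[4:])
        elif tok[:4] == ["crypto", "ipsec", "security-association", "lifetime"] and tok[4] == "seconds":
            cfg["sa_lifetime"] = tok[5]
        elif tok[:2] == ["crypto", "map"]:
            if tok[3] == "interface":
                cfg["map"]["interface"] = tok[4]
            elif tok[4:6] == ["match", "address"]:
                cfg["map"]["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                cfg["map"]["peer"] = tok[6]
            elif tok[4:6] == ["set", "transform-set"]:
                cfg["map"]["transform"] = tok[6]
            elif tok[4:6] == ["set", "pfs"]:
                cfg["map"]["pfs"] = tok[6] if len(tok) > 6 else "group2"   # ASA default group
        elif tok[0] == "route":
            mask = "0" if tok[3] == "0.0.0.0" else tok[3]
            cfg["routes"].append((tok[1], ipaddress.ip_network(f"{tok[2]}/{mask}", strict=False)))
    return cfg


def matching_ike_policies(cfg, req):
    """Numbers of the isakmp policies whose every parameter equals the peer's."""
    return [p["number"] for p in cfg["ike"] if all(p.get(k) == v for k, v in req.items())]


def ipsec_mismatches(cfg, req):
    """Phase-2 settings on the crypto map entry that differ from the peer's sheet."""
    found = []
    transform = cfg["transform"].get(cfg["map"].get("transform"), ())
    for name, have, want in (("transform-set", transform, req["transform"]),
                             ("sa lifetime", cfg["sa_lifetime"], req["lifetime"]),
                             ("pfs", cfg["map"].get("pfs"), req["pfs"])):
        if have != want:
            found.append(f"{name}: configured {have}, peer wants {want}")
    return found


def crypto_map_binding_finding(cfg):
    """A crypto map only takes effect on the interface through which the peer is
    routed; report when it is bound elsewhere (longest-prefix lookup of the peer)."""
    peer = ipaddress.ip_address(cfg["map"]["peer"])
    hits = [r for r in cfg["routes"] if peer in r[1]]
    if not hits:
        return f"no route to peer {peer}"
    egress = max(hits, key=lambda r: r[1].prefixlen)[0]
    bound = cfg["map"].get("interface")
    if bound != egress:
        return f"crypto map applied to '{bound}' but peer {peer} is routed via '{egress}'"
    return None


def review(text, provider=PROVIDER):
    """One-shot review: which phase-1 policies match, phase-2 differences, map binding."""
    cfg = parse_asa(text)
    return {"ike_policies_matching": matching_ike_policies(cfg, provider["ike"]),
            "ipsec_mismatches": ipsec_mismatches(cfg, provider["ipsec"]),
            "binding": crypto_map_binding_finding(cfg)}


if __name__ == "__main__":
    for key, value in review(ASA_CONFIG).items():
        print(f"{key}: {value}")
```

The comparison is deliberately exact rather than "at least as strong": IKE proposal selection needs an identical policy on both sides, so a stronger-but-different policy is still a mismatch. The route lookup uses the peer's address because the ASA evaluates the crypto map on the egress interface of the traffic, which for a peer reached via the default route is outside.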

NPBergen08 Tue, 06/05/2012 - 10:35

OK, I will do that, and thank you for all your help; it's highly appreciated.

Could I be so bold as to ask if you could have a last look at the current config? I just want to be sure that I haven't made a mistake with the last changes. What I did notice is that x.x.x.51 now seems to be x.x.x.48, which is our public network address?

ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name x.x.170.0 FirstDataLAN
name 85.252.49.19 FastWEB
name 10.0.0.1 GW
name 10.0.0.97 PC_Espen
name x.x.x.50 ASA-peer
name x.x.171.161 FDL-VPN-peer
name x.x.170.79 FDl_service-ip
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address GW 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address ASA-peer 255.255.255.248
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service MS_SQL
 service-object tcp eq 1433
 service-object tcp eq sqlnet
object-group network FDL_VPN
 network-object 10.0.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log
access-list outside_access_in remark test
access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 x.x.x.48 255.255.255.248 log
access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102
access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside
access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0
access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
access-list inside_access_in extended permit ip any any log
access-list inside_access_in extended permit tcp any any
access-list inside_access_in remark test
access-list inside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log
access-list inside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0 inactive
pager lines 24
logging enable
logging console informational
logging trap informational
logging asdm informational
logging facility 16
logging host inside PC_Espen
mtu inside 1500
mtu outside 1300
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 3 interface
global (outside) 2 interface
global (outside) 10 x.x.x.51
nat (inside) 10 access-list VPN
nat (inside) 2 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255
static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map inside_map 1 match address inside_cryptomap_2
crypto map inside_map 1 set pfs
crypto map inside_map 1 set peer FDL-VPN-peer
crypto map inside_map 1 set transform-set FDL
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.0.50-10.0.0.200 inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol l2tp-ipsec webvpn
group-policy FDL internal
group-policy FDL attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 15 retry 2
tunnel-group x.x.171.161 type ipsec-l2l
tunnel-group x.x.171.161 general-attributes
 default-group-policy FDL
tunnel-group x.x.171.161 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 15 retry 10
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:03694ab933eb8d601d677fcf0afe7e8f
: end

Best regards,

Cato

Posted June 4, 2012 at 3:01 PM
Tags: vpn, nat, l2l, l2l_vpn