Many-to-one NAT on L2L VPN (ASA 5505)

NPBergen08
Level 1

I am trying to configure a L2L VPN tunnel to a service provider using an ASA 5505.

My problem is that the service provider will not accept traffic from a LAN subnet; they will only accept traffic from a public IP.

We have a small public subnet of x.x.x.50/255.255.255.248, our public IP (outside interface IP on the ASA 5505) is x.x.x.50 and the service provider wants to see traffic coming from us on x.x.x.51

How can I NAT our LAN subnet (10.0.0.0/24) to one public IP (x.x.x.51)?

I'm new to Cisco firewalls, so essentially I need a complete config.

All help is highly appreciated

14 Replies

Julio Carvajal
VIP Alumni

Hello Cato,

For that NAT you need the following:

192.168.12.0/24 is the ISP network

10.0.0.0/24 is the inside local network

access-list test permit ip 10.0.0.0 255.255.255.0 192.168.12.0 255.255.255.0

nat (inside) 10 access-list test

global (outside) 10 x.x.x.51

On the encryption VPN traffic (Crypto ACL)

the encrypted traffic will be from:

access-list VPn permit ip host x.x.x.51 192.168.12.0 255.255.255.0

Regards,

Julio

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank you for your answer, I did the suggested configuration but the tunnel will still not connect.

Regarding the L2L VPN setup, should the local network be x.x.x.51 or the local LAN subnet (10.0.0.0/24)?

Best regards,

Cato

Hello Cato,

The local subnet will be 10.0.0.0/24, but to the ISP it will look like x.x.x.51.

Please post the entire config for assistance.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

That's how it is configured. I'm trying to find traces of VPN connection attempts in the log but can't find any.

Best regards,

Cato

It could be a problem on the ISP side.

Again please post the configuration for assistance.

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

Here is the running config:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password ########## encrypted

passwd ######### encrypted

names

name x.x.170.0 FirstDataLAN

name 85.252.49.19 FastWEB

name 10.0.0.1 GW

name 10.0.0.97 PC_Espen

name x.x.x.50 ASA-peer

name x.x.171.161 FDL-VPN-peer

name 195.160.170.79 FDl_service-ip

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address GW 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ASA-peer 255.255.255.248

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service MS_SQL

service-object tcp eq 1433

service-object tcp eq sqlnet

object-group network FDL_VPN

network-object 10.0.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list outside_access_in remark test

access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 x.x.x.48 255.255.255.248 log

access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102

access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside

access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list VPN extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0

access-list inside_access_in extended permit ip any any log

access-list inside_access_in extended permit tcp any any

access-list inside_access_in remark test

access-list inside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log

access-list inside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

pager lines 24

logging enable

logging console informational

logging trap informational

logging asdm informational

logging facility 16

logging host inside PC_Espen

mtu inside 1500

mtu outside 1300

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 3 interface

global (outside) 2 interface

global (outside) 1 x.x.x.51 netmask 255.0.0.0

nat (inside) 10 access-list VPN

nat (inside) 2 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255

static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 4608000

crypto map inside_map 1 match address inside_cryptomap_1

crypto map inside_map 1 set pfs

crypto map inside_map 1 set peer FDL-VPN-peer

crypto map inside_map 1 set transform-set FDL

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.0.0.50-10.0.0.200 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

vpn-tunnel-protocol l2tp-ipsec webvpn

group-policy FDL internal

group-policy FDL attributes

vpn-idle-timeout none

vpn-filter value VPN

vpn-tunnel-protocol IPSec l2tp-ipsec

username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultWEBVPNGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group x.x.171.161 type ipsec-l2l

tunnel-group x.x.171.161 general-attributes

default-group-policy FDL

tunnel-group x.x.171.161 ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 15 retry 10

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:b4cb57a31f3c3ee66438e30af7686439

: end

Best regards,

Cato

Hello Cato,

Here is what I want you to change, as it's not properly set up:

nat (inside) 10 access-list VPN

access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

no access-list VPN extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0

no access-list inside_cryptomap_1 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I (think) I managed to make the suggested changes, but the tunnel still won't establish a connection.

I did a show crypto isakmp and got this output:

There are no isakmp sas

Global IKE Statistics

Active Tunnels: 0

Previous Tunnels: 1

In Octets: 2880

In Packets: 10

In Drop Packets: 0

In Notifys: 0

In P2 Exchanges: 0

In P2 Exchange Invalids: 0

In P2 Exchange Rejects: 0

In P2 Sa Delete Requests: 0

Out Octets: 3968

Out Packets: 25

Out Drop Packets: 0

Out Notifys: 0

Out P2 Exchanges: 7

Out P2 Exchange Invalids: 0

Out P2 Exchange Rejects: 0

Out P2 Sa Delete Requests: 7

Initiator Tunnels: 1

Initiator Fails: 0

Responder Fails: 0

System Capacity Fails: 0

Auth Fails: 0

Decrypt Fails: 0

Hash Valid Fails: 0

No Sa Fails: 0

Global IPSec over TCP Statistics

--------------------------------

Embryonic connections: 0

Active connections: 0

Previous connections: 0

Inbound packets: 0

Inbound dropped packets: 0

Outbound packets: 0

Outbound dropped packets: 0

RST packets: 0

Recevied ACK heart-beat packets: 0

Bad headers: 0

Bad trailers: 0

Timer failures: 0

Checksum errors: 0

Internal errors: 0

These are the policy requirements from the service provider:

Isakmp policy:

Encryption algorithm: AES256
Hash algorithm: SHA
Authentication method: Pre-Shared Key
Diffie-Hellman group: #5 (1536 bit)
Lifetime: 1440 min
Aggressive mode: None

Ipsec policy:

Encryption algorithm: AES256
Hash algorithm: SHA
Security association lifetime: 3600 seconds
Perfect forward secrecy: Group 2

As far as I can tell the tunnel should be configured according to these requirements?

This is the currently running config:

ASA Version 8.2(5)

!

hostname ciscoasa

enable password ####### encrypted

passwd ###### encrypted

names

name x.x.170.0 FirstDataLAN

name 85.252.49.19 FastWEB

name 10.0.0.1 GW

name 10.0.0.97 PC_Espen

name x.x.x.50 ASA-peer

name x.x.171.161 FDL-VPN-peer

name x.x.170.79 FDl_service-ip

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address GW 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ASA-peer 255.255.255.248

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service MS_SQL

service-object tcp eq 1433

service-object tcp eq sqlnet

object-group network FDL_VPN

network-object 10.0.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list outside_access_in remark test

access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip 84.49.73.48 255.255.255.248 FirstDataLAN 255.255.255.0 log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 84.49.73.48 255.255.255.248 log

access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102

access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside

access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0

access-list inside_access_in extended permit ip any any log

access-list inside_access_in extended permit tcp any any

access-list inside_access_in remark test

access-list inside_access_in extended permit ip 84.49.73.48 255.255.255.248 FirstDataLAN 255.255.255.0 log

access-list inside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

pager lines 24

logging enable

logging console informational

logging trap informational

logging asdm informational

logging facility 16

logging host inside PC_Espen

mtu inside 1500

mtu outside 1300

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 3 interface

global (outside) 2 interface

global (outside) 1 x.x.x.51 netmask 255.0.0.0

nat (inside) 10 access-list VPN

nat (inside) 2 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255

static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 4608000

crypto map inside_map 1 match address inside_cryptomap_2

crypto map inside_map 1 set pfs

crypto map inside_map 1 set peer FDL-VPN-peer

crypto map inside_map 1 set transform-set FDL

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.0.0.50-10.0.0.200 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

vpn-tunnel-protocol l2tp-ipsec webvpn

group-policy FDL internal

group-policy FDL attributes

vpn-idle-timeout none

vpn-filter value inside_cryptomap_1

vpn-tunnel-protocol IPSec l2tp-ipsec

username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultWEBVPNGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group x.x.171.161 type ipsec-l2l

tunnel-group x.x.171.161 general-attributes

default-group-policy FDL

tunnel-group x.x.171.161 ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 15 retry 10

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:403e2d4f17c5304ff1d9bd8252cb1886

: end

Best regards,

Cato

Hello Cato,

You are missing the global command for the NAT:

global (outside) 10 x.x.x.51

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hello,

I tried that but got this response:

"global for this range already exists"

Best regards,

Cato

Hello,

no global (outside) 1 x.x.x.51

global (outside) 10 x.x.x.51

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
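The two corrections in this thread (the crypto ACL must name the translated host x.x.x.51, and the policy NAT id 10 needs its own global) both follow from the ASA 8.2 order of operations: outbound traffic is NATed first and the crypto ACL is then evaluated against the post-NAT source. The following small simulator is an added example, not anything from the thread or from Cisco; the public addresses are constructed RFC 5737 placeholders for the masked x.x.x.N and x.x.170.0 values, and the NAT ordering it models is simplified to policy NAT before the catch-all dynamic rule.

```python
import ipaddress

LAN = ipaddress.ip_network("10.0.0.0/24")           # inside network from the thread
FIRSTDATA = ipaddress.ip_network("192.0.2.0/24")    # placeholder for FirstDataLAN (x.x.170.0/24)
NAT_IP = ipaddress.ip_address("203.0.113.51")       # placeholder for x.x.x.51
OUTSIDE_IP = ipaddress.ip_address("203.0.113.50")   # placeholder for the outside interface x.x.x.50


def acl_permits(acl, src, dst):
    """acl is a list of (src_net, dst_net) permit entries; first match wins."""
    return any(src in s and dst in d for s, d in acl)


def check_config(cfg):
    """Simulator-level sanity check: every nat id needs a global (outside) entry.
    This is the mismatch the thread hit (nat id 10 but the .51 global carried id 1)."""
    ids = [nat_id for nat_id, _ in cfg["policy_nat"]] + [cfg["catch_all_nat"]]
    return [f"nat id {i} has no global (outside) entry" for i in ids if i not in cfg["globals"]]


def translate(cfg, src, dst):
    """Simplified ASA 8.2 dynamic NAT order: policy NAT ('nat (inside) N access-list X')
    is consulted before the catch-all 'nat (inside) N 0.0.0.0 0.0.0.0'."""
    for nat_id, acl in cfg["policy_nat"]:
        if acl_permits(acl, src, dst):
            break
    else:
        nat_id = cfg["catch_all_nat"]
    g = cfg["globals"][nat_id]
    return OUTSIDE_IP if g == "interface" else g


def egress(cfg, src, dst):
    """Returns (source address the peer sees, True if the packet is encrypted).
    On the 8.2 code train the crypto ACL is matched against the post-NAT source."""
    xlated = translate(cfg, src, dst)
    return xlated, acl_permits(cfg["crypto_acl"], xlated, dst)


# Modelled on the first running config posted: policy NAT via id 10, the .51 global
# carrying id 1, and a crypto ACL that still names the private 10.0.0.0/24.
BEFORE = {
    "policy_nat": [(10, [(LAN, FIRSTDATA)])],
    "catch_all_nat": 2,
    "globals": {2: "interface", 1: NAT_IP},
    "crypto_acl": [(LAN, FIRSTDATA)],
}
# Global id corrected, but the crypto ACL left on the private subnet.
HALF_FIXED = dict(BEFORE, globals={2: "interface", 10: NAT_IP})
# Final state from the replies: global (outside) 10 x.x.x.51 and
# access-list inside_cryptomap_1 permit ip host x.x.x.51 FirstDataLAN 255.255.255.0
FIXED = dict(HALF_FIXED, crypto_acl=[(ipaddress.ip_network("203.0.113.51/32"), FIRSTDATA)])

PC = ipaddress.ip_address("10.0.0.97")              # PC_Espen
FDL_HOST = ipaddress.ip_address("192.0.2.79")       # placeholder for FDl_service-ip
INTERNET = ipaddress.ip_address("198.51.100.7")     # constructed non-VPN destination

if __name__ == "__main__":
    print("before:", check_config(BEFORE))
    print("half fixed:", egress(HALF_FIXED, PC, FDL_HOST))      # .51 leaves in the clear
    print("fixed, to FirstData:", egress(FIXED, PC, FDL_HOST))  # .51, encrypted
    print("fixed, to internet:", egress(FIXED, PC, INTERNET))   # .50, not encrypted
```

The HALF_FIXED case is the one worth remembering: the policy NAT works, but because the crypto ACL still matches the private address the traffic to the provider is translated to .51 and then forwarded unencrypted instead of entering the tunnel.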

Hello,

Thank you, that made me able to make the config change, but unfortunately the tunnel is still dead.

Best regards,

Cato

The configuration looks fine.

Please check the ciphers you are using for phase one and phase 2 with the ISP so you can ensure they match.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, I will do that, and thank you for all your help, it's highly appreciated.

Could I be so bold as to ask if you could have a last look at the current config? I just want to be sure that I haven't made a mistake with the last changes. What I did notice is that x.x.x.51 now seems to be x.x.x.48, which is our public network address?

ASA Version 8.2(5)

!

hostname ciscoasa

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

name x.x.170.0 FirstDataLAN

name 85.252.49.19 FastWEB

name 10.0.0.1 GW

name 10.0.0.97 PC_Espen

name x.x.x.50 ASA-peer

name x.x.171.161 FDL-VPN-peer

name x.x.170.79 FDl_service-ip

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address GW 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address ASA-peer 255.255.255.248

!

ftp mode passive

clock timezone CEST 1

clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group service MS_SQL

service-object tcp eq 1433

service-object tcp eq sqlnet

object-group network FDL_VPN

network-object 10.0.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list outside_access_in remark test

access-list outside_access_in extended permit ip host FDL-VPN-peer host ASA-peer log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip host ASA-peer host FDL-VPN-peer log

access-list outside_access_in remark test

access-list outside_access_in extended permit ip FirstDataLAN 255.255.255.0 x.x.x.48 255.255.255.248 log

access-list outside_access_in extended permit object-group MS_SQL host FastWEB host 10.0.0.102

access-list outside_access_in extended permit object-group MS_SQL host FastWEB interface outside

access-list VPN extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0

access-list inside_cryptomap_1 extended permit ip host x.x.x.51 FirstDataLAN 255.255.255.0

access-list inside_access_in extended permit ip any any log

access-list inside_access_in extended permit tcp any any

access-list inside_access_in remark test

access-list inside_access_in extended permit ip x.x.x.48 255.255.255.248 FirstDataLAN 255.255.255.0 log

access-list inside_cryptomap_2 extended permit ip 10.0.0.0 255.255.255.0 FirstDataLAN 255.255.255.0 inactive

pager lines 24

logging enable

logging console informational

logging trap informational

logging asdm informational

logging facility 16

logging host inside PC_Espen

mtu inside 1500

mtu outside 1300

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (inside) 3 interface

global (outside) 2 interface

global (outside) 10 x.x.x.51

nat (inside) 10 access-list VPN

nat (inside) 2 0.0.0.0 0.0.0.0

static (inside,outside) tcp interface 1433 10.0.0.102 1433 netmask 255.255.255.255

static (outside,inside) tcp 10.0.0.102 1433 FastWEB 1433 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 x.x.x.49 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.1.0 255.255.255.0 inside

http 10.0.0.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set FDL esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto ipsec security-association lifetime kilobytes 4608000

crypto map inside_map 1 match address inside_cryptomap_2

crypto map inside_map 1 set pfs

crypto map inside_map 1 set peer FDL-VPN-peer

crypto map inside_map 1 set transform-set FDL

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

telnet 10.0.0.0 255.255.255.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.0.0.50-10.0.0.200 inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy DfltGrpPolicy attributes

vpn-idle-timeout none

vpn-tunnel-protocol l2tp-ipsec webvpn

group-policy FDL internal

group-policy FDL attributes

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec

username user1 password nIsrUp5YwmRLVu/4 encrypted privilege 15

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultWEBVPNGroup ipsec-attributes

isakmp keepalive threshold 15 retry 2

tunnel-group x.x.171.161 type ipsec-l2l

tunnel-group x.x.171.161 general-attributes

default-group-policy FDL

tunnel-group x.x.171.161 ipsec-attributes

pre-shared-key *****

isakmp keepalive threshold 15 retry 10

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:03694ab933eb8d601d677fcf0afe7e8f

: end

Best regards,

Cato
