site to site between ASA 5510 (8.4(2)) w/ static IP and Dlink DIR130 w/ dynamic IP.

Answered Question
Jul 18th, 2012

I'm trying to set up a site-to-site VPN link between the ASA 5510 that we use exclusively as a VPN endpoint on campus and a D-Link DIR130 VPN router off campus, at a local business with a dynamically assigned IP. We currently use the ASA for remote-access users who use the Cisco VPN client on mobile devices, as well as for a single site-to-site link to our telecom provider for the purposes of monitoring telecom equipment remotely.

We are looking for a way to cheaply deploy secure VPN connections to local businesses to allow them to use point-of-sale devices which connect back to systems on campus, so students can use their meal cards at local restaurants, similarly to how they use them at the on-campus cafeteria.

I have experience configuring Cisco switches, APs and routers, but this ASA device absolutely baffles me. I've futzed around with the ASDM 6.4 GUI config and tried to match up configurations between the DIR130 and the ASA, but I can never get a VPN connection to come up. Anyone who can point me to an example, or provide me with help on this, would be appreciated. I've Google-searched and found very little that, with my limited experience in ASA configuration, I can apply to my scenario.

Correct Answer by Jennifer Halim about 5 years 1 month ago

You got it, spot on!!

Correct Answer by Jennifer Halim about 5 years 1 month ago

Excellent...

Yes, just check the output of "show cry ipsec sa peer ", and if you see the encrypt and decrypt counters increasing, you are all good.

Correct Answer by Jennifer Halim about 5 years 1 month ago

You would need to configure a static route on the 6509 for 192.168.5.0/24 towards the ASA inside interface:

ip route 192.168.5.0 255.255.255.0 131.162.160.2

Assuming that 131.162.160.1 is your 6509.
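Added example (editor's code, not from the thread): the two answers above boil down to one diagnostic. Sample "show crypto ipsec sa peer <ip>" twice, compare the encrypt/decrypt counters, and the pattern tells you which side to look at: encrypts rising with decrypts flat means the far end never sends back; decrypts rising with encrypts flat is the classic symptom of the missing return route on the campus core (the 6509 static route above). The counter line format is reproduced from memory of ASA output, the two snapshots are constructed with made-up counter values, and the status labels are the editor's own.

```python
import re

# Per-SA counters as printed by the ASA, e.g.
#   #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
#   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#   #send errors: 0, #recv errors: 0
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")

ADVICE = {
    "healthy": "both directions carry traffic; the tunnel is passing data",
    "no-return-traffic": "we encrypt but never decrypt: the far side is not sending back, "
                         "so check the remote peer's crypto ACL and its route for our subnet",
    "no-outbound-traffic": "we decrypt but never encrypt: replies from our network are not "
                           "reaching the ASA, so check the inside route for the remote subnet "
                           "(on the core switch) and the NAT exemption",
    "idle": "no packets matched the crypto ACL in either direction; generate traffic "
            "between the two subnets and sample again",
}


def parse_counters(output):
    """Sum the encrypt/decrypt and send/recv error counters in one
    'show crypto ipsec sa peer <ip>' capture (several SAs for a peer are summed)."""
    counts = {"encrypt": 0, "decrypt": 0, "send_errors": 0, "recv_errors": 0}
    for m in COUNTER_RE.finditer(output):
        counts[m.group(1)] += int(m.group(2))
    for m in ERROR_RE.finditer(output):
        counts[m.group(1) + "_errors"] += int(m.group(2))
    return counts


def diagnose_counters(before, after):
    """Classify the delta between two samples; returns (status, advice)."""
    enc = after["encrypt"] - before["encrypt"]
    dec = after["decrypt"] - before["decrypt"]
    if enc > 0 and dec > 0:
        status = "healthy"
    elif enc > 0:
        status = "no-return-traffic"
    elif dec > 0:
        status = "no-outbound-traffic"
    else:
        status = "idle"
    advice = ADVICE[status]
    errs = (after["send_errors"] - before["send_errors"]) + (after["recv_errors"] - before["recv_errors"])
    if errs > 0:
        advice += f"; {errs} new send/recv errors were logged on the SA"
    return status, advice


def diagnose(before_output, after_output):
    return diagnose_counters(parse_counters(before_output), parse_counters(after_output))


# Constructed snapshots a minute apart; peer and subnets mirror the thread's
# Bell Aliant tunnel, the counter values are invented.
BEFORE = """\
peer address: 142.166.74.148
    Crypto map tag: outside_map, seq num: 2, local addr: 131.162.6.3

      local ident (addr/mask/prot/port): (10.187.18.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (207.179.141.0/255.255.255.128/0/0)
      current_peer: 142.166.74.148

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
AFTER = BEFORE.replace("1500", "1820")

if __name__ == "__main__":
    status, advice = diagnose(BEFORE, AFTER)
    print(f"{status}: {advice}")
```

On the ASA the same picture comes from the "show cry ipsec sa peer" output Jennifer refers to; the script only automates reading it, so it is equally usable on copy-pasted terminal output from a ticket.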

Overall Rating: 5 (3 ratings)
Jennifer Halim (Cisco Employee) Wed, 07/18/2012 - 08:25

Please share your current configuration on the ASA, and also your requirement (IKE policy, IPSec policy, local and remote subnets).
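Added example (editor's code, not from the thread): a Python script that pulls exactly what this reply asks for out of an ASA 8.4 running-config and reviews it the way a second pair of eyes would. It resolves each static crypto map entry to its peer, its crypto ACL and the local/remote subnets (following 8.3+ network objects), flags transform sets that still allow DES or MD5, reports crypto maps that are defined but never applied to an interface, and notes "http 0.0.0.0 0.0.0.0 outside" style management exposure. The sample excerpt is constructed from lines of the config posted further down; because that config is cut off on the page, a missing "crypto ikev1 policy" in the excerpt says nothing about the real device. The parser covers only the command forms used here.

```python
import re
from collections import defaultdict

# ESP algorithms a reviewer flags in an IKEv1 transform set. DES and MD5 are
# long deprecated; 3DES is legacy but was still common on 2012-era gear, so it
# is left out of the "weak" list here rather than over-claiming.
WEAK_ALGOS = {"esp-des": "DES", "esp-md5-hmac": "MD5"}


def _resolve(tokens, objects):
    """Turn ACL endpoint tokens ('object X', 'host A', 'A MASK', 'any') into strings."""
    out, i = [], 0
    while i < len(tokens):
        t = tokens[i]
        if t == "any":
            out.append("any"); i += 1
        elif t == "object":
            out.append(objects.get(tokens[i + 1], tokens[i + 1])); i += 2
        elif t == "host":
            out.append(tokens[i + 1]); i += 2
        else:
            out.append(f"{t}/{tokens[i + 1]}"); i += 2
    return out


def audit_asa_config(text):
    """Summarise the site-to-site crypto pieces of an ASA 8.4 running-config.
    Line-based and limited to the command forms used in this thread; it is an
    illustrative audit, not a full ASA configuration parser."""
    objects, transform_sets, acls = {}, {}, defaultdict(list)
    maps = defaultdict(dict)          # (map name, seq) -> {'acl', 'peer', 'transform_sets'}
    applied, ikev1_policies, findings = set(), set(), []
    current_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if current_obj and (m := re.match(r"(subnet|host) (\S+)(?: (\S+))?$", line)):
            objects[current_obj] = m.group(2) + (f"/{m.group(3)}" if m.group(3) else "")
            continue
        current_obj = None                # any other command ends the object block
        if m := re.match(r"object network (\S+)$", line):
            current_obj = m.group(1)
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)$", line):
            acls[m.group(1)].append(m.group(2).split())
        elif m := re.match(r"crypto map (\S+) interface \S+$", line):
            applied.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)$", line):
            key, what, arg = (m.group(1), int(m.group(2))), m.group(3), m.group(4)
            field = {"match address": "acl", "set peer": "peer"}.get(what, "transform_sets")
            maps[key][field] = arg.split() if field == "transform_sets" else arg
        elif m := re.match(r"crypto ikev1 policy (\d+)$", line):
            ikev1_policies.add(int(m.group(1)))
        elif m := re.match(r"http 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line):
            findings.append(f"HTTPS/ASDM management reachable from any source on interface {m.group(1)}")
    tunnels = []
    for (name, seq), entry in sorted(maps.items()):
        if "acl" not in entry:            # dynamic entries carry no static ACL
            continue
        pairs = [_resolve(t, objects) for t in acls.get(entry["acl"], [])]
        weak = sorted({WEAK_ALGOS[a] for ts in entry.get("transform_sets", [])
                       for a in transform_sets.get(ts, []) if a in WEAK_ALGOS})
        tunnels.append({"map": name, "seq": seq, "peer": entry.get("peer"),
                        "acl": entry["acl"], "subnets": pairs, "weak": weak})
        if weak:
            findings.append(f"crypto map {name} {seq}: transform sets allow {', '.join(weak)}")
        if not pairs:
            findings.append(f"crypto map {name} {seq}: ACL {entry['acl']} matches no traffic")
    for name in sorted({n for n, _ in maps} - applied):
        findings.append(f"crypto map {name} is defined but not applied to any interface")
    if not ikev1_policies:
        findings.append("no 'crypto ikev1 policy' in this excerpt: phase 1 cannot negotiate")
    return {"tunnels": tunnels, "findings": findings}


# Constructed excerpt assembled from lines of the config posted in this thread.
SAMPLE_CONFIG = """\
object network obj-10.187.0.0
 subnet 10.187.18.0 255.255.255.0
object network Bell_Aliant_207.179.141.0
 subnet 207.179.141.0 255.255.255.128
access-list outside_cryptomap_1 extended permit ip object obj-10.187.0.0 object Bell_Aliant_207.179.141.0
access-list outside_1_cryptomap extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 142.166.74.148
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map ALIANT 1 match address outside_1_cryptomap
crypto map ALIANT 1 set peer 142.166.74.148
crypto map ALIANT 1 set ikev1 transform-set ESP-3DES-MD5
"""

if __name__ == "__main__":
    report = audit_asa_config(SAMPLE_CONFIG)
    for t in report["tunnels"]:
        print(f"{t['map']} {t['seq']} -> peer {t['peer']} via {t['acl']}: {t['subnets']}")
    for f in report["findings"]:
        print("finding:", f)
```

Run it against "show running-config" output saved to a file; the tunnel summary is what a peer's administrator needs to mirror on the other end (local and remote subnets, peer address, transform set), and the findings list is the pre-flight review before the second tunnel to the D-Link is added.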

sean.a.murphy Wed, 07/18/2012 - 08:32

Begin ASA Config


: Saved

: Written by ASAADMIN at 08:49:15.576 ADT Tue May 8 2012

!

ASA Version 8.4(2)

!

hostname ciscoasa

domain-name acadiau.ca

enable password * encrypted

passwd * encrypted

names

name 131.162.0.0 acadia description acadia's network

!

interface Ethernet0/0

description Outside interface

nameif outside

security-level 0

ip address 131.162.6.3 255.255.255.0

!

interface Ethernet0/1

description Inside Interface

nameif inside

security-level 100

ip address 131.162.160.2 255.255.248.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone AST -4

clock summer-time ADT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 131.162.200.67

domain-name acadiau.ca

object network obj-131.162.64.0

subnet 131.162.64.0 255.255.255.0

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network obj-10.187.0.0

subnet 10.187.18.0 255.255.255.0

object network pbx_allowed

host 24.215.86.154

object network Bell_Aliant_207.179.141.0

subnet 207.179.141.0 255.255.255.128

object network obj-10.187.18.1

host 10.187.18.1

object network obj-10.187.18.2

host 10.187.18.2

object network obj-10.187.18.3

host 10.187.18.3

object network obj-10.187.18.4

host 10.187.18.4

object network obj-131.162.10.249

host 131.162.10.249

object network obj-131.162.9.2

host 131.162.9.2

object network obj-131.162.9.3

host 131.162.9.3

object network obj-131.162.11.30

host 131.162.11.30

object network obj-10.187.18.200

host 10.187.18.200

object network obj-10.187.18.254

host 10.187.18.254

object network obj-131.162.9.200

host 131.162.9.200

object network obj-131.162.9.254

host 131.162.9.254

object network obj-131.162.9.249

host 131.162.9.249

object network obj-10.187.18.249

host 10.187.18.249

access-list acadia-standard_splitTunnelAcl standard permit 131.162.0.0 255.255.0.0

access-list inside_nat0_outbound extended permit ip any 131.162.64.0 255.255.255.0

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit udp any any eq netbios-dgm

access-list inside_access_in extended permit udp any any eq netbios-ns

access-list outside_access_in extended permit udp any any eq netbios-dgm

access-list outside_access_in extended permit udp any any eq netbios-ns

access-list outside_access_in extended permit udp host 142.166.74.148 any eq isakmp

access-list outside_access_in extended permit esp host 142.166.74.148 any

access-list outside_access_in extended permit udp host 142.166.74.148 any eq 4500

access-list test extended permit ip host 131.162.137.86 host 131.162.160.2

access-list test extended permit ip host 131.162.160.2 host 131.162.137.86

access-list splittunnel remark Acadia network

access-list splittunnel standard permit 131.162.0.0 255.255.0.0

access-list outside_cryptomap extended permit ip object obj-10.187.0.0 object Bell_Aliant_207.179.141.0

access-list outside_cryptomap_1 extended permit ip object obj-10.187.0.0 object Bell_Aliant_207.179.141.0

access-list ipsec-conn extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list nonat extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list ipsec-con extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list VPN_NAT extended permit ip 131.162.9.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list VPN_NAT extended permit ip 131.162.10.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list VPN_NAT extended permit ip 131.162.11.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list outside_1_cryptomap extended permit ip 10.187.18.0 255.255.255.0 207.179.141.0 255.255.255.128

access-list OUTSIDE extended permit udp host 142.166.74.148 any eq isakmp

access-list OUTSIDE extended permit udp host 142.166.74.148 any eq 4500

access-list OUTSIDE extended permit esp host 142.166.74.148 any

pager lines 24

logging enable

logging timestamp

logging monitor debugging

logging buffered informational

logging trap notifications

logging history informational

logging asdm informational

logging facility 22

logging host inside 131.162.137.234

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool PBX-Pool 10.200.0.0-10.200.0.100 mask 255.255.255.0

ip local pool Acadia-Pool 131.162.64.10-131.162.64.100 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

asdm image disk0:/asdm-645-106.bin

asdm history enable

arp timeout 14400

nat (inside,outside) source static obj-131.162.10.249 obj-10.187.18.1 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0

nat (inside,outside) source static obj-131.162.9.2 obj-10.187.18.2 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0

nat (inside,outside) source static obj-131.162.9.3 obj-10.187.18.3 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0

nat (inside,outside) source static obj-131.162.11.30 obj-10.187.18.4 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0

nat (inside,any) source static any any destination static obj-131.162.64.0 obj-131.162.64.0

nat (inside,any) source static any any destination static obj-10.187.0.0 obj-10.187.0.0

nat (inside,outside) source static obj-131.162.9.200 obj-10.187.18.200 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0

nat (inside,outside) source static obj-131.162.9.249 obj-10.187.18.249 destination static Bell_Aliant_207.179.141.0 Bell_Aliant_207.179.141.0

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj-10.187.0.0

nat (inside,outside) static 131.162.11.30

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 131.162.6.2 1

route inside acadia 255.255.0.0 131.162.160.1 1

route inside 0.0.0.0 0.0.0.0 131.162.160.1 tunneled

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server Acadia-AD protocol radius

aaa-server Acadia-AD (inside) host 131.162.200.67

key *****

radius-common-pw *

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

http acadia 255.255.0.0 inside

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set peer 142.166.74.148

crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map ALIANT 1 match address outside_1_cryptomap

crypto map ALIANT 1 set peer 142.166.74.148

crypto map ALIANT 1 set ikev1 transform-set ESP-3DES-MD5

crypto map ALIANT 1 set nat-t-disable

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

fqdn ciscoasa

subject-name CN=131.162.6.3

keypair ASDM_TrustPoint0

no client-types

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

fqdn ciscoasa

subject-name CN=ciscoasa

crl configure

crypto ca trustpoint vpn.asa.trustpoint

enrollment terminal

fqdn acadia-vpn.acadiau.ca

subject-name CN=acadia-vpn.acadiau.ca,OU=Technology Services,O=Acadia University,C=CA,St=Nova Scotia,L=Wolfville

keypair vpn.asa

crl configure

crypto ca trustpoint acadia-vpn-09

enrollment terminal

fqdn acadia-vpn.acadiau.ca

subject-name CN=acadia-vpn.acadiau.ca,OU=Technology services,O=Acadia University,C=CA,St=Nova Scotia,L=Wolfville

keypair acadia-vpn-09

crl configure

crypto ca trustpoint ASDM_TrustPoint2

enrollment terminal

crl configure

crypto ca trustpoint ASDM_TrustPoint3

crl configure

crypto ca trustpoint ASDM_TrustPoint4

keypair ASDM_TrustPoint4

crl configure

crypto ca trustpoint ASDM_TrustPoint5

keypair ASDM_TrustPoint5

no client-types

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 31

    308201d2 3082013b a0030201 02020131 300d0609 2a864886 f70d0101 04050030

    2f311430 12060355 0403130b 3133312e 3136322e 362e3331 17301506 092a8648

    86f70d01 09021608 63697363 6f617361 301e170d 30333031 30313030 31383234

    5a170d31 32313232 39303031 3832345a 302f3114 30120603 55040313 0b313331

    2e313632 2e362e33 31173015 06092a86 4886f70d 01090216 08636973 636f6173

    6130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100c6a0

    22ba9438 adbe45f1 32db4a68 9ce4f057 2b990e41 4f7d031c c4458eee 00da694f

    65f6ab10 0debf870 baa5eddd 2b739abd 22a3fe30 c32b97bb e90eabee 404fa176

    823a999d 4f3077c9 a5bb7fbb b7aaedb6 a1fadc3b 9feed581 dcb5dbdb 1435be31

    f66cfd66 698a23e4 2f75a69c ef636b6e 055b9ae6 4a4f2972 752179c8 5a3d0203

    01000130 0d06092a 864886f7 0d010104 05000381 81009598 049be3ad a67a2801

    35d14ce6 530a91b0 7f2122ce d521c5a0 1d8d0a87 556c2169 de1405ee b5ed027b

    e74b9b77 718c77d6 8c1a242a baf12365 c957d89f ab8d5524 ae548aa0 d69392b2

    4de41764 2f033a8b dccce028 542c2de9 4afff20c 124a2353 f83f6dd8 0fe636e7

    0309bc82 6618631b 31ed3fea 0b74726d 9f359776 d4ee

  quit

crypto ca certificate chain vpn.asa.trustpoint

certificate 42207a6930db37d59f671e154f0b4ebb

    3082038d 308202f6 a0030201 02021042 207a6930 db37d59f 671e154f 0b4ebb30

    0d06092a 864886f7 0d010105 05003081 ce310b30 09060355 04061302 5a413115

    30130603 55040813 0c576573 7465726e 20436170 65311230 10060355 04071309

    43617065 20546f77 6e311d30 1b060355 040a1314 54686177 74652043 6f6e7375

    6c74696e 67206363 31283026 06035504 0b131f43 65727469 66696361 74696f6e

    20536572 76696365 73204469 76697369 6f6e3121 301f0603 55040313 18546861

    77746520 5072656d 69756d20 53657276 65722043 41312830 2606092a 864886f7

    0d010901 16197072 656d6975 6d2d7365 72766572 40746861 7774652e 636f6d30

    1e170d30 38313032 31313134 3834365a 170d3039 31303231 31313438 34365a30

    8191310b 30090603 55040613 02434131 14301206 03550408 130b4e6f 76612053

    636f7469 61311230 10060355 04071309 576f6c66 76696c6c 65311a30 18060355

    040a1311 41636164 69612055 6e697665 72736974 79311c30 1a060355 040b1313

    54656368 6e6f6c6f 67792053 65727669 63657331 1e301c06 03550403 13156163

    61646961 2d76706e 2e616361 64696175 2e636130 819f300d 06092a86 4886f70d

    01010105 0003818d 00308189 02818100 b5da2b6f 0fedca03 99993b8e 8c852d02

    e46d8b1b 58400868 31dced5d 1cbd8938 cc050c73 6bc57952 6f517fcf 8a660261

    0b03e7a5 1f033c24 8791fce5 05933054 d9ec344a e81753ad d253c247 920ffe9a

    aac9149e 5899210e ef82b17b 0753e869 83731d29 507f94b6 70e4deff dd5d3b1c

    0c0682d1 fb8c0036 8bc7450d b091a565 02030100 01a381a6 3081a330 1d060355

    1d250416 30140608 2b060105 05070301 06082b06 01050507 03023040 0603551d

    1f043930 373035a0 33a03186 2f687474 703a2f2f 63726c2e 74686177 74652e63

    6f6d2f54 68617774 65507265 6d69756d 53657276 65724341 2e63726c 30320608

    2b060105 05070101 04263024 30220608 2b060105 05073001 86166874 74703a2f

    2f6f6373 702e7468 61777465 2e636f6d 300c0603 551d1301 01ff0402 3000300d

    06092a86 4886f70d 01010505 00038181 004cf6fc 5621c6f3 db994705 950a56d5

    761df1f9 b4f125df 9a8cb530 d1429ea0 f2ffaefa 99ddb611 fc853755 e3a6cbb3

    1f46be43 df9f1466 af0f28e5 ffb6e5bf 1f01fa4a 2736bdaa 6cf382a1 a34e8460

    2eea2c98 eec883a1 c12ed948 f6de741b 57ea464a fe0ca4da 817d5016 ea7c70eb

    7b11ec27 b823d8d0 206d33c0 9ebf6993 38

  quit

crypto ca certificate chain acadia-vpn-09

certificate 38b105d2948ffa5322d45c4294cc353c

    3082038d 308202f6 a0030201 02021038 b105d294 8ffa5322 d45c4294 cc353c30

    0d06092a 864886f7 0d010105 05003081 ce310b30 09060355 04061302 5a413115

    30130603 55040813 0c576573 7465726e 20436170 65311230 10060355 04071309

    43617065 20546f77 6e311d30 1b060355 040a1314 54686177 74652043 6f6e7375

    6c74696e 67206363 31283026 06035504 0b131f43 65727469 66696361 74696f6e

    20536572 76696365 73204469 76697369 6f6e3121 301f0603 55040313 18546861

    77746520 5072656d 69756d20 53657276 65722043 41312830 2606092a 864886f7

    0d010901 16197072 656d6975 6d2d7365 72766572 40746861 7774652e 636f6d30

    1e170d30 39313030 37313731 3134345a 170d3130 31303231 31313438 34365a30

    8191310b 30090603 55040613 02434131 14301206 03550408 130b4e6f 76612053

    636f7469 61311230 10060355 04071309 576f6c66 76696c6c 65311a30 18060355

    040a1311 41636164 69612055 6e697665 72736974 79311c30 1a060355 040b1313

    54656368 6e6f6c6f 67792073 65727669 63657331 1e301c06 03550403 13156163

    61646961 2d76706e 2e616361 64696175 2e636130 819f300d 06092a86 4886f70d

    01010105 0003818d 00308189 02818100 abbd7835 707d54de 6abbf857 60c72fbd

    c094bf1d 56c337ad b31dbf15 4e07513c c599b8ed f5737390 ebcb226c 75886f9a

    7609607c 98c0dda7 267491fb 67f14b03 d2930cdf ee2a2082 8e66761c b73e4f72

    b6680ae1 797c79ac 49a86fd6 990dfcf4 a79fd702 95cd1619 8e61e53c da48504d

    49b46c0b f7238572 0a952347 59da82f9 02030100 01a381a6 3081a330 1d060355

    1d250416 30140608 2b060105 05070301 06082b06 01050507 03023040 0603551d

    1f043930 373035a0 33a03186 2f687474 703a2f2f 63726c2e 74686177 74652e63

    6f6d2f54 68617774 65507265 6d69756d 53657276 65724341 2e63726c 30320608

    2b060105 05070101 04263024 30220608 2b060105 05073001 86166874 74703a2f

    2f6f6373 702e7468 61777465 2e636f6d 300c0603 551d1301 01ff0402 3000300d

    06092a86 4886f70d 01010505 00038181 005ede67 76cde6c7 125f4f40 63cfb175

    a0080077 7aa214f5 f0e9148c d8cf1ade 8b882f3f 5d922c09 cbcb0321 f281f95f

    3fb3e5d8 a1b32b56 97c5e019 0e363691 dbb222d3 9906d61c d72b82e5 fa82a656

    d5817dae 28462e57 10b6310a 6c9010dc 6825d5d6 85997aa0 47b9e0e4 9a3fa094

    e008d7c0 7157e5fb 7a1b137b 2ccf2a54 f6

  quit

crypto ca certificate chain ASDM_TrustPoint2

certificate ca 0851f959814145cabde024e212c9c20e

    30820655 3082053d a0030201 02021008 51f95981 4145cabd e024e212 c9c20e30

    0d06092a 864886f7 0d010105 0500306c 310b3009 06035504 06130255 53311530

    13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077

    77772e64 69676963 6572742e 636f6d31 2b302906 03550403 13224469 67694365

    72742048 69676820 41737375 72616e63 65204556 20526f6f 74204341 301e170d

    30373034 30333030 30303030 5a170d32 32303430 33303030 3030305a 3066310b

    30090603 55040613 02555331 15301306 0355040a 130c4469 67694365 72742049

    6e633119 30170603 55040b13 10777777 2e646967 69636572 742e636f 6d312530

    23060355 0403131c 44696769 43657274 20486967 68204173 73757261 6e636520

    43412d33 30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a

    02820101 00bf610a 29101f5e fe343751 08f81efb 22ed61be 0b0d704c 50632675

    15b94188 97b6f0a0 15bb0860 e042e805 29108736 8a2865a8 ef310774 6d36972f

    28466604 c72a7926 7a99d58e c36d4fa0 5eadbc3d 91c2597b 5e366cc0 53cf0008

    323e1064 58101369 c70cee9c 425100f9 0544ee24 ce7a1fed 8c11bd12 a8f315f4

    1c7a3169 011ba7e6 5dc09a6c 7e099ee7 52444a10 3a23e49b b603afa8 9cb45b9f

    d44bad92 8cceb511 2aaa3718 8db4c2b8 d85c068c f8ff23bd 355ed47c 3e7e830e

    91960598 c3b21fe3 c865eba9 7b5da02c ccfc3cd9 6dedccfa 4b438cc9 d4b8a561

    1cb240b6 2812dfb9 f85ffed3 b2c9ef3d b41e4b7c 1c4c9936 9e3debec a7685e1d

    df676e5e fb020301 0001a382 02f73082 02f3300e 0603551d 0f0101ff 04040302

    01863082 01c60603 551d2004 8201bd30 8201b930 8201b506 0b608648 0186fd6c

    01030002 308201a4 303a0608 2b060105 05070201 162e6874 74703a2f 2f777777

    2e646967 69636572 742e636f 6d2f7373 6c2d6370 732d7265 706f7369 746f7279

    2e68746d 30820164 06082b06 01050507 02023082 01561e82 01520041 006e0079

    00200075 00730065 0020006f 00660020 00740068 00690073 00200043 00650072

    00740069 00660069 00630061 00740065 00200063 006f006e 00730074 00690074

    00750074 00650073 00200061 00630063 00650070 00740061 006e0063 00650020

    006f0066 00200074 00680065 00200044 00690067 00690043 00650072 00740020

    00430050 002f0043 00500053 00200061 006e0064 00200074 00680065 00200052

    0065006c 00790069 006e0067 00200050 00610072 00740079 00200041 00670072

    00650065 006d0065 006e0074 00200077 00680069 00630068 0020006c 0069006d

    00690074 0020006c 00690061 00620069 006c0069 00740079 00200061 006e0064

    00200061 00720065 00200069 006e0063 006f0072 0070006f 00720061 00740065

    00640020 00680065 00720065 0069006e 00200062 00790020 00720065 00660065

    00720065 006e0063 0065002e 300f0603 551d1301 01ff0405 30030101 ff303406

    082b0601 05050701 01042830 26302406 082b0601 05050730 01861868 7474703a

    2f2f6f63 73702e64 69676963 6572742e 636f6d30 818f0603 551d1f04 81873081

    843040a0 3ea03c86 3a687474 703a2f2f 63726c33 2e646967 69636572 742e636f

    6d2f4469 67694365 72744869 67684173 73757261 6e636545 56526f6f 7443412e

    63726c30 40a03ea0 3c863a68 7474703a 2f2f6372 6c342e64 69676963 6572742e

    636f6d2f 44696769 43657274 48696768 41737375 72616e63 65455652 6f6f7443

    412e6372 6c301f06 03551d23 04183016 8014b13e c36903f8 bf4701d4 98261a08

    02ef6364 2bc3301d 0603551d 0e041604 1450ea73 89db29fb 108f9ee5 0120d4de

    79994883 f7300d06 092a8648 86f70d01 01050500 03820101 005d4f84 f1a888d3

    a3b2bc9c 6de52949 77e1e7d6 dca9d835 aec971dc e5dbdc9d 242190a6 cfb7011c

    9bd45797 91d77516 a512d7b9 3d2e893d 39698ad6 3537f9f1 21c45b40 ad59a92f

    5f3a0029 43277103 e4bd3032 55a6fe84 0e0b9b38 192c437c ac43bf75 31e5231c

    4555b769 0891b5cf d7d5b15e ee9f94e4 d67ab918 c3b8d652 631c10ba 8b2f6d5d

    cc0538f4 56056def 9eece861 360c144b 85145a0c 834f225c 59cb8c8a 71dafac5

    108458cf 07eee390 c2f5f929 c75a2371 f959b464 2b88b0a7 36c79a20 61ebfa4e

    b5ae6b1b e4e3ece2 d93c4149 a820a454 f5928dbb c0552004 a6d8b017 16cce3d0

    c8b43de5 d984c6d3 f66e6d78 c97943e8 7a37ff5c 3549bfa1 c5

  quit

crypto ca certificate chain ASDM_TrustPoint4

certificate 01288f785bc34867bd32c1ed63f69627

    3082064f 30820537 a0030201 02021001 288f785b c34867bd 32c1ed63 f6962730

    0d06092a 864886f7 0d010105 05003066 310b3009 06035504 06130255 53311530

    13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077

    77772e64 69676963 6572742e 636f6d31 25302306 03550403 131c4469 67694365

    72742048 69676820 41737375 72616e63 65204341 2d33301e 170d3130 30343233

    30303030 30305a17 0d313130 36323632 33353935 395a3081 88310b30 09060355

    04061302 43413114 30120603 55040813 0b4e6f76 61205363 6f746961 31123010

    06035504 07130957 6f6c6676 696c6c65 311a3018 06035504 0a131141 63616469

    6120556e 69766572 73697479 311c301a 06035504 0b131354 6563686e 6f6c6f67

    79205365 72766963 65733115 30130603 55040314 0c2a2e61 63616469 61752e63

    6130819f 300d0609 2a864886 f70d0101 01050003 818d0030 81890281 8100ab73

    7e1529b8 30bf80f7 1ed2539e ae074063 714dbdb0 fe3c41d8 fc637bdf 1133892a

    18196e31 865a1649 e954f94d 56404eae 522c2e6f 60c1f5fb 6c4290b0 974e9364

    7e7ea92b c30ce414 495236e2 bc08a7bc ef5eafc8 9a3b7b05 215f1a49 8ed572e4

    a15035ce afaec858 6e41afb5 26255eae 96b9094c d765712e 61ceebd4 eec10203

    010001a3 82035830 82035430 1f060355 1d230418 30168014 50ea7389 db29fb10

    8f9ee501 20d4de79 994883f7 301d0603 551d0e04 16041423 b5dcbf30 8db6fcf5

    daef4793 5187e241 03e74f30 23060355 1d11041c 301a820c 2a2e6163 61646961

    752e6361 820a6163 61646961 752e6361 307f0608 2b060105 05070101 04733071

    30240608 2b060105 05073001 86186874 74703a2f 2f6f6373 702e6469 67696365

    72742e63 6f6d3049 06082b06 01050507 3002863d 68747470 3a2f2f77 77772e64

    69676963 6572742e 636f6d2f 43414365 7274732f 44696769 43657274 48696768

    41737375 72616e63 6543412d 332e6372 74300e06 03551d0f 0101ff04 04030205

    a0300c06 03551d13 0101ff04 02300030 65060355 1d1f045e 305c302c a02aa028

    86266874 74703a2f 2f63726c 332e6469 67696365 72742e63 6f6d2f63 61332d32

    30313064 2e63726c 302ca02a a0288626 68747470 3a2f2f63 726c342e 64696769

    63657274 2e636f6d 2f636133 2d323031 30642e63 726c3082 01c60603 551d2004

    8201bd30 8201b930 8201b506 0b608648 0186fd6c 01030001 308201a4 303a0608

    2b060105 05070201 162e6874 74703a2f 2f777777 2e646967 69636572 742e636f

    6d2f7373 6c2d6370 732d7265 706f7369 746f7279 2e68746d 30820164 06082b06

    01050507 02023082 01561e82 01520041 006e0079 00200075 00730065 0020006f

    00660020 00740068 00690073 00200043 00650072 00740069 00660069 00630061

    00740065 00200063 006f006e 00730074 00690074 00750074 00650073 00200061

    00630063 00650070 00740061 006e0063 00650020 006f0066 00200074 00680065

    00200044 00690067 00690043 00650072 00740020 00430050 002f0043 00500053

    00200061 006e0064 00200074 00680065 00200052 0065006c 00790069 006e0067

    00200050 00610072 00740079 00200041 00670072 00650065 006d0065 006e0074

    00200077 00680069 00630068 0020006c 0069006d 00690074 0020006c 00690061

    00620069 006c0069 00740079 00200061 006e0064 00200061 00720065 00200069

    006e0063 006f0072 0070006f 00720061 00740065 00640020 00680065 00720065

    0069006e 00200062 00790020 00720065 00660065 00720065 006e0063 0065002e

    301d0603 551d2504 16301406 082b0601 05050703 0106082b 06010505 07030230

    0d06092a 864886f7 0d010105 05000382 01010040 b27e68df 812bdf87 ca0c9e52

    8f381272 a241c0b9 efa83cd5 2876ca29 33348976 801c9c5b 1ac55f65 bdc370d3

    81fb1229 fc541368 e296786f 283ef3c9 f9f8b896 3f892cf5 6426cf54 ba8e8ec1

    88614044 62c8b5be 4aef7e42 6c2af898 1200c29a 658b16a6 1152c347 5be186e8

    55f6fe88 32b6dfe0 7ba19b95 a0b57041 09617002 f0cf6443 aa11c249 789661c6

    79206f59 0880b972 a4ac9496 31ecbce1 81aa5d99 24e85498 2b0f079e ee164c81

    8f6baf2f e4c4e438 cfc7f5c0 36c49f70 c9ba2eab d5f1c9f1 a2ae1e05 bff91221

    568888e5 2806ecd8 28471c3d 303815d0 dc735cd4 5e30d515 ad3d430d 4757fe19

    d2847f26 a0f3d835 9d8e89ee 69bc61d3 23ef20

  quit

crypto ca certificate chain ASDM_TrustPoint5

certificate 044313873b8366b9d531659000caae4a

    308206ae 30820596 a0030201 02021004 4313873b 8366b9d5 31659000 caae4a30

    0d06092a 864886f7 0d010105 05003066 310b3009 06035504 06130255 53311530

    13060355 040a130c 44696769 43657274 20496e63 31193017 06035504 0b131077

    77772e64 69676963 6572742e 636f6d31 25302306 03550403 131c4469 67694365

    72742048 69676820 41737375 72616e63 65204341 2d33301e 170d3131 30343237

    30303030 30305a17 0d313230 38323931 32303030 305a306a 310b3009 06035504

    06130243 41311430 12060355 0408130b 4e6f7661 2053636f 74696131 12301006

    03550407 1309576f 6c667669 6c6c6531 1a301806 0355040a 13114163 61646961

    20556e69 76657273 69747931 15301306 03550403 140c2a2e 61636164 6961752e

    63613082 0122300d 06092a86 4886f70d 01010105 00038201 0f003082 010a0282

    010100a1 eadbaaf5 b331dee0 7b89bf3c 1afe06b8 08a6678e a9ef4c57 bc3219ab

    2c5a3bb2 3cbf46bd 5fd1045e e3170d9d 3f415845 3b998602 0272ed7a 7885bac8

    a0e2d596 81c84e20 db011a63 7b17af85 4c208690 03a7327f 41b2afa2 2e03827e

    ee74740b 0aa889a2 8914d54d c723591d edf8c8a7 45831e81 5b79e9e3 7426503a

    db97b940 75f9569a a4da8f0a 1f93d3c4 e6ea4508 167996a3 018cdbc2 ad2d2fd5

    7ee818aa b7daa435 49ef6709 a7fc3266 c42f5920 6391d3d1 3eec4296 5ece3c13

    6243a5e4 b28bdced 561671c3 7f21d8b7 6fa6af07 3b75c62f 2e2beebf be68aed9

    2ae536b0 c7801084 c275ea7a d15e421f 638ff30a 511e025d ff1a3287 b08f0ad6

    40837902 03010001 a3820352 3082034e 301f0603 551d2304 18301680 1450ea73

    89db29fb 108f9ee5 0120d4de 79994883 f7301d06 03551d0e 04160414 ded7425e

    31072740 4606c546 9e7a3453 19577f79 30230603 551d1104 1c301a82 0c2a2e61

    63616469 61752e63 61820a61 63616469 61752e63 61308201 c4060355 1d200482

    01bb3082 01b73082 01b30609 60864801 86fd6c01 01308201 a4303a06 082b0601

    05050702 01162e68 7474703a 2f2f7777 772e6469 67696365 72742e63 6f6d2f73

    736c2d63 70732d72 65706f73 69746f72 792e6874 6d308201 6406082b 06010505

    07020230 8201561e 82015200 41006e00 79002000 75007300 65002000 6f006600

    20007400 68006900 73002000 43006500 72007400 69006600 69006300 61007400

    65002000 63006f00 6e007300 74006900 74007500 74006500 73002000 61006300

    63006500 70007400 61006e00 63006500 20006f00 66002000 74006800 65002000

    44006900 67006900 43006500 72007400 20004300 50002f00 43005000 53002000

    61006e00 64002000 74006800 65002000 52006500 6c007900 69006e00 67002000

    50006100 72007400 79002000 41006700 72006500 65006d00 65006e00 74002000

    77006800 69006300 68002000 6c006900 6d006900 74002000 6c006900 61006200

    69006c00 69007400 79002000 61006e00 64002000 61007200 65002000 69006e00

    63006f00 72007000 6f007200 61007400 65006400 20006800 65007200 65006900

    6e002000 62007900 20007200 65006600 65007200 65006e00 63006500 2e307b06

    082b0601 05050701 01046f30 6d302406 082b0601 05050730 01861868 7474703a

    2f2f6f63 73702e64 69676963 6572742e 636f6d30 4506082b 06010505 07300286

    39687474 703a2f2f 63616365 7274732e 64696769 63657274 2e636f6d 2f446967

    69436572 74486967 68417373 7572616e 63654341 2d332e63 7274300c 0603551d

    130101ff 04023000 30650603 551d1f04 5e305c30 2ca02aa0 28862668 7474703a

    2f2f6372 6c332e64 69676963 6572742e 636f6d2f 6361332d 32303131 642e6372

    6c302ca0 2aa02886 26687474 703a2f2f 63726c34 2e646967 69636572 742e636f

    6d2f6361 332d3230 3131642e 63726c30 1d060355 1d250416 30140608 2b060105

    05070301 06082b06 01050507 0302300e 0603551d 0f0101ff 04040302 05a0300d

    06092a86 4886f70d 01010505 00038201 01004ab2 a4135e6f c73d5970 6756260f

    e693b61a fc1be77d e23a5c4c 7bfe43fb 9b704285 f48eb6b8 5cfa2a2b aa9b3c08

    5c4ec3d1 6862b94f 3b201f49 813bd974 8b4fd03f 3480037d 0dfed35b 6a28bd42

    35630eda 6a52ba3d 1e869e87 10d93081 5fdb2355 e3b747e9 0b914d0e 10948823

    54805613 8168ba0b 9273b4f7 e55a0df4 749589e0 4d3cb1b4 0f03b512 aa8d163c

    d50346a1 6839a785 9be81b83 e5f9ef90 1fc60704 8fc5bc43 a2f28197 e5574834

    e7395d11 89357230 f8cf15d2 a82fd68e eb3b98e0 1c494b79 6d4cf6fb e406c7b0

    b23bf3e2 ae5eedfb 10bcdb84 2fca761f 3c04aeaf 253ec7af 496c00f7 c3a04c8f

    ca5c9c70 7ea0c5ca 018ec106 4a3b37ab 5bb7

  quit

certificate ca 0851f959814145cabde024e212c9c20e


  quit

no crypto isakmp nat-traversal

crypto ikev1 enable outside

crypto ikev1 enable inside

crypto ikev1 ipsec-over-tcp port 12777

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 28800

telnet 131.162.137.86 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 outside

ssh acadia 255.255.0.0 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 131.162.200.8 source inside prefer

ssl trust-point ASDM_TrustPoint5 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3054-k9.pkg 1

anyconnect image disk0:/anyconnect-macosx-i386-2.5.3054-k9.pkg 2

anyconnect image disk0:/anyconnect-linux-2.5.3054-k9.pkg 4

anyconnect image disk0:/anyconnect-win-2.5.2019-k9.pkg 5

anyconnect image disk0:/anyconnect-macosx-i386-2.5.2019-k9.pkg 6

anyconnect image disk0:/anyconnect-linux-2.5.2019-k9.pkg 7

anyconnect image disk0:/anyconnect-win-2.4.0202-k9.pkg 8

anyconnect image disk0:/anyconnect-macosx-i386-2.4.0202-k9.pkg 9

anyconnect enable

internal-password enable

smart-tunnel list AllExternalApplications All-Applications * platform windows

cache

  cache-static-content enable

error-recovery disable

group-policy pbx-policy internal

group-policy pbx-policy attributes

dns-server value 131.162.200.67 131.162.200.66

vpn-tunnel-protocol ikev1 l2tp-ipsec

address-pools value PBX-Pool

group-policy DfltGrpPolicy attributes

webvpn

  customization value Acadia

  smart-tunnel enable AllExternalApplications

group-policy acadia-standard internal

group-policy acadia-standard attributes

dns-server value 131.162.200.67 131.162.200.66

vpn-tunnel-protocol ikev1 l2tp-ipsec

address-pools value Acadia-Pool

webvpn

  customization value Acadia

group-policy acadia-library internal

group-policy acadia-library attributes

dns-server value 131.162.200.67 131.162.200.66

vpn-tunnel-protocol ikev1 l2tp-ipsec

address-pools value Acadia-Pool

webvpn

  customization value Acadia

group-policy AcadiaSSLPolicy internal

group-policy AcadiaSSLPolicy attributes

dns-server value 131.162.200.67 131.162.200.66

vpn-tunnel-protocol ssl-client ssl-clientless

address-pools value Acadia-Pool

webvpn

  url-list value NewList

  customization value Ryan

  hidden-shares none

  activex-relay disable

  file-entry enable

  file-browsing enable

  url-entry enable

group-policy split internal

group-policy split attributes

dns-server value 131.162.200.67 131.162.200.66

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client

split-tunnel-policy tunnelspecified

split-tunnel-network-list value splittunnel

address-pools value Acadia-Pool

username pbxvpn password * encrypted privilege 15

username pbxvpn attributes

service-type admin

username ASAADMIN password * encrypted privilege 15

username retired password * nt-encrypted

username retired attributes

service-type remote-access

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group Acadia-AD LOCAL

authorization-server-group LOCAL

default-group-policy AcadiaSSLPolicy

tunnel-group DefaultWEBVPNGroup webvpn-attributes

customization Ryan

tunnel-group acadia-standard type remote-access

tunnel-group acadia-standard general-attributes

address-pool Acadia-Pool

authentication-server-group Acadia-AD LOCAL

default-group-policy acadia-standard

tunnel-group acadia-standard ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group acadia-library type remote-access

tunnel-group acadia-library general-attributes

address-pool Acadia-Pool

authentication-server-group Acadia-AD LOCAL

default-group-policy acadia-library

tunnel-group acadia-library ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group AcadiaSSL type remote-access

tunnel-group AcadiaSSL general-attributes

address-pool Acadia-Pool

authentication-server-group Acadia-AD LOCAL

default-group-policy AcadiaSSLPolicy

tunnel-group AcadiaSSL webvpn-attributes

customization Acadia

group-alias SSL enable

group-url https://131.162.6.3/SSL enable

tunnel-group pbx-policy type remote-access

tunnel-group pbx-policy general-attributes

address-pool PBX-Pool

authorization-server-group LOCAL

tunnel-group pbx-policy ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group ACSBE type remote-access

tunnel-group ACSBE general-attributes

address-pool Acadia-Pool

authentication-server-group Acadia-AD

default-group-policy split

tunnel-group ACSBE ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 142.166.74.148 type ipsec-l2l

tunnel-group 142.166.74.148 general-attributes

default-group-policy pbx-policy

tunnel-group 142.166.74.148 ipsec-attributes

ikev1 pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

  inspect icmp error

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email [email protected]

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:6d08fbcfbb824dab26658d852c513740


END ASA CONFIG


The DIR-130 has 192.168.5.0/24 local subnet behind it, and we would like anyone who is behind the DIR-130 to have access to anything on our 131.162.0.0/16 subnet (where the ASA lives) through the secure tunnel. I would like the tunnel to be as secure as is suitable for financial data, but I am not really sure what the requirements are beyond that. Having any kind of IPSec tunnel up between the two boxes would be sufficient, I should think.


I apologize if our ASA config is snarled.  It is a matter of "too many cooks" over the years, and there is likely a lot of dead wood in that config.  The box is in daily use, so I fear digging in it too much to root out the cruft because, as I said, I don't REALLY know what I'm doing in there.


Thank you for your reply.

Jennifer Halim Wed, 07/18/2012 - 08:44
User Badges:
  • Cisco Employee,

What has been configured on the router end? Can you please share the config?


Can you also share the output of the following:

show cry isa sa

show cry ipsec sa peer


On the ASA, you would need to configure NAT exemption and pre-shared-key as follows:

object network local-VPN

  subnet 131.162.0.0 255.255.0.0

object network remote-VPN

  subnet 192.168.5.0 255.255.255.0

nat (inside,outside) source static local-VPN local-VPN destination static remote-VPN remote-VPN

tunnel-group DefaultL2LGroup ipsec-attributes

   pre-shared-key

sean.a.murphy Wed, 07/18/2012 - 08:57

The router end (you mean the DIR130, I presume) is very simplistic. I have attached an image of its VPN config.


I have to ask, is it possible that adding those lines of config you provided will interrupt the Remote Access clients or the site to site that is already in place?


Result of the command: "show cry isa sa"


IKEv1 SAs:

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1   IKE Peer: 142.166.74.148

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 142.177.65.249

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

There are no IKEv2 SAs


When you say do you mean the IP that the DIR130 currently has?  There will be nothing for that, as I do not currently have any working configuration in place.



Result of the command: "show cry ipsec sa peer 24.215.86.154"

There are no ipsec sas for peer 24.215.86.154


Jennifer Halim Wed, 07/18/2012 - 09:08
User Badges:
  • Cisco Employee,

No, it will not interrupt the existing configuration as it will only affect the vpn tunnel to Dlink.


On your DLink configuration, under Remote IP, shouldn't you configure the IP Address (131.162.6.3)?


Please also change the following:

FROM:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

TO:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group2

sean.a.murphy Wed, 07/18/2012 - 09:13

Good point. That fqdn resolves to 131.162.6.3, but I have made the change on the 130. I also implemented your suggested changes on the ASA. Nothing has come up as of yet.

Jennifer Halim Wed, 07/18/2012 - 09:17
User Badges:
  • Cisco Employee,

Did you try to access the ASA LAN subnet from your DLINK LAN subnet? Try to ping from a host behind DLINK towards a host on ASA LAN and see if that brings up the tunnel?


Please also share the output of the following after trying to initiate the tunnel:

show cry isa sa

show cry ipsec sa peer

sean.a.murphy Wed, 07/18/2012 - 09:19

Pinging hosts from behind the dlink box gives timeouts.


ciscoasa# show cry isa sa

IKEv1 SAs:

   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1   IKE Peer: 142.166.74.148

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 142.177.65.249

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

There are no IKEv2 SAs

ciscoasa# show cry ipsec sa peer 24.215.86.154

There are no ipsec sas for peer 24.215.86.154



Jennifer Halim Wed, 07/18/2012 - 09:23
User Badges:
  • Cisco Employee,

Does it work if you choose "Main Mode" instead of Aggressive mode on DLINK?


Also, pls run debugs on ASA to further troubleshoot the issue:

debug cry ikev1

debug cry ipsec

sean.a.murphy Wed, 07/18/2012 - 09:29

When I switched to main mode, it definitely made more forward motion. Now the tunnel looks like it's up. Traffic still doesn't seem to be flowing as I expect, as I cannot talk to anything on campus from behind the DLINK. Here's what I got now:


ciscoasa# show cry isa sa

IKEv1 SAs:

   Active SA: 3

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 3

1   IKE Peer: 142.166.74.148

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 142.177.65.249

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

3   IKE Peer: 24.215.86.154

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

ciscoasa# show cry ipsec sa peer 24.215.86.154

peer address: 24.215.86.154

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 131.162.6.3

      local ident (addr/mask/prot/port): (131.162.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)

      current_peer: 24.215.86.154

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 131.162.6.3/0, remote crypto endpt.: 24.215.86.154/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: BB048730

      current inbound spi : CC78ABFE

    inbound esp sas:

      spi: 0xCC78ABFE (3430460414)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 191459328, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3556

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00FFFFFF

    outbound esp sas:

      spi: 0xBB048730 (3137636144)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 191459328, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3554

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Jennifer Halim Wed, 07/18/2012 - 09:36
User Badges:
  • Cisco Employee,

Excellent... traffic is getting as far as the ASA (decrypts counters increasing), however there is no return traffic.


From the host behind DLINK, can you ping 131.162.160.2?


The host that you are trying to ping earlier behind the ASA, does it have route back towards the ASA inside interface?

sean.a.murphy Wed, 07/18/2012 - 09:44

I cannot ping 131.162.160.2 from behind the DLINK. Times out.


Yes. From the host I was attempting to ping (my desktop, 131.162.137.86) I am able to ping the ASA inside interface, so I assume all routing is proper.

Jennifer Halim Wed, 07/18/2012 - 09:47
User Badges:
  • Cisco Employee,

Well, not necessarily... the ASA inside interface has a different IP than the host behind DLINK, so routing might be different.

If you run traceroute from your desktop to a host behind DLINK, does it work? Or ping from your desktop towards a host behind DLINK.


Also ensure that your desktop firewall is disabled or you have a rule to allow the ICMP as typically inbound ping from different subnet is blocked by desktop firewall if you have one enabled.

Jennifer Halim Wed, 07/18/2012 - 09:48
User Badges:
  • Cisco Employee,

What is the ip address behind dlink that you are pinging from?

sean.a.murphy Wed, 07/18/2012 - 09:55

The host behind the dlink has IP 192.168.5.100. 


Pardon my ignorance, but I am only used to dealing with VPN remote access clients, not site to site..  I know that remote-access clients (those using the Cisco VPN client) get assigned an ip from our pool of 131.162.64.0/24 (the VPN subnet), but I have no idea how site to site works in terms of routing and IPs assigned.


We use a Cisco 6509 as our internet facing router on campus, will I need to add configuration to that router to allow traffic to flow through this site to site?  I know that when Bell Aliant set up the other site to site we have on the ASA, they did not need to touch the 6509 to complete their configuration, so I assumed we wouldn't for this project, either.


Thank you for your patience in helping me with this. 

Correct Answer
Jennifer Halim Wed, 07/18/2012 - 10:00
User Badges:
  • Cisco Employee,

You would need to configure static route on the 6509 for 192.168.5.0/24 towards the ASA inside interface:


ip route 192.168.5.0 255.255.255.0 131.162.160.2


Assuming that 131.162.160.1 is your 6509

sean.a.murphy Wed, 07/18/2012 - 10:03

Well, dog my cats. There it goes. Spectacular!


I can now access stuff on campus from behind the DLINK.  I have created a small web page on an on-campus server that spits out the IP you are coming from and it returns:


Your IP is: 192.168.5.100


Awesome.  Now, since they will ask, is there any way to absolutely ensure that this traffic is encrypted?

Correct Answer
Jennifer Halim Wed, 07/18/2012 - 10:05
User Badges:
  • Cisco Employee,

Excellent...


Yes, just check the output of "show cry ipsec sa peer ", and if you see the encrypts and decrypts counters increasing, you are all good.

sean.a.murphy Wed, 07/18/2012 - 10:10

This has been one heck of a learning experience after a whole week of me bashing my head against the wall.. Thank you so much.

sean.a.murphy Wed, 07/18/2012 - 10:19

One final question: 


If I wanted to set up a second DLINK elsewhere, can I just do:


object network remote-VPN<-incrementing-number>

  subnet 192.168..0 255.255.255.0

nat (inside,outside) source static local-VPN local-VPN destination static remote-VPN<-number> remote-VPN<-number>


and add another line on the 6509:


ip route 192.168..0 255.255.255.0 131.162.160.2


Then duplicate the config from this DLINK box to another one, changing only the private network number to match the new lines of config?

sean.a.murphy Thu, 07/19/2012 - 04:42

You thought you were done with me, I bet!


One really final question.. The connection between the DLINK and our ASA seems to not stay up permanently. The point of sale equipment on the DLINK side will lose connection, and I have to restart it, or try a few transactions that fail, and then the link will eventually come back up.


Is there a way on the ASA side to force it to stay up, or some such thing?  The Dead Peer Detection and Keepalives on the dlink side don't appear enough, or else I have to enable it on the ASA side as well.

Jennifer Halim Thu, 07/19/2012 - 06:39
User Badges:
  • Cisco Employee,


Since keepalive between different third-party products is not supported, pls turn off keepalive on both ends.

On your DLINK, choose None for Keepalive/DPD.


Also, your lifetime is set to 3600 seconds, so if you want to lengthen it on both ends, it can stay longer, or alternatively you can run a continuous ping to keep the VPN tunnel up all the time. There needs to be traffic through the tunnel after the lifetime expired to keep the tunnel up and reset the timer, otherwise, after 3600 seconds, if there is no traffic, it will tear down the vpn tunnel until you initiate the tunnel again.

sean.a.murphy Thu, 07/19/2012 - 06:51

I've disabled keepalives on both ends..  I've increased the lifetime on the dlink to 7200 (the max it allows).  Can you give me some tips on how to change it on the ASA? 


Can I have something on-campus set up to ping the off campus Point of Sale devices behind their dlink ends to keep the tunnels up? 

Jennifer Halim Thu, 07/19/2012 - 07:17
User Badges:
  • Cisco Employee,

On the ASA, pls configure the following:


no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 7200


Yes, you can set up a ping from your campus towards the POS devices; however, the VPN tunnel needs to be initiated from the DLINK end. Once the tunnel is established, ping from campus towards POS will keep the tunnel up.

sean.a.murphy Thu, 07/19/2012 - 07:21

Are you sure?  The DLINK has settings for both IKE Lifetime (28800) and IPSec Lifetime (7200).  When I ran those commands the tunnel went down and hasn't come back up.

sean.a.murphy Thu, 07/19/2012 - 07:23

Disregard, it just came back up.. but please confirm that those settings change the correct lifetime.

sean.a.murphy Thu, 07/19/2012 - 07:26

Thanks. Didn't mean to doubt you!


It's up and waiting again. I'll let it sit to ensure it stays up this time. Would the ping I set up have to be continuous, or would a ping every 30 minutes be sufficient to keep the connection alive?

Jennifer Halim Thu, 07/19/2012 - 07:29
User Badges:
  • Cisco Employee,

I would do every 5 minutes instead of 30 minutes because rekey typically happens before the lifetime expires, and if you do 30 minutes, it would be too long and it might expire before you have a chance to keep the tunnel alive.
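The two checks Jennifer makes from "show cry ipsec sa peer" in this thread (decrypts climbing while encrypts stay at zero means the ASA gets the traffic but there is no return route; both counters climbing means the traffic really is being encrypted), plus her point that the keepalive ping interval has to sit well inside the SA lifetime, as a small Python checker. This is an added example, not code from the thread or from Cisco: the sample output below is constructed from the output posted above, and the verdict labels, the two-snapshot comparison and the keepalive-interval check are the example's own, not an ASA feature.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the "show cry ipsec sa peer 24.215.86.154" output
# in the thread: 23 packets decrypted from the D-Link side, none encrypted back.
SAMPLE_ONE_WAY = """\
peer address: 24.215.86.154
      local ident (addr/mask/prot/port): (131.162.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
    inbound esp sas:
         transform: esp-3des esp-md5-hmac no compression
         sa timing: remaining key lifetime (sec): 3556
    outbound esp sas:
         transform: esp-3des esp-md5-hmac no compression
         sa timing: remaining key lifetime (sec): 3554
"""
# Constructed second snapshot of the same peer: both directions now count up.
SAMPLE_OK = (
    SAMPLE_ONE_WAY
    .replace("#pkts encaps: 0, #pkts encrypt: 0", "#pkts encaps: 9, #pkts encrypt: 9")
    .replace("#pkts decaps: 23, #pkts decrypt: 23", "#pkts decaps: 31, #pkts decrypt: 31")
)

@dataclass
class SaSnapshot:
    peer: str
    encrypt: int                   # "#pkts encrypt": ASA -> remote
    decrypt: int                   # "#pkts decrypt": remote -> ASA
    remaining_sec: Optional[int]   # shortest remaining key lifetime over the ESP SAs
    transform: str

def parse_ipsec_sa(text: str) -> Optional[SaSnapshot]:
    """Parse 'show crypto ipsec sa peer <ip>' output; None when the ASA reports
    no IPsec SA for the peer (phase 2 never completed or was torn down)."""
    if "There are no ipsec sas for peer" in text:
        return None

    def field(pattern: str) -> str:
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("unexpected output, missing: " + pattern)
        return m.group(1)

    lifetimes = [int(s) for s in re.findall(r"remaining key lifetime \(sec\): (\d+)", text)]
    return SaSnapshot(
        peer=field(r"peer address: (\S+)"),
        encrypt=int(field(r"#pkts encrypt: (\d+)")),
        decrypt=int(field(r"#pkts decrypt: (\d+)")),
        remaining_sec=min(lifetimes) if lifetimes else None,
        transform=field(r"transform: (.+)").strip(),
    )

def diagnose(before: Optional[SaSnapshot], after: Optional[SaSnapshot],
             keepalive_interval_sec: int = 300) -> str:
    """Classify the tunnel from two snapshots taken around a test ping.
    The labels and the keepalive check are this example's own, not an ASA feature."""
    if after is None:
        return "NO_SA: no IPsec SA for the peer; the tunnel has not been negotiated"
    d_enc = after.encrypt - (before.encrypt if before else 0)
    d_dec = after.decrypt - (before.decrypt if before else 0)
    if d_dec > 0 and d_enc == 0:
        verdict = "ONE_WAY_IN: ASA decrypts remote traffic but sends nothing back; check the route for the remote subnet towards the ASA inside interface"
    elif d_enc > 0 and d_dec == 0:
        verdict = "ONE_WAY_OUT: ASA encrypts but receives nothing; check the remote end"
    elif d_enc > 0 and d_dec > 0:
        verdict = f"OK: traffic is encrypted in both directions ({after.transform})"
    else:
        verdict = "IDLE: no traffic either way since the previous snapshot"
    if after.remaining_sec is not None and after.remaining_sec < keepalive_interval_sec:
        verdict += f"; only {after.remaining_sec}s of SA lifetime left, less than the {keepalive_interval_sec}s keepalive interval, so the tunnel may lapse"
    return verdict
```

Take the first snapshot, send the test ping from behind the D-Link, take the second, and feed both to diagnose(); the 6509 route fix in this thread is exactly the move from ONE_WAY_IN to OK.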
