New Member

Site-to-Site VPN between ASA 5500

Hi everyone, this is my first time on this forum and I really need help with a Site-to-Site VPN between two ASA 5500s.

My setup is as follows: at one end I have a router, the firewall and the LAN. At the other end I have the firewall directly and then the LAN.

Note that I have nothing configured on the router.

I am attaching the configuration of both devices:

Connected to the router: this device has several configurations, so only the ones that belong to the VPN are shown:

ASA Version 8.2(1)
!
hostname fw-uniplex
domain-name uniplexsystems.com
enable password 4F6k2JNJqtsRnlmV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 Uniplex_GYE
name 192.168.0.0 Uniplex-UIO
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan11
nameif outside1
security-level 0
ip address 190.108.64.238 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
switchport access vlan 11
!
interface Ethernet0/3
switchport access vlan 21
!
interface Ethernet0/4
switchport access vlan 31
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
speed 100
duplex full
!
!
time-range Horario-Oficina
periodic daily 7:00 to 18:00
!
access-list inside_access_in remark Permisos para conexion VPN Site-to-Site
access-list inside_access_in extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
access-list inside_access_in remark Permisos para puertos generales de la red local Uniplex
access-list inside_access_in extended permit object-group Uniplex_Interno Uniplex-UIO 255.255.255.0 any
access-list inside_access_in extended permit ip Uniplex-UIO 255.255.255.0 any
access-list inside_access_in remark Permisos para ping
access-list inside_access_in extended permit icmp any any
access-list outside1_access_in remark Permisos para respuesta icmp
access-list outside1_access_in extended permit icmp any any
access-list outside1_1_cryptomap extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
access-list inside_nat0_outbound extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
access-list outside1_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 65000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap errors
logging asdm informational
logging host inside GestionRed_Interno
mtu inside 1500
mtu outside1 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside1
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Uniplex-UIO 255.255.255.0
route outside1 0.0.0.0 0.0.0.0 Router_Borde 1
route outside1 Uniplex_GYE 255.255.255.0 Router_Borde 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http Uniplex-UIO 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside1
snmp-server host inside GestionRed_Interno community Uni2o11 version 2c
snmp-server location UNIPLEX QUITO
snmp-server contact SOPORTE NW
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set pfs group1
crypto map outside1_map 1 set peer 190.90.139.42
crypto map outside1_map 1 set transform-set ESP-3DES-SHA
crypto map outside1_map 1 set security-association lifetime seconds 28800
crypto map outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map interface outside1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=fw-uniplex
proxy-ldc-issuer
crl configure
crypto ca server
shutdown
crypto isakmp identity address
crypto isakmp enable outside1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 80
crypto isakmp disconnect-notify
telnet timeout 5
ssh Uniplex-UIO 255.255.255.0 inside
ssh timeout 10
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp web-cache redirect-list wccp group-list wccp_ce
wccp 70 redirect-list wccp-https group-list wccp_ce
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
ntp server 72.18.205.157 source outside1
ntp server 155.101.3.114 source outside1
ntp server 67.202.107.55 source outside1 prefer
webvpn
enable outside1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
tunnel-group 190.90.139.42 type ipsec-l2l
tunnel-group 190.90.139.42 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30c1b789b4c3d2d2ef5fe8099163714c
: end
no asdm history enable

Firewall connected to the cloud:

:
ASA Version 8.2(1)
!
hostname fw-gye-uniplex
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 Red_GYE
name 192.168.0.0 Red_UIO
name 190.108.64.238 firewall-uio
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.150 255.255.255.0
!
interface Vlan11
nameif outside
security-level 0
ip address 190.108.64.236 255.255.255.240
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone ECT -5
dns domain-lookup inside
dns domain-lookup outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
access-list inside_access_in extended permit ip Red_GYE 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
access-list inside_nat0_outbound extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Red_GYE 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.108.64.225 1
route outside Red_UIO 255.255.255.0 190.108.64.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http Red_GYE 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http Red_UIO 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer firewall-uio
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 80
crypto isakmp disconnect-notify
telnet timeout 5
ssh Red_GYE 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd address 192.168.10.10-192.168.10.100 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 72.18.205.157 source outside
ntp server 155.101.3.114 source outside
ntp server 67.202.107.55 source outside prefer
webvpn
enable outside
username
tunnel-group 190.108.64.238 type ipsec-l2l
tunnel-group 190.108.64.238 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fb1a0b90d9f4046f6aa8004e162de792
: end
asdm location Red_UIO 255.255.255.0 inside
asdm location firewall-uio 255.255.255.255 inside
no asdm history enable

I would really appreciate it if someone could help me.

9 REPLIES
Cisco Employee

Re: Site-to-Site VPN between ASA 5500

Hi Daniela,

I see that the outside interfaces of both FWs are on the same network, although in the description of the second ASA you mention that it is connected to the cloud; could you clarify this please?

There is nothing wrong with configuring an L2L between two ASAs that are on the same network segment, but it really is not common at all.

After looking at the configurations, this would be your topology:

           +-------+                     +-------+
           |ASA1   |       L2L           |ASA2   |
    +------+       +---------------------+       +----------+
    |      +-------+                     +-------+          |
    |                                                       |
 +------+                                                +------+
 192.168.0.0/24                                           192.168.10.0/24

On ASA 1 you need the following:

no crypto map outside1_map 1 set peer 190.90.139.42

crypto map outside1_map 1 set peer 190.108.64.236

tunnel-group 190.108.64.236 type ipsec-l2l

tunnel-group 190.108.64.236 ipsec-attributes

  pre-shared-key

I don't understand why you decided to disable the keepalives, but I recommend enabling them again.

I am also sharing this link in case you need it:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

-Gustavo
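As an added example (not code from this thread or from Cisco), a small Python cross-check that catches the mismatch Gustavo spotted: each ASA's crypto map peer must be the other ASA's crypto-interface address, every peer needs a matching `ipsec-l2l` tunnel-group (otherwise IKE has no pre-shared key for it), and the two crypto ACLs must mirror each other. The function names and the trimmed config excerpts are assumptions; the excerpts are modelled on the first post, where ASA1 points at 190.90.139.42 while ASA2 actually sits on 190.108.64.236.

```python
# Constructed ASA 8.2 config excerpts modelled on the thread's first post.
ASA1 = """\
names
name 192.168.10.0 Uniplex_GYE
name 192.168.0.0 Uniplex-UIO
interface Vlan11
 nameif outside1
 ip address 190.108.64.238 255.255.255.240
access-list outside1_1_cryptomap extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set peer 190.90.139.42
crypto map outside1_map interface outside1
tunnel-group 190.90.139.42 type ipsec-l2l
"""

ASA2 = """\
name 192.168.10.0 Red_GYE
name 192.168.0.0 Red_UIO
name 190.108.64.238 firewall-uio
interface Vlan11
 nameif outside
 ip address 190.108.64.236 255.255.255.240
access-list outside_1_cryptomap extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer firewall-uio
crypto map outside_map interface outside
tunnel-group 190.108.64.238 type ipsec-l2l
"""

# The fix from the reply: point the peer and the tunnel-group at ASA2's real address.
ASA1_FIXED = ASA1.replace("190.90.139.42", "190.108.64.236")


def parse_asa(cfg):
    """Pull out the handful of fields an L2L tunnel depends on (assumed helper)."""
    names, ifaces, acls, tgroups = {}, [], {}, set()
    crypto_if = peer = crypto_acl = None
    cur = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "name" and len(w) >= 3:           # name <ip> <alias>
            names[w[2]] = w[1]
        elif w[0] == "interface":                    # start of an interface block
            cur = {"nameif": None, "ip": None}
            ifaces.append(cur)
        elif w[0] == "nameif" and cur is not None:
            cur["nameif"] = w[1]
        elif w[:2] == ["ip", "address"] and cur is not None:
            cur["ip"] = w[2]
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            if w[3] == "interface":                  # crypto map <map> interface <if>
                crypto_if = w[4]
            elif w[4:6] == ["set", "peer"]:          # crypto map <map> <seq> set peer <x>
                peer = w[6]
            elif w[4:6] == ["match", "address"]:     # crypto map <map> <seq> match address <acl>
                crypto_acl = w[6]
        elif w[0] == "tunnel-group" and "ipsec-l2l" in w:
            tgroups.add(w[1])
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            acls.setdefault(w[1], []).append(tuple(w[5:9]))  # src smask dst dmask
    resolve = lambda x: names.get(x, x)              # turn a 'names' alias back into its IP
    outside_ip = next((i["ip"] for i in ifaces if i["nameif"] == crypto_if), None)
    return {
        "outside_ip": outside_ip,
        "peer": resolve(peer) if peer else None,
        "tunnel_groups": {resolve(t) for t in tgroups},
        "crypto_acl": {tuple(resolve(f) for f in e) for e in acls.get(crypto_acl, [])},
    }


def check_l2l_pair(cfg_a, cfg_b):
    """Return a list of mismatches between the two ends; empty means they agree."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    findings = []
    for tag, local, remote in (("ASA1", a, b), ("ASA2", b, a)):
        if local["peer"] != remote["outside_ip"]:
            findings.append(f"{tag}: crypto map peer {local['peer']} is not the other "
                            f"side's crypto interface address {remote['outside_ip']}")
        if local["peer"] not in local["tunnel_groups"]:
            findings.append(f"{tag}: no 'tunnel-group {local['peer']} type ipsec-l2l' "
                            f"for the crypto map peer, so IKE has no pre-shared key for it")
    # The remote side's crypto ACL must be the exact mirror (src<->dst) of ours.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in b["crypto_acl"]}
    if a["crypto_acl"] != mirrored:
        findings.append("crypto ACLs are not mirror images of each other")
    return findings


if __name__ == "__main__":
    for name, cfg in (("as posted", ASA1), ("after the fix", ASA1_FIXED)):
        print(name, "->", check_l2l_pair(cfg, ASA2) or "no mismatches")
```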

New Member

Re: Site-to-Site VPN between ASA 5500

Thanks Gustavo for your reply. It's true that both outside interfaces are on the same network, because right now I am simulating two different networks before putting it into production. That is why both outside IPs are on the same network segment.

What it would really be is a VPN between the outside 190.108.64.238 and 190.90.139.42.

What I was saying about the router is that my local network is connected to the firewall and then to a router. The remote network, on the other hand, is connected to the firewall and goes directly to the cloud. I wanted to clarify this point, since I thought the router had something to do with the VPN tunnel not coming up.

The actual configuration of the two devices that are under test before moving to production is as follows. I already enabled the keepalive but I still can't ping.

ASA 1

: Saved
:
ASA Version 8.2(1)
!
hostname fw-uniplex
domain-name uniplexsystems.com
enable password 4F6k2JNJqtsRnlmV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 Uniplex_GYE
name 192.168.0.0 Uniplex-UIO description Red LAN Uniplex UIO
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.254 255.255.255.0
!
interface Vlan11
nameif outside1
security-level 0
ip address 190.108.64.238 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 11
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
switchport access vlan 11
!
interface Ethernet0/3
switchport access vlan 21
!
interface Ethernet0/4
switchport access vlan 31
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
speed 100
duplex full
!
!
time-range Horario-Oficina
periodic daily 7:00 to 18:00
!
object-group network net-local
network-object Uniplex-UIO 255.255.255.0
object-group network net-remote
network-object Uniplex_GYE 255.255.255.0
access-list inside_access_in remark Permisos para conexion VPN Site-to-Site
access-list inside_access_in extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
access-list inside_access_in remark Permisos para puertos generales de la red local Uniplex
access-list inside_access_in extended permit object-group Uniplex_Interno Uniplex-UIO 255.255.255.0 any
access-list inside_access_in extended permit ip Uniplex-UIO 255.255.255.0 any
access-list inside_access_in remark Permisos para ping
access-list inside_access_in extended permit icmp any any
access-list outside1_access_in remark Permisos para respuesta icmp
access-list outside1_access_in extended permit icmp any any
access-list outside1_1_cryptomap extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
access-list inside_nat0_outbound extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
access-list outside1_access_in_1 extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 65000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap errors
logging asdm informational
logging host inside GestionRed_Interno
mtu inside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside1
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Uniplex-UIO 255.255.255.0
access-group inside_access_in in interface inside
access-group outside1_access_in in interface outside1
route outside1 0.0.0.0 0.0.0.0 Router_Borde 1
route outside1 Uniplex_GYE 255.255.255.0 Router_Borde 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
http server enable
http Uniplex-UIO 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside1
snmp-server host inside GestionRed_Interno community Uni2o11 version 2c
snmp-server location UNIPLEX QUITO
snmp-server contact SOPORTE NW
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set pfs group1
crypto map outside1_map 1 set peer 190.108.64.236
crypto map outside1_map 1 set transform-set ESP-3DES-SHA
crypto map outside1_map 1 set security-association lifetime seconds 28800
crypto map outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map interface outside1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=fw-uniplex
crypto isakmp identity address
crypto isakmp enable outside1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 80
crypto isakmp disconnect-notify
telnet timeout 5
ssh Uniplex-UIO 255.255.255.0 inside
ssh timeout 10
console timeout 0

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp web-cache redirect-list wccp group-list wccp_ce
wccp 70 redirect-list wccp-https group-list wccp_ce
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
ntp server FTP_Interno source inside
ntp server 72.18.205.157 source outside1
ntp server 155.101.3.114 source outside1
ntp server 67.202.107.55 source outside1 prefer
webvpn
enable outside1

tunnel-group 190.108.64.236 type ipsec-l2l
tunnel-group 190.108.64.236 ipsec-attributes
pre-shared-key *

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:30c1b789b4c3d2d2ef5fe8099163714c
: end

no asdm history enable

This device has several configurations, but all the VPN rules come before all the others; here I only showed you the ones I have configured for the VPN.

ASA 2

: Saved
:
ASA Version 8.2(1)
!
hostname fw-gye-uniplex
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.10.0 Red_GYE
name 192.168.0.0 Red_UIO
name 190.108.64.238 firewall-uio
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.150 255.255.255.0
!
interface Vlan11
nameif outside
security-level 0
ip address 190.108.64.236 255.255.255.240
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 11
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
ftp mode passive
clock timezone ECT -5
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 190.108.65.3
name-server 190.108.64.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
access-list inside_access_in extended permit ip Red_GYE 255.255.255.0 any
access-list inside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_1_cryptomap extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
access-list inside_nat0_outbound extended permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 Red_GYE 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 190.108.64.225 1
route outside Red_UIO 255.255.255.0 190.108.64.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http Red_GYE 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http Red_UIO 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer firewall-uio
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 80
crypto isakmp disconnect-notify
telnet timeout 5
ssh Red_GYE 255.255.255.0 inside
ssh timeout 10
console timeout 0
dhcpd dns 190.108.65.3 190.108.64.2
dhcpd auto_config outside
!
dhcpd address 192.168.10.10-192.168.10.100 inside
dhcpd dns 190.108.65.3 190.108.64.2 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 72.18.205.157 source outside
ntp server 155.101.3.114 source outside
ntp server 67.202.107.55 source outside prefer
webvpn
enable outside
username dsoria password 8gMpzvKlIuaUSxjg encrypted privilege 15
tunnel-group 190.108.64.238 type ipsec-l2l
tunnel-group 190.108.64.238 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:52b6822d09d3ec828bb0c09c04e1f30a
: end

Additionally, I ran the commands sh crypto isakmp sa and sh crypto ipsec sa and I have the following data:

ASA 1

fw-uniplex# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1  IKE Peer: 190.108.64.236
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

fw-uniplex# sh crypto ipsec sa

interface: outside1

Crypto map tag: outside1_map, seq num: 1, local addr: 190.108.64.238

      access-list outside1_1_cryptomap permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
      local ident (addr/mask/prot/port): (Uniplex-UIO/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (Uniplex_GYE/255.255.255.0/0/0)
      current_peer: 190.108.64.236

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 190.108.64.238, remote crypto endpt.: 190.108.64.236

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: A69A83B7

    inbound esp sas:
      spi: 0x6798DF9F (1738071967)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 193986560, crypto-map: outside1_map
         sa timing: remaining key lifetime (kB/sec): (4373996/28012)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xA69A83B7 (2795144119)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 193986560, crypto-map: outside1_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28011)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA 2

fw-gye-uniplex# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: firewall-uio
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

fw-gye-uniplex# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 190.108.64.236

      access-list outside_1_cryptomap permit ip Red_GYE 255.255.255.0 Red_UIO 255.255.255.0
      local ident (addr/mask/prot/port): (Red_GYE/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (Red_UIO/255.255.255.0/0/0)
      current_peer: firewall-uio

      #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 81, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 190.108.64.236, remote crypto endpt.: firewall-uio

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6798DF9F

    inbound esp sas:
      spi: 0xA69A83B7 (2795144119)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 1470464, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27957)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x6798DF9F (1738071967)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 1470464, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914996/27957)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Re: Site-to-Site VPN between ASA 5500

Hi Daniela,

The configuration you sent us looks correct; the tunnel is up, but ASA1 is not sending traffic back:

fw-uniplex# sh crypto ipsec sa

interface: outside1

Crypto map tag: outside1_map, seq num: 1, local addr: 190.108.64.238

      access-list outside1_1_cryptomap permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0
      local ident (addr/mask/prot/port): (Uniplex-UIO/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (Uniplex_GYE/255.255.255.0/0/0)
      current_peer: 190.108.64.236

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75

encaps: these are the encrypted packets we send through the tunnel

decaps: these are the packets we receive

This confirms that the tunnel is "up" and that we are receiving traffic; now we only need to find out why we are not replying on the ASA1 side. Could you tell me what kind of traffic you are sending through the tunnel? I imagine you have a PC connected to each ASA and send pings from one to the other; if that is right, could you please check the default gateway of the PC behind ASA1? If you are pinging the IP of ASA1's inside interface, remember that you must enable the "management access interface inside" command so that the ASA replies to the ping.

Regards
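The counter reading above (encaps = what this ASA encrypted and sent, decaps = what it received) can be applied mechanically to `show crypto ipsec sa` output. This is an added example, not code from the thread; the two samples are constructed from the counters Daniela posted, and the hint texts are assumptions about what to check first.

```python
"""Classify each IPsec SA in `show crypto ipsec sa` by traffic direction.

Added example, not code from the thread. It applies the reading given in the
reply above (encaps = packets we encrypted and sent, decaps = packets we
received) to say which side of the tunnel is silent. The two samples are
constructed from the counters posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples: the relevant lines of each ASA's output, as posted.
ASA1_OUTPUT = """\
interface: outside1
    Crypto map tag: outside1_map, seq num: 1, local addr: 190.108.64.238

      local ident (addr/mask/prot/port): (Uniplex-UIO/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (Uniplex_GYE/255.255.255.0/0/0)
      current_peer: 190.108.64.236

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75
"""

ASA2_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 190.108.64.236

      local ident (addr/mask/prot/port): (Red_GYE/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (Red_UIO/255.255.255.0/0/0)
      current_peer: firewall-uio

      #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


@dataclass
class SaStats:
    local_ident: str   # traffic selector on this side
    remote_ident: str  # traffic selector on the far side
    peer: str
    encaps: int        # packets this ASA encrypted and sent
    decaps: int        # packets this ASA received and decrypted

    @property
    def verdict(self) -> str:
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.decaps:
            return "receive-only"   # tunnel up, but we never answer
        if self.encaps:
            return "send-only"      # we send, the peer never answers
        return "idle"


def parse_ipsec_sa(text: str) -> list[SaStats]:
    """Return one SaStats per crypto-map entry found in the command output."""
    entries: list[SaStats] = []
    # Each crypto-map entry starts with a "Crypto map tag:" line.
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        local = re.search(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)", chunk)
        remote = re.search(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", chunk)
        peer = re.search(r"current_peer: (\S+)", chunk)
        enc = re.search(r"#pkts encaps: (\d+)", chunk)
        dec = re.search(r"#pkts decaps: (\d+)", chunk)
        if not (local and remote and enc and dec):
            continue  # truncated entry; nothing to classify
        entries.append(SaStats(local.group(1), remote.group(1),
                               peer.group(1) if peer else "?",
                               int(enc.group(1)), int(dec.group(1))))
    return entries


def explain(sa: SaStats) -> str:
    """Plain-language hint for the operator, based only on the counters (assumed checklist)."""
    hints = {
        "receive-only": ("decrypts the peer's packets but never encrypts a reply: "
                         "look on this side (route to the remote subnet, NAT exemption, "
                         "inside ACL, and the hosts' default gateway)"),
        "send-only": "sends traffic but nothing comes back: check the peer ASA first",
        "bidirectional": "traffic flows both ways",
        "idle": "no traffic has matched this SA yet",
    }
    return f"{sa.local_ident} <-> {sa.remote_ident} via {sa.peer}: {hints[sa.verdict]}"


def silent_side(asa1_text: str, asa2_text: str) -> str | None:
    """Name the ASA that is not sending, or None if the pattern is not one-sided."""
    a1 = parse_ipsec_sa(asa1_text)
    a2 = parse_ipsec_sa(asa2_text)
    if not a1 or not a2:
        return None
    if a1[0].verdict == "receive-only" and a2[0].verdict == "send-only":
        return "ASA1"
    if a2[0].verdict == "receive-only" and a1[0].verdict == "send-only":
        return "ASA2"
    return None


if __name__ == "__main__":
    for name, text in (("ASA1", ASA1_OUTPUT), ("ASA2", ASA2_OUTPUT)):
        for sa in parse_ipsec_sa(text):
            print(name, sa.verdict, "-", explain(sa))
    print("silent side:", silent_side(ASA1_OUTPUT, ASA2_OUTPUT))
```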

New Member

Re: Site-to-Site VPN between ASA 5500

Hi Luis, yes, indeed the tests I am doing consist of sending a constant ping to the other network.

I have machines connected on each side and I ping the firewall's inside interface; each machine has its gateway assigned correctly. I already enabled management-access on the inside interfaces of both devices, but I still get no reply.

As for ASA 1, besides the VPN there are several additional configurations, but all the rules related to the VPN are placed before the other rules that regulate traffic.

Maybe there is something else I should enable? Or what other tests can I do?

Re: Site-to-Site VPN between ASA 5500

Hi Daniela,

Before doing any other test, I have a question about the routes we have on ASA1:

route outside1 0.0.0.0 0.0.0.0 Router_Borde 1

route outside1 Uniplex_GYE 255.255.255.0 Router_Borde 1

I don't see Router_Borde defined anywhere in the configuration; could you change the route to use the IP address instead of a name?

If this does not solve your problem, we will try to take some traffic captures.

Regards

New Member

Re: Site-to-Site VPN between ASA 5500

Yes Luis, Router_Borde is indeed defined:

name 190.108.64.225 Router_Borde description Ip del router de borde Uniplex

What happens is that, since I have several configurations on ASA 1, I only pasted the configuration related to the VPN; it is possible that I skipped some other commands, hehe.

Since I have my network connected to ASA 1, I have Internet access and everything, except the VPN. What other tests can I do?

Re: Site-to-Site VPN between ASA 5500

OK, would it be possible for you to share the complete ASA configuration with us? I just want to make sure there is nothing else blocking the traffic.

Let's do the following tests:

1- Ping from the inside interface of ASA1 to the inside interface of ASA2. Make sure both ASAs have the "management-access inside" command and, from ASA1, use the following command:

ping inside 192.168.10.150

2- Take a capture on ASA1 to validate that we receive the traffic from the PC:

access-list capin permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list capin permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0

capture capin interface inside access-list capin

Then send traffic from your computer and, to see whether the capture picks up anything, use the command

show capture capin

Please paste the results here.

Regards and many thanks
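Reading the `show capture capin` listing by hand gets tedious with a constant ping running, so here is a small direction-by-direction summary of it. This is an added example, not code from the thread; the listing is a constructed sample in the usual ASA capture line format (`index: timestamp src > dst: summary`), and the subnets are the two LANs from the capture ACL above.

```python
"""Summarise a `show capture capin` listing by direction and ICMP type.

Added example, not from the thread. It reads the inside-interface capture
requested above (both directions between 192.168.0.0/24 and 192.168.10.0/24)
and reports which leg of the ping exchange is missing. The listing is a
constructed sample; the line format assumed is the standard ASA capture line
"index: timestamp src > dst: summary", optionally with 802.1Q tokens.
"""
import ipaddress
import re
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")    # Uniplex-UIO, behind ASA1
REMOTE_NET = ipaddress.ip_network("192.168.10.0/24")  # Uniplex_GYE, behind ASA2

# Constructed sample: echo requests cross in both directions, no replies at all.
SAMPLE_CAPTURE = """\
4 packets captured

   1: 10:02:11.004512 192.168.0.102 > 192.168.10.150: icmp: echo request
   2: 10:02:11.120877 192.168.10.150 > 192.168.0.102: icmp: echo request
   3: 10:02:12.004633 192.168.0.102 > 192.168.10.150: icmp: echo request
   4: 10:02:12.121001 192.168.10.150 > 192.168.0.102: icmp: echo request
4 packets shown
"""

PACKET_RE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"     # packet index and timestamp
    r"(?:\S+\s+)*?"                              # optional 802.1Q tokens
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"     # source [.port]
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*(.*)$"   # destination [.port] and summary
)


def parse_capture(text):
    """Return (src, dst, summary) tuples for every packet line in the listing."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append((ipaddress.ip_address(m.group(1)),
                            ipaddress.ip_address(m.group(2)),
                            m.group(3).strip()))
    return packets


def summarise(packets):
    """Count packets per (direction, ICMP kind); ignore anything off-subnet."""
    counts = Counter()
    for src, dst, summary in packets:
        if src in LOCAL_NET and dst in REMOTE_NET:
            direction = "local->remote"
        elif src in REMOTE_NET and dst in LOCAL_NET:
            direction = "remote->local"
        else:
            continue
        if "echo request" in summary:
            kind = "request"
        elif "echo reply" in summary:
            kind = "reply"
        else:
            kind = "other"
        counts[(direction, kind)] += 1
    return counts


def diagnose(packets):
    """Findings derived only from what the capture shows (wording is an assumption)."""
    counts = summarise(packets)
    findings = []
    if not counts:
        findings.append("No packets between the two LANs reached the inside "
                        "interface: the PC's traffic is not arriving at ASA1.")
        return findings
    if counts[("local->remote", "request")] and not counts[("remote->local", "reply")]:
        findings.append("Local echo requests enter ASA1 but no replies return from "
                        "the remote LAN: compare with the encaps counter on ASA1.")
    if counts[("remote->local", "request")] and not counts[("local->remote", "reply")]:
        findings.append("Remote echo requests reach the inside interface but no local "
                        "host replies: check the hosts' default gateway.")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_capture(SAMPLE_CAPTURE)):
        print("-", finding)
```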

New Member

Re: Site-to-Site VPN between ASA 5500

Hi Luis, thanks for your reply; this is the configuration of ASA1:

: Saved
:
ASA Version 8.2(1) 
!
hostname fw-uniplex
domain-name uniplexsystems.com
enable password 4F6k2JNJqtsRnlmV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.0.8 Belarc_interno description Ip interna del servidor Belarc
name 192.168.0.2 Correo_Interno description IP Interna del servidor de correo
name 192.168.0.13 FTP_Interno description Ip interna servidor ftp
name 192.168.0.20 HelpDesk_Interno description Ip interna del servidor de helpdesk
name 192.168.0.18 Spamtitan_Interno description Ip Interna del servidor Antispam
name 192.168.0.17 WEB_Interno description Ip interna del servidor Web
name 192.168.0.3 BlackBerry_interno description IP interna del servidor BlackBerry
name 157.100.153.211 Correo_Guayaquil description IP externa servidor de Correo GYE
name 172.16.1.0 vpn-pool-administradores description Pool de IPs para conexiones VPN
name 192.168.10.0 Uniplex_GYE description Red LAN local de Uniplex en Guayaquil
name 192.168.0.109 JairoC_interno description IP interna Jairo Carrillo
name 192.168.0.11 UNIAD01 description Active Directory
name 192.168.0.0 Uniplex-UIO description Red LAN Uniplex UIO
name 190.108.64.229 FTP_Externo description Ip externo del servidor ftp y Web
name 190.108.64.228 Belarc_externo description Ip externa del servidor Belarc
name 190.108.64.230 Meeting_externo description IP externa para servidor de Meeting
name 190.108.64.227 HelpDesk_Externo description Ip externa del servidor Helpdesk
name 190.108.64.226 Correo_Externo description Ip externa del servidor de correo
name 190.108.64.225 Router_Borde description Ip del router de borde Uniplex
name 192.168.0.156 FernandaC_interno
name 192.168.0.152 IsabelG_interno
name 192.168.0.157 LeonorS_interno
name 192.168.0.112 RichardP_interno
name 192.168.0.153 SherleyG_interno
name 192.168.0.155 StevenF_interno
name 192.168.0.143 AlexO_interno
name 192.168.0.108 CesarF_interno
name 192.168.0.147 CristinaC_interno
name 192.168.0.144 EnriqueP_interno
name 192.168.0.145 JorgeM_interno
name 192.168.0.135 KarinaA_interno
name 192.168.0.131 LeonardoM_interno
name 192.168.0.146 MarcoS_interno
name 192.168.0.134 Recepcion_interno
name 192.168.0.142 RocioP_interno
name 192.168.0.107 ChristianP_interno
name 192.168.0.178 BES_Express_pruebas
name 192.168.0.6 NetXplorer_interno
name 192.168.0.253 NetEnforcer_interno
name 192.168.0.171 Afaria_interno description Ip interna Servidor afaria
name 192.168.0.9 Filemaker_Interno
name 192.168.0.111 JoseH_interno description Ip interna de Jose Hernandez
name 192.168.0.186 RMoss_celularSam
name 192.168.0.198 RMoss_samsung
name 192.168.0.151 EduardoR_interno
name 190.108.65.2 DNS2_NewAccess description DNS2 New Access
name 192.168.0.115 JuanCaLL description IP interna JuanCarlos Llasig
name 192.168.0.128 RMoss_res1
name 192.168.0.136 RMoss_res2
name 192.168.0.182 RMoss_res3
name 192.168.0.197 RMoss_res4
name 190.108.64.2 DNS1_NewAccess description DNS1 New Access
name 190.108.65.3 DNS3_NewAccess description DNS3 New Access
name 192.168.0.1 GestionRed_Interno description IP consola administración
name 192.168.0.211 WebTitan_Interno description IP WebTitan
name 192.168.0.106 AlejandroA_interno
name 192.168.0.10 Filemaker2_interno
name 192.168.0.158 MonicaBas_interno
name 192.168.0.154 MonicaCald_interno
name 192.168.0.141 RobbieMoss_interno
name 192.168.0.102 DanielaSo_interno description IP interna Diego Llerena
name 192.168.0.118 JoseHLaptop_interno
name 192.168.0.110 JCLlasag_interno
name 192.168.0.105 LBravo_Wifi_Interno
name 192.168.0.104 LBravo_interno
name 192.168.0.101 DVasquez_interno description IP interna Daniel Vasquez
name 192.168.0.173 LBravo_Cel_Interno description Wifi Celular Leonardo Bravo
name 192.168.0.166 LBravo_Ipad_Interno description Ipad Leonardo Bravo
name 192.168.0.132 DGarzon_interno
name 192.168.0.19 BlackBerry2_interno description Ip interna del servidor meeting
name 192.168.0.99 S_Informatica
name 190.108.64.231 JiraExterno description IP Externa para el serivio Jira
name 192.168.0.103 JiraInterno description IP Servicio Jira
name 190.108.64.235 FreenasExterno
name 192.168.0.15 FreenasInterno
name 192.168.20.0 Red_Prueba
name 192.168.0.194 Ase_Wifi_Interno description Equipo Santiago Paez Wifi
name 192.168.0.193 Ase_interno description Equipo Santiago Paez
name 192.168.0.174 RmossWireless
name 192.168.0.114 PaulVa_interno
name 190.90.139.42 firewall-gye
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
!
interface Vlan11
 nameif outside1
 security-level 0
 ip address 190.108.64.238 255.255.255.240 
!
interface Ethernet0/0
 switchport access vlan 11
!
interface Ethernet0/1
 switchport access vlan 11
!
interface Ethernet0/2
 switchport access vlan 11
!
interface Ethernet0/3
 switchport access vlan 21
!
interface Ethernet0/4
 switchport access vlan 31
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 speed 100
 duplex full
!
!
time-range Horario-Oficina
 periodic daily 7:00 to 18:00
!
banner motd Sistema monitoreado. Si no usuario registrado favor salir inmediatamente
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone UTC -5
dns domain-lookup inside
dns server-group DefaultDNS
 name-server UNIAD01
 domain-name uniplexsystems.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service Domino
 description Puertos abiertos para Correo
 service-object tcp-udp eq www 
 service-object tcp eq 1533 
 service-object tcp eq 2525 
 service-object tcp eq 8082 
 service-object tcp eq https 
 service-object tcp eq lotusnotes 
 service-object tcp eq pop3 
 service-object tcp eq smtp 
 service-object udp eq 1352 
object-group service FTP
 description Puertos para el srvidor FTP/Web
 service-object tcp-udp eq www 
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
 service-object udp eq ntp 
object-group service HelpDesk
 description Puertos abiertos para el servidor de Helpdesk
 service-object tcp-udp eq www 
 service-object tcp eq 8642 
 service-object tcp eq https 
 service-object tcp eq lotusnotes 
object-group service RMoss
 description Puertos abiertos para Sr. Moss
 service-object tcp eq pop3 
 service-object tcp eq smtp 
object-group service Uniplex_Interno
 description Puertos abiertos para la red interna
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
 service-object tcp eq https 
 service-object tcp-udp eq 5900 
 service-object tcp eq 138 
 service-object tcp eq 445 
 service-object tcp-udp eq 10000 
 service-object tcp eq www 
 service-object tcp eq 4043 
 service-object tcp-udp eq 4443 
 service-object tcp-udp eq 1533 
 service-object tcp-udp eq 8080 
 service-object tcp-udp eq 8444 
 service-object udp eq snmp 
 service-object udp eq snmptrap 
 service-object udp eq syslog 
object-group service Uniplex_Networking
 description Puertos abiertos para conexiones remotas
 service-object tcp eq ssh 
 service-object tcp eq telnet 
 service-object tcp-udp eq domain 
 service-object tcp-udp eq 5901 
object-group service VPN
 description Puertos para VPN
 service-object gre 
 service-object esp 
 service-object ah 
 service-object tcp eq pptp 
 service-object udp eq 1701 
 service-object udp eq 4500 
 service-object udp eq isakmp 
 service-object tcp eq 10000 
 service-object tcp-udp eq 1194 
object-group network Ips_RMoss
 description Direcciones Ips del Sr. Moss
 network-object host RMoss_res1
 network-object host RMoss_res2
 network-object host RMoss_res4
 network-object host RMoss_res3
 network-object host RMoss_celularSam
 network-object host RMoss_samsung
 network-object host RmossWireless
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group network IPs_Networking
 description IPs Networking
 network-object host JiraInterno
 network-object host Spamtitan_Interno
 network-object host Meeting_externo
 network-object host BlackBerry_interno
 network-object host DanielaSo_interno
 network-object host BES_Express_pruebas
 network-object host NetXplorer_interno
 network-object host NetEnforcer_interno
 network-object host DVasquez_interno
 network-object host PaulVa_interno
 network-object host LBravo_interno
 network-object host LBravo_Wifi_Interno
 network-object host LBravo_Ipad_Interno
 network-object host LBravo_Cel_Interno
object-group protocol Ipsec
 description Protocolos para VPN
 protocol-object pim
 protocol-object pcp
 protocol-object snp
 protocol-object igmp
 protocol-object ipinip
 protocol-object gre
 protocol-object esp
 protocol-object ah
 protocol-object eigrp
 protocol-object ospf
 protocol-object igrp
 protocol-object nos
object-group service Antispam
 description Puertos abiertos para Antispam
 service-object tcp-udp eq 24441 
 service-object tcp eq 2703 
 service-object tcp eq 2707 
 service-object tcp eq ftp 
 service-object tcp eq ftp-data 
 service-object tcp eq smtp 
object-group network DM_INLINE_NETWORK_2
 network-object host DNS2_NewAccess
 network-object host DNS1_NewAccess
 network-object host DNS3_NewAccess
object-group service DM_INLINE_SERVICE_5
 group-object FTP
 service-object udp eq syslog 
 service-object tcp eq www 
 service-object tcp eq https 
object-group network IPs_Lotus
 network-object host RichardP_interno
 network-object host JoseH_interno
 network-object host JuanCaLL
 network-object host JoseHLaptop_interno
object-group network IPs_Sybase
 network-object host AlejandroA_interno
 network-object host CesarF_interno
 network-object host ChristianP_interno
object-group network DM_INLINE_NETWORK_7
 group-object IPs_Networking
 group-object IPs_Lotus
 group-object IPs_Sybase
 network-object host 192.168.0.202
 network-object host 192.168.0.179
 network-object host LBravo_interno
 network-object host MonicaBas_interno
 network-object host 192.168.0.181
 network-object host RMoss_celularSam
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 group-object Ipsec
object-group network IPs_Ventas
 network-object host EduardoR_interno
 network-object host IsabelG_interno
 network-object host SherleyG_interno
 network-object host MonicaCald_interno
 network-object host StevenF_interno
 network-object host FernandaC_interno
 network-object host LeonorS_interno
 network-object host MonicaBas_interno
object-group network IPs_Administrativo
 network-object host LeonardoM_interno
 network-object host DGarzon_interno
 network-object host Recepcion_interno
 network-object host KarinaA_interno
 network-object host RobbieMoss_interno
 network-object host RocioP_interno
 network-object host AlexO_interno
 network-object host EnriqueP_interno
 network-object host JorgeM_interno
 network-object host MarcoS_interno
 network-object host CristinaC_interno
object-group service DM_INLINE_TCP_1 tcp
 port-object eq domain
 port-object eq smtp
object-group network DM_INLINE_NETWORK_3
 group-object Ips_RMoss
 network-object host RMoss_res2
 network-object host RMoss_res4
 network-object host RMoss_res3
 network-object host S_Informatica
 network-object host RMoss_samsung
 network-object host RmossWireless
 network-object host Ase_interno
 network-object host Ase_Wifi_Interno
 network-object host AlejandroA_interno
 network-object host 192.168.0.120
 network-object host 192.168.0.176
 network-object host 192.168.0.208
 network-object host 192.168.0.207
 network-object host 192.168.0.181
 network-object host RMoss_celularSam
 network-object host 192.168.0.192
 network-object host 192.168.0.210
 network-object host 192.168.0.214
 network-object host DanielaSo_interno
object-group service DM_INLINE_SERVICE_6
 service-object tcp-udp eq domain 
 service-object udp eq ntp 
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_SERVICE_1
 service-object ip 
 service-object tcp eq www 
object-group network DM_INLINE_NETWORK_1
 network-object host BlackBerry2_interno
 network-object host BlackBerry_interno
object-group service DM_INLINE_SERVICE_2
 service-object tcp-udp 
 service-object tcp eq www 
object-group service DM_INLINE_SERVICE_3
 service-object tcp-udp 
 service-object tcp eq www 
object-group network net-local
 network-object Uniplex-UIO 255.255.255.0
object-group network net-remote
 network-object Uniplex_GYE 255.255.255.0
object-group service DM_INLINE_SERVICE_4
 service-object ip 
 group-object VPN
access-list inside_access_in remark Permisos para conexion VPN Site-to-Site
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_4 Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0 
access-list inside_access_in remark Permisos Sr Moss
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_3 any 
access-list inside_access_in remark Permisos para puertos del servidor de correo
access-list inside_access_in extended permit object-group Domino host Correo_Interno any 
access-list inside_access_in remark Permisos para consultar DNS externas del servidor UNIAD01 a servidores DNS NewAccess
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_6 host UNIAD01 object-group DM_INLINE_NETWORK_2 
access-list inside_access_in remark Bloqueo de SMTP/DNS para evitar SPAM y Suplantacion
access-list inside_access_in extended deny tcp any any object-group DM_INLINE_TCP_1 
access-list inside_access_in remark Permisos para puertos utilizados para conexiones remotas
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_7 any 
access-list inside_access_in remark Permisos para consultar DNS externas del servidor UNIAD01 a servidores DNS NewAccess
access-list inside_access_in remark Permisos para puertos del servidor BlackBerry
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any 
access-list inside_access_in remark Permisos para puertos del servidor Helpdesk
access-list inside_access_in extended permit object-group HelpDesk host HelpDesk_Interno any 
access-list inside_access_in remark Permisos para puertos del servidor FTP
access-list inside_access_in extended permit object-group FTP host FTP_Interno any 
access-list inside_access_in remark Permisos para puertos del servidor WEB
access-list inside_access_in extended permit tcp host WEB_Interno any object-group DM_INLINE_TCP_2 
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_3 host JiraInterno any 
access-list inside_access_in extended permit tcp host FreenasInterno any eq ssh 
access-list inside_access_in remark Permisos para puertos generales de la red local Uniplex
access-list inside_access_in extended permit object-group Uniplex_Interno Uniplex-UIO 255.255.255.0 any 
access-list inside_access_in extended permit ip Uniplex-UIO 255.255.255.0 any 
access-list inside_access_in remark Permisos para ping
access-list inside_access_in extended permit icmp any any 
access-list outside1_access_in remark Permisos para respuesta icmp
access-list outside1_access_in extended permit icmp any any 
access-list outside1_access_in extended permit ip any any 
access-list outside1_access_in remark Permisos para acceso desde el internet hacia servidor correo UIO
access-list outside1_access_in extended permit object-group Domino any host Correo_Externo 
access-list outside1_access_in remark Permisos para acceso desde el internet hacia servidor HelpDesk
access-list outside1_access_in extended permit object-group HelpDesk any host HelpDesk_Externo 
access-list outside1_access_in remark Permisos para acceso desde el internet hacia servidor FTP, WEB
access-list outside1_access_in extended permit object-group DM_INLINE_SERVICE_5 any host FTP_Externo 
access-list outside1_access_in extended permit tcp any host Belarc_externo eq www 
access-list outside1_access_in extended permit object-group DM_INLINE_SERVICE_1 any host Correo_Externo 
access-list outside1_access_in extended permit tcp any host FreenasExterno eq ssh 
access-list outside1_access_in extended permit object-group DM_INLINE_SERVICE_2 any host JiraExterno 
access-list outside1_access_in remark Permisos para acceso desde el internet hacia servidor Meeting
access-list outside1_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any host Meeting_externo inactive 
access-list outside1_access_in remark Permisos para acceder desde el internet al Servidor Afaria
access-list outside1_access_in extended permit ip any host JiraExterno inactive 
access-list outside1_1_cryptomap extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Uniplex-UIO 255.255.255.0 Uniplex_GYE 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Uniplex-UIO 255.255.255.0 vpn-pool-administradores 255.255.255.0 
access-list inside_nat0_outbound extended permit ip Uniplex-UIO 255.255.255.0 172.17.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip any 172.17.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host Filemaker2_interno 172.18.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host Filemaker2_interno 10.10.10.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host Filemaker2_interno 172.16.10.0 255.255.255.128 
access-list inside_nat0_outbound extended permit ip any 192.192.10.0 255.255.255.128 
access-list inside_nat0_outbound extended permit ip Uniplex-UIO 255.255.255.0 172.19.1.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host HelpDesk_Interno host 190.108.64.233 
access-list vpn-administradores_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list vpn_cobiscorp_splitTunnelAcl standard permit host Filemaker2_interno 
access-list wccp_ce extended permit ip host WebTitan_Interno any 
access-list wccp extended permit tcp object-group IPs_Administrativo any eq www 
access-list wccp extended permit tcp object-group IPs_Sybase any eq www inactive 
access-list wccp extended permit tcp host DVasquez_interno any eq www inactive 
access-list wccp extended permit tcp object-group IPs_Networking any eq www inactive 
access-list wccp extended permit tcp object-group IPs_Lotus any eq www inactive 
access-list wccp extended permit tcp object-group IPs_Ventas any eq www inactive 
access-list wccp-https extended permit tcp host DVasquez_interno any eq https inactive 
access-list univpn-mobile_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list VPN-Cobiscorp_splitTunnelAcl standard permit host Filemaker2_interno 
access-list DefaultRAGroup_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list tunnel@groupname_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list tunnel@groupname2_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list tunnelgroup_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list vpn-noaggresive_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list vpn-pruebanoagg_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list vpn_admin_splitTunnelAcl standard permit Uniplex-UIO 255.255.255.0 
access-list 100 extended permit ip any any inactive 
access-list 100 extended permit icmp any any inactive 
access-list outside1_access_in_1 extended permit ip any any 
pager lines 24
logging enable
logging timestamp
logging buffer-size 65000
logging console debugging
logging monitor debugging
logging buffered debugging
logging trap errors
logging asdm informational
logging host inside GestionRed_Interno
mtu inside 1500
mtu outside1 1500
ip local pool vpn-mobile 172.17.1.1-172.17.1.254 mask 255.255.255.0
ip local pool vpn-pool-administradores 172.16.1.1-172.16.1.254 mask 255.255.255.0
ip local pool vpn-cobis 172.18.1.1-172.18.1.254 mask 255.255.255.0
ip local pool vpn-flmk 10.10.10.1-10.10.10.254 mask 255.255.255.0
ip local pool vpn-pool-admin 172.19.1.1-172.19.1.254 mask 255.255.255.0
ip verify reverse-path interface inside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside1) 1 interface
global (outside1) 2 Correo_Externo netmask 255.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 Correo_Interno 255.255.255.255
nat (inside) 1 Uniplex-UIO 255.255.255.0
static (inside,outside1) tcp Correo_Externo https Correo_Interno https netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo www Correo_Interno www netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo 2525 Correo_Interno smtp netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo lotusnotes Correo_Interno lotusnotes netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo 1533 Correo_Interno 1533 netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo pop3 Correo_Interno pop3 netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo 8081 RichardP_interno 8081 netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo 8082 Correo_Interno 8082 netmask 255.255.255.255 
static (inside,outside1) tcp Correo_Externo smtp Spamtitan_Interno smtp netmask 255.255.255.255 
static (inside,outside1) tcp HelpDesk_Externo www HelpDesk_Interno www netmask 255.255.255.255 
static (inside,outside1) tcp HelpDesk_Externo https HelpDesk_Interno https netmask 255.255.255.255 
static (inside,outside1) tcp HelpDesk_Externo lotusnotes HelpDesk_Interno lotusnotes netmask 255.255.255.255 
static (inside,outside1) tcp HelpDesk_Externo 8642 HelpDesk_Interno 8642 netmask 255.255.255.255 
static (inside,outside1) tcp Belarc_externo www Belarc_interno www netmask 255.255.255.255 
static (inside,outside1) tcp FTP_Externo ftp FTP_Interno ftp netmask 255.255.255.255 
static (inside,outside1) tcp FTP_Externo ftp-data FTP_Interno ftp-data netmask 255.255.255.255 
static (inside,outside1) udp FTP_Externo ntp FTP_Interno ntp netmask 255.255.255.255 
static (inside,outside1) tcp FTP_Externo 5000 GestionRed_Interno www netmask 255.255.255.255 
static (inside,outside1) udp FTP_Externo snmp GestionRed_Interno snmp netmask 255.255.255.255 
static (inside,outside1) udp FTP_Externo snmptrap GestionRed_Interno snmptrap netmask 255.255.255.255 
static (inside,outside1) udp FTP_Externo syslog GestionRed_Interno syslog netmask 255.255.255.255 
static (inside,outside1) tcp FTP_Externo www WEB_Interno www netmask 255.255.255.255 
static (inside,outside1) tcp FreenasExterno ssh FreenasInterno ssh netmask 255.255.255.255 
static (inside,outside1) tcp JiraExterno www JiraInterno www netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside1_access_in in interface outside1
route outside1 0.0.0.0 0.0.0.0 Router_Borde 1
route outside1 Uniplex_GYE 255.255.255.0 Router_Borde 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL 
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication telnet console LOCAL 
http server enable
http Uniplex-UIO 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside1
snmp-server host inside GestionRed_Interno community Uni2o11 version 2c
snmp-server location UNIPLEX QUITO
snmp-server contact SOPORTE NW
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map 1 match address outside1_1_cryptomap
crypto map outside1_map 1 set pfs group1
crypto map outside1_map 1 set peer 190.108.64.236 
crypto map outside1_map 1 set transform-set ESP-3DES-SHA
crypto map outside1_map 1 set security-association lifetime seconds 28800
crypto map outside1_map 1 set security-association lifetime kilobytes 4608000
crypto map outside1_map 1 set nat-t-disable
crypto map outside1_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside1_map interface outside1
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=fw-uniplex
 proxy-ldc-issuer
 crl configure
crypto ca server 
 shutdown
crypto ca certificate chain ASDM_TrustPoint0
 certificate 0369414d
  quit
crypto isakmp identity address 
crypto isakmp enable outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 80 
crypto isakmp disconnect-notify
telnet timeout 5
ssh Uniplex-UIO 255.255.255.0 inside
ssh timeout 10
console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
wccp web-cache redirect-list wccp group-list wccp_ce
wccp 70 redirect-list wccp-https group-list wccp_ce
wccp interface inside web-cache redirect in
wccp interface inside 70 redirect in
ntp server FTP_Interno source inside
ntp server 72.18.205.157 source outside1
ntp server 155.101.3.114 source outside1
ntp server 67.202.107.55 source outside1 prefer
webvpn
 enable outside1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value uniplexsystems.com
group-policy DfltGrpPolicy attributes
group-policy vpn-admin internal
group-policy vpn-admin attributes
 banner value Sistema monitoreado. Si no es usuario registrado favor salir inmediatamente.
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec svc 
 default-domain value uniplexsystems.com
group-policy vpn-pruebanoagg internal
group-policy vpn-pruebanoagg attributes
 dns-server value 192.168.0.11
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-pruebanoagg_splitTunnelAcl
 default-domain value uniplexsystems.com
group-policy vpn-noaggresive internal
group-policy vpn-noaggresive attributes
 banner value VPN No aggresive - Conexion exitosa
 dns-server value 192.168.0.11
 vpn-tunnel-protocol l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn-noaggresive_splitTunnelAcl
 default-domain value uniplexsystems.com
group-policy vpn-administradores internal
group-policy vpn-administradores attributes
 banner value Sistema monitoreado. Si no es usuario registrado favor salir inmediatamente.
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_admin_splitTunnelAcl
 default-domain value uniplexsystems.com
group-policy VPN-Cobiscorp internal
group-policy VPN-Cobiscorp attributes
 banner value VPN Conectado exitosamente!!!
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-Cobiscorp_splitTunnelAcl
 default-domain value uniplexsystems.com
group-policy vpn_cobiscorp internal
group-policy vpn_cobiscorp attributes
 banner value conectado
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_cobiscorp_splitTunnelAcl
group-policy univpn-mobile internal
group-policy univpn-mobile attributes
 dns-server value 192.168.0.11
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value univpn-mobile_splitTunnelAcl
 default-domain value uniplexsystems.com
username aarteaga password tL2czsAB/fBzHswh encrypted privilege 10
username dvasquez password 2SgjqNHHCkTYu9Dc encrypted privilege 15
username rpallo password hZBNFbhERmDf3doy encrypted privilege 12
username cpinto password nclHaO0RAGFU76QC encrypted
username spamintuan password LfUKu6NBqDzW2lT0 encrypted privilege 10
username wcarrasco password zc/jJB7DB1/t9nDI encrypted privilege 10
username cfonseca password IEmmpRWJ4rMrEz3z encrypted privilege 5
username cfonseca attributes
 service-type remote-access
username pvaca password zi9REHU7/b6l33Q9 encrypted privilege 15
username usercobis password PrI4OIRD4KJV4QDt encrypted
username usercobis attributes
 vpn-group-policy VPN-Cobiscorp
 service-type remote-access
username dsoria password 8gMpzvKlIuaUSxjg encrypted privilege 15
username jmendez password 8HfLQPhVUGb39Yhj encrypted privilege 12
username ngalvez password apPgNT1RWFbwCHZ0 encrypted privilege 10
username jsolis password 28NlK0m0Om2yU9da encrypted privilege 6
username jcarrillo password XXsbcKwglThpf/kf encrypted
username jcarrillo attributes
 service-type remote-access
username sidesys password TqrpBUxWSkWKNSA2 encrypted
username sidesys attributes
 service-type remote-access
username lvaldez password sd9aT0YgGWJ3JJAR encrypted
username lvaldez attributes
 vpn-group-policy VPN-Cobiscorp
 service-type remote-access
username wmoss password cWoE3THlDQh82qlQ encrypted
username wmoss attributes
 vpn-group-policy VPN-Cobiscorp
 service-type remote-access
username amoss password eciQC3htS33a61AC encrypted
username amoss attributes
 service-type remote-access
username Robbie password yHe1FXQg245TJz4B encrypted privilege 7
username Robbie attributes
 service-type remote-access
username boyscouts1 password lMaZJJWKpZhwl.RI encrypted
username boyscouts1 attributes
 vpn-group-policy VPN-Cobiscorp
 service-type remote-access
username boyscouts password lMaZJJWKpZhwl.RI encrypted
username boyscouts attributes
 vpn-group-policy VPN-Cobiscorp
 service-type remote-access
username lbravo password 3FsrFJq13dnuAhw6 encrypted privilege 15
username lsilva password LrJlW1QoigbqPozv encrypted
username lsilva attributes
 service-type remote-access
username rmoss password myPChCADG2552oJn encrypted privilege 3
username rmoss attributes
 service-type remote-access
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-mobile
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 12 retry 2
tunnel-group vpn-administradores type remote-access
tunnel-group vpn-administradores general-attributes
 address-pool vpn-pool-administradores
 default-group-policy vpn-administradores
tunnel-group vpn-administradores ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group 190.108.64.236 type ipsec-l2l
tunnel-group 190.108.64.236 ipsec-attributes
 pre-shared-key *
tunnel-group univpn-mobile type remote-access
tunnel-group univpn-mobile general-attributes
 address-pool vpn-mobile
 default-group-policy univpn-mobile
tunnel-group univpn-mobile ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group VPN-Cobiscorp type remote-access
tunnel-group VPN-Cobiscorp general-attributes
 address-pool vpn-cobis
 default-group-policy VPN-Cobiscorp
tunnel-group VPN-Cobiscorp ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group vpn_cobiscorp type remote-access
tunnel-group vpn_cobiscorp general-attributes
 address-pool vpn-flmk
 default-group-policy vpn_cobiscorp
tunnel-group vpn_cobiscorp ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group vpn-noaggresive type remote-access
tunnel-group vpn-noaggresive general-attributes
 address-pool vpn-mobile
 default-group-policy vpn-noaggresive
tunnel-group vpn-noaggresive ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group vpn-noaggresive ppp-attributes
 authentication ms-chap-v2
tunnel-group vpn-pruebanoagg type remote-access
tunnel-group vpn-pruebanoagg general-attributes
 address-pool vpn-mobile
 default-group-policy vpn-pruebanoagg
tunnel-group vpn-pruebanoagg ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
tunnel-group vpn-pruebanoagg ppp-attributes
 authentication ms-chap-v2
tunnel-group vpn-admin type remote-access
tunnel-group vpn-admin general-attributes
 address-pool vpn-pool-admin
 default-group-policy vpn-admin
tunnel-group vpn-admin webvpn-attributes
 group-alias VPN-Uniplex enable
tunnel-group vpn-admin ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 12 retry 2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:14bcbcb91dfcba0caea7d838030f6710
: end
asdm image disk0:/asdm-621.bin
asdm location AlejandroA_interno 255.255.255.255 inside
asdm location JCLlasag_interno 255.255.255.255 inside
asdm location RichardP_interno 255.255.255.255 inside
asdm location MonicaCald_interno 255.255.255.255 inside
asdm location StevenF_interno 255.255.255.255 inside
asdm location FernandaC_interno 255.255.255.255 inside
asdm location LeonorS_interno 255.255.255.255 inside
asdm location MonicaBas_interno 255.255.255.255 inside
asdm location ChristianP_interno 255.255.255.255 inside
asdm location JiraExterno 255.255.255.255 inside
asdm location Filemaker_Interno 255.255.255.255 inside
asdm location RMoss_celularSam 255.255.255.255 inside
asdm location RMoss_samsung 255.255.255.255 inside
asdm location JuanCaLL 255.255.255.255 inside
asdm location LBravo_interno 255.255.255.255 inside
asdm location LBravo_Wifi_Interno 255.255.255.255 inside
asdm location LBravo_Ipad_Interno 255.255.255.255 inside
asdm location LBravo_Cel_Interno 255.255.255.255 inside
asdm location S_Informatica 255.255.255.255 inside
asdm location Red_Prueba 255.255.255.0 inside
asdm location Ase_interno 255.255.255.255 inside
asdm location Ase_Wifi_Interno 255.255.255.255 inside
asdm location RmossWireless 255.255.255.255 inside
asdm location firewall-gye 255.255.255.255 inside
no asdm history enable


To this configuration I added the VPN ports to the firewall rules on ASA 1 to see whether that would let me connect, but that did not work either.


1. Ping from inside on ASA1:
fw-uniplex# ping ins
fw-uniplex# ping inside 192.168.10.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.150, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)


2. Traffic capture:

fw-uniplex(config)# access-list capin permit ip 192.168.0.0 255.255.255.0 192.$
fw-uniplex(config)#
fw-uniplex(config)# access-list capin permit ip 192.168.10.0 255.255.255.0 192$
fw-uniplex(config)#
fw-uniplex(config)# capture capin interface inside access-list capin


I pinged from my machine, which has the IP 193.168.0.102, to the firewall's inside interface 192.68.10.150 and got these results:

   1: 08:56:48.818896 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
   2: 08:56:48.850587 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
   3: 08:56:49.877533 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 35
   4: 08:56:49.896834 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
   5: 08:56:50.897338 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
   6: 08:56:50.928388 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
   7: 08:56:51.912642 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
   8: 08:56:51.944119 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
   9: 08:56:52.162924 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 59
  10: 08:56:52.163413 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 35
  11: 08:56:52.928373 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  12: 08:56:52.959316 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  13: 08:56:53.959484 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  14: 08:56:53.990442 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  15: 08:56:54.975352 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  16: 08:56:55.006362 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  17: 08:56:56.006621 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  18: 08:56:56.037565 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  19: 08:56:57.021727 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  20: 08:56:57.053403 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  21: 08:56:58.037595 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  22: 08:56:58.068783 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  
  23: 08:56:59.068706 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  24: 08:56:59.099955 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  25: 08:57:00.084849 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  26: 08:57:00.115503 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  27: 08:57:01.138771 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 35
  28: 08:57:01.162787 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  29: 08:57:02.162848 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  30: 08:57:02.193822 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  31: 08:57:03.177923 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  32: 08:57:03.209675 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  33: 08:57:03.358486 802.1Q vlan#1 P0 192.168.10.10.3653 > 192.168.0.1.5580: S 3526037411:3526037411(0) win 65535
  34: 08:57:03.358807 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3653: R 0:0(0) ack 3526037412 win 0
  35: 08:57:04.209339 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  36: 08:57:04.240847 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  37: 08:57:05.224674 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  38: 08:57:05.256166 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  39: 08:57:06.240878 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  40: 08:57:06.271958 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  41: 08:57:06.348889 802.1Q vlan#1 P0 192.168.10.10.3653 > 192.168.0.1.5580: S 4026883085:4026883085(0) win 65535
  42: 08:57:06.349179 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3653: R 0:0(0) ack 4026883086 win 0
  43: 08:57:07.147911 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
  44: 08:57:07.272248 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  45: 08:57:07.302871 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  46: 08:57:08.287231 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  47: 08:57:08.319044 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  48: 08:57:09.302871 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  49: 08:57:09.334424 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  50: 08:57:10.334287 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  51: 08:57:10.365368 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  52: 08:57:11.350079 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  53: 08:57:11.381175 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  54: 08:57:11.925901 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
  55: 08:57:12.364147 802.1Q vlan#1 P0 192.168.10.10.3653 > 192.168.0.1.5580: S 3768494205:3768494205(0) win 65535
  56: 08:57:12.364452 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3653: R 0:0(0) ack 3768494206 win 0
  57: 08:57:12.401849 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 35
  58: 08:57:12.428337 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  59: 08:57:13.428612 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  60: 08:57:13.459128 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  61: 08:57:14.443962 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  62: 08:57:14.475134 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  63: 08:57:15.475225 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  64: 08:57:15.506489 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  65: 08:57:16.490712 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  66: 08:57:16.521716 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  67: 08:57:16.925367 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
  68: 08:57:17.506657 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  69: 08:57:17.537524 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  70: 08:57:18.537569 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  71: 08:57:18.568650 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  72: 08:57:19.552690 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  73: 08:57:19.584640 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  74: 08:57:20.568787 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  75: 08:57:20.599853 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  76: 08:57:21.599730 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  77: 08:57:21.631162 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  78: 08:57:21.924772 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
  79: 08:57:22.615797 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  80: 08:57:22.646679 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  81: 08:57:23.667949 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 35
  82: 08:57:23.693643 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  83: 08:57:24.693567 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  84: 08:57:24.724938 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  85: 08:57:25.708901 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  86: 08:57:25.740684 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  87: 08:57:26.741096 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  88: 08:57:26.771902 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  89: 08:57:26.924650 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
  90: 08:57:27.755789 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  91: 08:57:27.787282 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  92: 08:57:28.771612 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  93: 08:57:28.802692 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  94: 08:57:29.805103 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  95: 08:57:29.834994 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  96: 08:57:30.818408 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  97: 08:57:30.850160 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
  98: 08:57:31.834063 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
  99: 08:57:31.896682 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 32
 100: 08:57:31.924833 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
 101: 08:57:32.865342 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 102: 08:57:32.896544 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 103: 08:57:33.881134 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 104: 08:57:33.913252 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 105: 08:57:34.439293 802.1Q vlan#1 P0 192.168.10.10.3654 > 192.168.0.1.5580: S 3078575731:3078575731(0) win 65535
 106: 08:57:34.439582 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3654: R 0:0(0) ack 3078575732 win 0
 107: 08:57:34.939465 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 35
 108: 08:57:34.959560 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 109: 08:57:35.959697 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 110: 08:57:35.991235 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 111: 08:57:36.925077 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
 112: 08:57:36.974558 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 113: 08:57:37.006271 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 114: 08:57:37.301757 802.1Q vlan#1 P0 192.168.10.10.3654 > 192.168.0.1.5580: S 3256841458:3256841458(0) win 65535
 115: 08:57:37.302047 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3654: R 0:0(0) ack 3256841459 win 0
 116: 08:57:38.006118 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 117: 08:57:38.038022 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 118: 08:57:39.021468 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 119: 08:57:39.053097 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 120: 08:57:40.037199 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 121: 08:57:40.068905 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 122: 08:57:41.068432 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 123: 08:57:41.100611 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 124: 08:57:41.923581 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
 125: 08:57:42.084346 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 126: 08:57:42.115747 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 127: 08:57:43.100000 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 128: 08:57:43.131325 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31
 129: 08:57:43.317000 802.1Q vlan#1 P0 192.168.10.10.3654 > 192.168.0.1.5580: S 2487284836:2487284836(0) win 65535
 130: 08:57:43.317320 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3654: R 0:0(0) ack 2487284837 win 0
 131: 08:57:44.131737 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
 132: 08:57:44.162451 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 31


The IP 192.168.10.10 belongs to the machine that is connected to ASA2.
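Reading a long `show capture` dump like the one above by eye is error-prone, and the question a defender actually wants answered is "which flows are one-way?". The following Python script is an added example for this thread; it is not part of the original post and not a Cisco tool. It parses the single-line packet format the poster pasted (packet number, timestamp, optional 802.1Q tag, `src[.port] > dst[.port]: payload`) and reports ICMP echo requests that never received a reply and TCP SYNs that were answered only by a RST. The embedded sample capture is constructed: a handful of the thread's own lines plus invented lines for a host 192.168.0.11 so that a healthy flow appears for contrast.

```python
"""Summarise a Cisco ASA 'show capture' text dump and flag one-way traffic.

Added example for the thread above, not part of the original post. It assumes
the one-line-per-packet format seen there:
    N: HH:MM:SS.uuuuuu [802.1Q vlan#V Pp] src[.sport] > dst[.dport]: payload
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one capture line, or None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    if rest.startswith("icmp:"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    elif re.match(r"^[SRFP.]+\s", rest):  # tcpdump-style flag field, e.g. "S", "R", "."
        proto = "tcp"
    else:
        proto = "other"
    return {
        "num": int(m.group("num")),
        "ts": m.group("ts"),
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
        "proto": proto,
        "info": rest,
    }


def parse_capture(text):
    """Parse a whole dump, silently skipping prompts, blank lines and garbled rows."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]


def icmp_echo_summary(packets):
    """Count echo requests and the replies that came back, keyed by (requester, target)."""
    summary = defaultdict(lambda: {"requests": 0, "replies": 0})
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if "echo request" in p["info"]:
            summary[(p["src"], p["dst"])]["requests"] += 1
        elif "echo reply" in p["info"]:
            # A reply travels target -> requester, so key it under the original direction.
            summary[(p["dst"], p["src"])]["replies"] += 1
    return dict(summary)


def unanswered_pings(packets):
    """Flows whose echo requests never got a reply: the symptom shown in this thread."""
    return sorted(k for k, v in icmp_echo_summary(packets).items()
                  if v["requests"] and not v["replies"])


def tcp_refused(packets):
    """(client, server, port) triples where a SYN was answered only by a RST."""
    syns, synacks, rsts = set(), set(), set()
    for p in packets:
        if p["proto"] != "tcp":
            continue
        flags, has_ack = p["info"].split()[0], " ack " in p["info"]
        if "S" in flags and not has_ack:
            syns.add((p["src"], p["dst"], p["dport"]))
        elif "S" in flags and has_ack:          # SYN-ACK from the server side
            synacks.add((p["dst"], p["src"], p["sport"]))
        elif "R" in flags:                      # RST from the server side
            rsts.add((p["dst"], p["src"], p["sport"]))
    return sorted((syns & rsts) - synacks)


# Constructed sample: lines 1-5 mirror the thread's capture, lines 6-9 are invented
# so that a healthy ping and a healthy TCP handshake appear for contrast.
SAMPLE_CAPTURE = """\
   1: 08:57:03.358486 802.1Q vlan#1 P0 192.168.10.10.3653 > 192.168.0.1.5580: S 3526037411:3526037411(0) win 65535
   2: 08:57:03.358807 802.1Q vlan#1 P0 192.168.0.1.5580 > 192.168.10.10.3653: R 0:0(0) ack 3526037412 win 0
   3: 08:57:07.147911 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
   4: 08:57:07.272248 802.1Q vlan#1 P0 192.168.10.10.3634 > 192.168.0.102.53964:  udp 34
   5: 08:57:11.925901 802.1Q vlan#1 P0 192.168.0.102 > 192.168.10.150: icmp: echo request
   6: 08:57:12.000000 802.1Q vlan#1 P0 192.168.0.102 > 192.168.0.11: icmp: echo request
   7: 08:57:12.000500 802.1Q vlan#1 P0 192.168.0.11 > 192.168.0.102: icmp: echo reply
   8: 08:57:13.000000 802.1Q vlan#1 P0 192.168.0.102.40000 > 192.168.0.11.22: S 100:100(0) win 65535
   9: 08:57:13.000300 802.1Q vlan#1 P0 192.168.0.11.22 > 192.168.0.102.40000: S 200:200(0) ack 101 win 65535
"""

if __name__ == "__main__":
    pk = parse_capture(SAMPLE_CAPTURE)
    print(f"{len(pk)} packets parsed")
    for flow, counts in icmp_echo_summary(pk).items():
        print("icmp", flow, counts)
    print("unanswered pings:", unanswered_pings(pk))
    print("tcp refused:", tcp_refused(pk))
```

Run against the real dump (paste it into a file and read it into `parse_capture`), the script isolates the two facts the raw listing buries under the UDP chatter on port 53964: every echo request from 192.168.0.102 to 192.168.10.150 leaves the inside interface with no reply ever captured, and every SYN from 192.168.10.10 to 192.168.0.1:5580 is immediately reset. The first is consistent with the ping failure reported above; the second is a separate host refusing a port and is unrelated to the tunnel.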

New Member

Re: Site to Site VPN between ASA 5500

Do you perhaps know of any answer regarding the configuration?
