Cisco Support Community

ASA 5505 Site to Site VPN issue

I have been trying to configure a site-to-site VPN for a few days now, but I am not able to get it to connect. The only difference between the two is that one has a dynamic IP. This VPN isn't a priority, so there isn't a need to have the dynamic IP moved to a static one at this time. Here are my configs on both ASAs; any help would be greatly appreciated. I replaced the IPs with x.x.x.x.

ASA 1:

Result of the command: "SHOW RUN"

: Saved

:

ASA Version 9.0(1)

!

hostname ciscoasa

enable password Yn8Esq3NcXIHL35v encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool VPNDHCP 10.50.50.1-10.50.50.100 mask 255.0.0.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 1,3

switchport mode trunk

!

interface Ethernet0/2

!

interface Ethernet0/3

switchport trunk allowed vlan 1,3,13

!

interface Ethernet0/4

switchport access vlan 3

!

interface Ethernet0/5

switchport access vlan 3

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 13

switchport trunk allowed vlan 1,3

switchport mode trunk

!

interface Vlan1

nameif Internal

security-level 100

ip address 10.0.0.1 255.0.0.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Vlan3

no forward interface Vlan1

nameif Guest

security-level 50

ip address 192.168.1.1 255.255.255.0

!

interface Vlan23

nameif EP

security-level 100

ip address 192.168.20.254 255.255.255.0

!

boot system disk0:/asa901-k8.bin

boot system disk0:/asa844-1-k8.bin

boot system disk0:/asa843-k8.bin

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network GLE-A-Network

subnet 10.0.0.0 255.0.0.0

object network GLE-B-Network

subnet 192.168.2.0 255.255.255.0

object network Web-Server

host 10.0.61.230

object network obj-Guest

subnet 192.168.1.0 255.255.255.0

description Guest Wireless

object network Spiceworks

host 10.0.1.2

object network NETWORK_OBJ_10.50.50.0_25

subnet 10.50.50.0 255.255.255.128

object network Remote-Desktop-Services

host 10.0.1.2

object network Web-Server-SSL

host 10.0.23.1

object service RDP

service tcp source eq 3389 destination eq 3389

object network RemoteDesktop

host 10.0.61.240

object network obj-PerryCameras-1

host 10.0.36.1

object network obj-PerryCameras-2

host 10.0.36.1

object network obj-PerryCameras-3

host 10.0.36.1

object network DHCP-Server

host 10.0.1.1

object network GLE-B-Firewall

host X.X.X.X

object network EP-Network

subnet 192.168.26.0 255.255.255.0

object network EP-Firewall

host X.X.X.X

object network obj-BLDGa

subnet 192.168.33.0 255.255.255.0

object network FTP

host 10.0.61.230

object-group service SpiceworksPorts tcp

description https

port-object eq https

object-group service RemoteDesktopServices

service-object tcp-udp destination eq 3389

object-group service RDS tcp

description Remote Desktop Services

port-object eq 3389

port-object eq https

object-group service Phone1 tcp

port-object eq 5522

object-group service Phone udp

port-object range 10001 20000

port-object eq 5522

object-group service Phones tcp-udp

port-object range 10001 20000

port-object eq 5222

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service PerryCameras tcp-udp

port-object eq 180

port-object eq 181

port-object eq 9000

object-group service Camera1 tcp-udp

port-object eq 9000

object-group service Camera2 tcp-udp

port-object eq 881

object-group service Camera3 tcp-udp

port-object eq 1801

access-list outside_cryptomap extended permit ip object GLE-A-Network object GLE-B-Network

access-list outside_access_in extended permit tcp any4 object Web-Server eq www

access-list outside_access_in extended permit tcp any object Web-Server-SSL eq https

access-list outside_access_in extended permit tcp any object RemoteDesktop eq 3389

access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-1 object-group Camera1

access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-2 object-group Camera2

access-list outside_access_in extended permit object-group TCPUDP any object obj-PerryCameras-3 object-group Camera3

access-list outside_access_in extended permit tcp any4 object FTP eq ftp

access-list guest_in extended permit udp any4 host 208.67.222.222 eq domain

access-list guest_in extended permit udp any4 host 208.67.220.220 eq domain

access-list guest_in extended deny udp any4 any4 eq domain

access-list guest_in extended permit ip any4 any4

access-list EP_access_in extended permit object-group TCPUDP any4 any4 eq domain

access-list EP_access_in extended permit ip any4 any4

access-list outside_cryptomap_1 extended permit ip object GLE-A-Network object EP-Network

pager lines 24

logging enable

logging asdm informational

mtu Internal 1500

mtu outside 1500

mtu Guest 1500

mtu EP 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-702.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (Internal,outside) source static any any destination static NETWORK_OBJ_10.50.50.0_25 NETWORK_OBJ_10.50.50.0_25 no-proxy-arp route-lookup

nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static GLE-B-Network GLE-B-Network no-proxy-arp route-lookup

nat (Internal,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup

nat (EP,outside) source static GLE-A-Network GLE-A-Network destination static EP-Network EP-Network no-proxy-arp route-lookup

!

object network obj_any

nat (Internal,outside) dynamic interface

object network Web-Server

nat (Internal,outside) static interface service tcp www www

object network obj-Guest

nat (Guest,outside) dynamic interface

object network Spiceworks

nat (Internal,outside) static interface service tcp 8080 8080

object network Web-Server-SSL

nat (Internal,outside) static interface service tcp https https

object network RemoteDesktop

nat (Internal,outside) static interface service tcp 3389 3389

object network obj-PerryCameras-1

nat (Internal,outside) static interface service tcp 9000 9000

object network obj-PerryCameras-2

nat (any,outside) static interface service tcp 881 881

object network obj-PerryCameras-3

nat (Internal,outside) static interface service tcp 1801 1801

object network FTP

nat (Internal,outside) static interface service tcp ftp ftp

access-group outside_access_in in interface outside

access-group guest_in in interface Guest

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 1:00:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server PolicyServer protocol radius

aaa-server PolicyServer (Internal) host 10.0.1.1

timeout 5

key *****

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 Internal

http authentication-certificate Internal

snmp-server host Internal 10.200.200.11 community *****

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer X.X.X.X

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer X.X.X.X

crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

crl configure

crypto ca trustpoint ASDM_TrustPoint1

crl configure

crypto ca trustpoint ASDM_TrustPoint2

crl configure

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable Internal

crypto ikev2 enable outside

crypto ikev1 enable Internal

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.229 Guest

dhcpd dns 208.67.222.222 208.67.220.220 interface Guest

!

dhcprelay server 10.0.1.1 Internal

dhcprelay enable Guest

dhcprelay setroute Guest

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-filter updater-client enable

dynamic-filter use-database

dynamic-filter enable

dynamic-filter enable interface Internal

dynamic-filter enable interface outside

dynamic-filter enable interface Guest

dynamic-filter drop blacklist

ntp server 10.0.1.1 source Internal prefer

webvpn

anyconnect-essentials

group-policy GroupPolicy_X.X.X.X internal

group-policy GroupPolicy_X.X.X.X attributes

vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

group-policy GroupPolicy_X.X.X.X internal

group-policy GroupPolicy_X.X.X.X attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy VPNUSER internal

group-policy VPNUSER attributes

dns-server value 10.0.1.1 192.168.2.230

vpn-tunnel-protocol ikev1

username admin password kSXIy6qd1ZTBFL9/ encrypted

username danpoynter password XEQ0M75K1B1E6VtM encrypted privilege 0

username danpoynter attributes

vpn-group-policy VPNUSER

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X general-attributes

default-group-policy GroupPolicy_X.X.X.X

tunnel-group X.X.X.X ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X general-attributes

default-group-policy GroupPolicy_X.X.X.X

tunnel-group X.X.X.X ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:b29f5ff3b9db58467b0eb509bc068c2f

: end

ASA 2:

Result of the command: "SHOW RUN"

: Saved

:

ASA Version 9.0(1)

!

hostname ciscoasa

enable password TYEBBb7SkpIC3BiW encrypted

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

passwd 2KFQnbNIdI.2KYOU encrypted

names

ip local pool remotevpnusers 192.168.12.25-192.168.12.55 mask 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 4

!

interface Ethernet0/2

switchport access vlan 3

switchport trunk allowed vlan 3-4

!

interface Ethernet0/3

switchport access vlan 20

!

interface Ethernet0/4

switchport access vlan 21

!

interface Ethernet0/5

switchport access vlan 22

!

interface Ethernet0/6

switchport access vlan 4

switchport trunk allowed vlan 3-4,20-22

switchport mode trunk

!

interface Ethernet0/7

!

interface Vlan1

nameif Management

security-level 100

ip address 192.168.31.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address x.x.x.x 255.255.255.240

!

interface Vlan3

description EP Guest Network

no forward interface Vlan4

nameif Guest

security-level 50

ip address 192.168.27.1 255.255.255.0

!

interface Vlan4

nameif Internal

security-level 100

ip address 192.168.26.254 255.255.255.0

!

interface Vlan20

description BLDG-A Subnet

nameif BLDG-A

security-level 100

ip address 192.168.20.254 255.255.255.0

!

interface Vlan21

nameif BLDG-B

security-level 100

ip address 192.168.21.254 255.255.255.0

!

interface Vlan22

nameif BLDG-C

security-level 100

ip address 192.168.22.254 255.255.255.0

!

boot system disk0:/asa901-k8.bin

ftp mode passive

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.12.0_26

subnet 192.168.12.0 255.255.255.192

object network NETWORK_OBJ_192.168.26.0_24

subnet 192.168.26.0 255.255.255.0

object network obj-KeoweeCameras

host 192.168.26.10

description Keowee Street Cameras

object network Inside

subnet 192.168.26.0 255.255.255.0

description Inside Network Route

object network Guest

subnet 192.168.27.0 255.255.255.0

description Guest Network Route

object network Internal

subnet 192.168.26.0 255.255.255.0

object network obj-HunterCameras

host 192.168.21.20

description Hunter Cameras

object network obj-Spiceworks

host 192.168.26.8

object network Electro-Polish-Network

subnet 192.168.26.0 255.255.255.0

object network GLE-Firewall

host x.x.x.x

object network GLE-Network

subnet 10.0.0.0 255.0.0.0

object network BLDG-A

subnet 192.168.20.0 255.255.255.0

object network BLDG-B

subnet 192.168.21.0 255.255.255.0

object network BLDG-C

subnet 192.168.22.0 255.255.255.0

object network DCG-Server01

host 192.168.26.9

object network NETWORK_OBJ_192.168.21.0_24

subnet 192.168.21.0 255.255.255.0

object network VPN-POOL

subnet 192.168.12.0 255.255.255.0

object network EP-VPN-Network

subnet 192.168.26.0 255.255.255.0

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group service CameraSystem tcp-udp

port-object eq 18004

port-object eq 26635

port-object eq 76

access-list electroremote_splitTunnelAcl standard permit 192.168.26.0 255.255.255.0

access-list electroremote_splitTunnelAcl standard permit 192.168.20.0 255.255.255.0

access-list electroremote_splitTunnelAcl standard permit 192.168.21.0 255.255.255.0

access-list electroremote_splitTunnelAcl standard permit 192.168.22.0 255.255.255.0

access-list outside_access_in extended permit object-group TCPUDP any4 object obj-KeoweeCameras object-group CameraSystem

access-list outside_access_in extended permit object-group TCPUDP any4 object obj-HunterCameras object-group CameraSystem

access-list outside_access_in extended permit tcp any4 object obj-Spiceworks eq https

access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq https

access-list outside_access_in extended permit tcp any4 object DCG-Server01 eq www

access-list Guest_access_in extended permit udp any4 host 208.67.222.222 eq domain

access-list Guest_access_in extended permit udp any4 host 208.67.220.220 eq domain

access-list Guest_access_in extended deny udp any4 any4 eq domain

access-list Guest_access_in extended permit ip any4 any4

access-list inside_access_in extended permit udp any4 host 208.67.222.222 eq domain

access-list inside_access_in extended permit udp any4 host 208.67.220.220 eq domain

access-list inside_access_in extended deny udp any4 any4 eq domain

access-list inside_access_in extended permit ip any4 any4

access-list Internal_access_in extended permit udp any4 host 208.67.222.222 eq domain

access-list Internal_access_in extended permit udp any4 host 208.67.220.220 eq domain

access-list Internal_access_in extended deny udp any4 any4 eq domain

access-list Internal_access_in extended permit ip any any4

access-list ip-qos extended permit ip 192.168.27.0 255.255.255.0 any

access-list ip-qos extended permit ip any 192.168.27.0 255.255.255.0

access-list electroremote_splittunnelacl standard permit 192.168.20.0 255.255.255.0

access-list electroremote_splittunnelacl standard permit 192.168.21.0 255.255.255.0

access-list electroremote_splittunnelacl standard permit 192.168.22.0 255.255.255.0

access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network

pager lines 24

logging enable

logging asdm informational

mtu Management 1500

mtu outside 1500

mtu Guest 1500

mtu Internal 1500

mtu BLDG-A 1500

mtu BLDG-B 1500

mtu BLDG-C 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-702.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (BLDG-A,outside) source static BLDG-A BLDG-A destination static VPN-POOL VPN-POOL

nat (BLDG-B,outside) source static BLDG-B BLDG-B destination static VPN-POOL VPN-POOL

nat (BLDG-C,outside) source static BLDG-C BLDG-C destination static VPN-POOL VPN-POOL

nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup

nat (Internal,outside) source static Electro-Polish-Network Electro-Polish-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup

nat (Internal,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup

nat (outside,outside) source static any any destination static NETWORK_OBJ_192.168.12.0_26 NETWORK_OBJ_192.168.12.0_26 no-proxy-arp route-lookup

nat (Internal,outside) source static EP-VPN-Network EP-VPN-Network destination static GLE-Network GLE-Network no-proxy-arp route-lookup

nat (Internal,outside) source static NETWORK_OBJ_192.168.26.0_24 NETWORK_OBJ_192.168.26.0_24 destination static GLE-Network GLE-Network no-proxy-arp route-lookup

!

object network obj_any

nat (Internal,outside) dynamic interface

object network obj-KeoweeCameras

nat (Internal,outside) static x.x.x.x

object network Inside

nat (Internal,outside) dynamic interface

object network Guest

nat (Guest,outside) dynamic x.x.x.x

object network Internal

nat (Internal,outside) dynamic interface

object network obj-HunterCameras

nat (BLDG-B,outside) static x.x.x.x

object network obj-Spiceworks

nat (Internal,outside) static x.x.x.x service tcp https https

object network BLDG-A

nat (BLDG-A,outside) dynamic interface

object network BLDG-B

nat (BLDG-B,outside) dynamic interface

object network BLDG-C

nat (BLDG-C,outside) dynamic interface

object network DCG-Server01

nat (any,any) static x.x.x.x

access-group inside_access_in in interface Management

access-group outside_access_in in interface outside

access-group Guest_access_in in interface Guest

access-group Internal_access_in in interface Internal

route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server IAS protocol radius

aaa-server IAS (Internal) host 192.168.26.1

timeout 5

key *****

user-identity default-domain LOCAL

aaa authentication telnet console LOCAL

http server enable

http 192.168.31.0 255.255.255.0 Management

http 192.168.26.0 255.255.255.0 Internal

http x.x.x.x 255.255.255.255 outside

http authentication-certificate Management

snmp-server host Internal 192.168.26.8 community ***** version 2c

snmp-server location Building A

snmp-server contact Dan Poynter

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer x.x.x.x

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto map BLDG-B_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map BLDG-B_map interface BLDG-B

crypto map BLDG-A_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map BLDG-A_map interface BLDG-A

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev2 enable Internal

crypto ikev1 enable outside

crypto ikev1 enable Internal

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.26.0 255.255.255.0 Internal

telnet timeout 5

ssh timeout 5

console timeout 0

management-access Internal

dhcpd auto_config outside

!

dhcpd address 192.168.27.50-192.168.27.100 Guest

dhcpd dns 208.67.222.222 208.67.220.220 interface Guest

!

dhcprelay server 192.168.26.1 Internal

dhcprelay server 192.168.26.2 Internal

dhcprelay enable Guest

dhcprelay enable BLDG-A

dhcprelay enable BLDG-B

dhcprelay enable BLDG-C

dhcprelay setroute Guest

dhcprelay setroute BLDG-A

dhcprelay setroute BLDG-B

dhcprelay setroute BLDG-C

dhcprelay timeout 60

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_x.x.x.x internal

group-policy GroupPolicy_x.x.x.x attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy electroremote internal

group-policy electroremote attributes

dns-server value 192.168.26.1

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value electroremote_splitTunnelAcl

default-domain value electropolish.local

username epadmin password Iu2OqCfOGoYIZ5iC encrypted privilege 15

username epadmin attributes

service-type nas-prompt

tunnel-group electroremote type remote-access

tunnel-group electroremote general-attributes

address-pool remotevpnusers

authentication-server-group IAS

default-group-policy electroremote

tunnel-group electroremote ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x general-attributes

default-group-policy GroupPolicy_x.x.x.x

tunnel-group x.x.x.x ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map icmp-class

match default-inspection-traffic

class-map inspection_default

match default-inspection-traffic

class-map qos

description qos policy

match access-list ip-qos

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map icmp_policy

class icmp-class

inspect icmp

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

policy-map qos

class qos

police output 1048500 1048576

police input 256000 256000

!

service-policy global_policy global

service-policy icmp_policy interface outside

service-policy qos interface Guest

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:3f2034bf1ad61529c601c097d6f60bad

: end

203 Views, 0 Helpful, 0 Replies
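The two configs above show the GLE-side ASA taking its outside address by DHCP (`ip address dhcp setroute`) while the EP-side ASA points a static crypto-map entry at a fixed peer (`crypto map outside_map 1 set peer x.x.x.x` together with `tunnel-group x.x.x.x type ipsec-l2l`). A static entry is selected by peer address, so it can only match while the DHCP lease happens to hold that address. The fragment below is an added example, not part of the post; it shows the usual ASA arrangement for a peer with a changing address: the static side matches the tunnel on the crypto ACL through a dynamic crypto map and authenticates the unknown peer through DefaultL2LGroup. The map name EP-DYN, the sequence number 10 and the placeholder <shared-secret> are assumptions; the ACL, transform-set and proposal names are the ones already present in the EP config.

```cisco
! EP side only (the ASA whose outside interface has the fixed address).
! EP-DYN, sequence 10 and <shared-secret> are assumed names/values.

! 1. Drop the static entry: its 'set peer' names an address the DHCP side cannot keep.
clear configure crypto map outside_map 1

! 2. A dynamic crypto-map entry is selected by the crypto ACL, not by peer address.
!    The existing ACL already mirrors the GLE side (192.168.26.0/24 <-> 10.0.0.0/8).
crypto dynamic-map EP-DYN 10 match address outside_cryptomap
crypto dynamic-map EP-DYN 10 set pfs group5
crypto dynamic-map EP-DYN 10 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map EP-DYN 10 set ikev2 ipsec-proposal AES256
crypto map outside_map 10 ipsec-isakmp dynamic EP-DYN

! 3. A peer whose address matches no tunnel-group falls back to DefaultL2LGroup,
!    so the pre-shared key for the DHCP peer lives here (same key as on the GLE side).
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
 ikev2 remote-authentication pre-shared-key <shared-secret>
 ikev2 local-authentication pre-shared-key <shared-secret>

! 4. One IKEv1 policy is enough; the DES/3DES, 'crack' and 'rsa-sig' entries only
!    widen what a peer may negotiate and can go (no crypto ikev1 policy <n>).
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
```

Two consequences follow. A dynamic-map entry cannot initiate, so the tunnel comes up only when interesting traffic leaves the DHCP side, whose existing `crypto map outside_map 2 set peer` and `tunnel-group` entries for the EP address stay as they are. The PFS group must also agree on both ends, so the GLE side's `crypto map outside_map 2 set pfs` needs `group5` as well (or a stronger group on both ends where the running version accepts one). The NAT exemptions for 10.0.0.0/8 and 192.168.26.0/24 are already present on both ASAs and need no change.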
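Checking two long configs by hand is where a peer-address or crypto-ACL mismatch gets missed, so here is a small audit script, added as an example and not code from the post. It reads the VPN-relevant lines of both running-configs and reports, for one side: crypto ACL entries with no mirror entry on the peer, a static `set peer` aimed at a peer whose outside interface is DHCP, and IKE policies or transform-sets that still offer DES, 3DES, MD5 or DH groups 1 and 2. The embedded config excerpts are constructed from the posted configs and cut down to the relevant lines, with the masked public addresses replaced by the documentation addresses 203.0.113.10 (GLE) and 198.51.100.20 (EP); those addresses are assumptions, and only the `permit ip` ACL form is parsed.

```python
"""Audit two ASA running-configs for the site-to-site pitfalls visible in the post (added example)."""
from ipaddress import ip_network

WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
POLICY_KEYS = ("authentication", "encryption", "hash", "integrity", "prf", "group")

def _endpoint(tok, objects):
    """Consume one ACL endpoint ('object NAME', 'host A', 'any'/'any4' or 'A MASK'); return (net, rest)."""
    if tok[0] == "object":
        return objects[tok[1]], tok[2:]
    if tok[0] in ("any", "any4"):
        return ip_network("0.0.0.0/0"), tok[1:]
    return ip_network(tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"), tok[2:]

def parse(cfg):
    """Collect objects, crypto ACLs, crypto-map entries, transform-sets and IKE policies."""
    d = {"objects": {}, "acls": {}, "maps": {}, "tsets": {}, "policies": {}, "outside_dhcp": False}
    obj, pol, outside = None, None, False
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "nameif":
            outside = tok[1] == "outside"
        elif outside and tok[:3] == ["ip", "address", "dhcp"]:
            d["outside_dhcp"] = True            # this side has no address a peer can 'set peer' to
        elif tok[:2] == ["object", "network"]:
            obj, pol = tok[2], None
        elif obj and tok[0] in ("subnet", "host"):
            d["objects"][obj] = ip_network(tok[1] if tok[0] == "host" else f"{tok[1]}/{tok[2]}")
        elif tok[0] == "crypto" and tok[2:3] == ["policy"]:    # crypto ikev1|ikev2 policy N
            pol, obj = f"{tok[1]} policy {tok[3]}", None
            d["policies"][pol] = {}
        elif pol and tok[0] in POLICY_KEYS:
            d["policies"][pol][tok[0]] = tok[1:]
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            src, rest = _endpoint(tok[5:], d["objects"])
            d["acls"].setdefault(tok[1], []).append((src, _endpoint(rest, d["objects"])[0]))
        elif tok[:4] == ["crypto", "ipsec", "ikev1", "transform-set"] and tok[5] != "mode":
            d["tsets"][tok[4]] = tok[5:]
        elif tok[:2] == ["crypto", "map"] and len(tok) > 6 and tok[3].isdigit():
            e = d["maps"].setdefault((tok[2], tok[3]), {})
            if tok[4:6] == ["match", "address"]:
                e["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                e["peer"] = tok[6]
            elif tok[4:7] == ["set", "ikev1", "transform-set"]:
                e["tsets"] = tok[7:]
    return d

def audit(local, remote):
    """Findings for LOCAL as (code, detail); REMOTE is the peer's config, used for the cross-checks."""
    a, b = parse(local), parse(remote)
    mirror = {(dst, src) for acl in b["acls"].values() for src, dst in acl}   # peer ACL, reversed
    out = []
    for (name, seq), e in a["maps"].items():
        for src, dst in a["acls"].get(e.get("acl"), []):
            if (src, dst) not in mirror:
                out.append(("ACL_MISMATCH", f"{name} {seq}: {src}->{dst} has no mirror entry on the peer"))
        if "peer" in e and b["outside_dhcp"]:
            out.append(("DYNAMIC_PEER", f"{name} {seq}: 'set peer {e['peer']}' names a DHCP peer; use a dynamic crypto map and DefaultL2LGroup"))
        for ts in e.get("tsets", []):
            if WEAK_ALGS & set(a["tsets"].get(ts, [])):
                out.append(("WEAK_IPSEC", f"{name} {seq}: transform-set {ts} offers {' '.join(a['tsets'][ts])}"))
    for pol, attrs in a["policies"].items():
        algs = {v for k, vs in attrs.items() if k != "group" for v in vs}
        if algs & WEAK_ALGS or set(attrs.get("group", [])) & {"1", "2"}:   # 768/1024-bit MODP groups
            out.append(("WEAK_IKE", f"{pol}: " + " ".join(f"{k}={'/'.join(v)}" for k, v in attrs.items())))
    return out

# Constructed excerpts of the two posted configs, trimmed to the VPN lines; the masked public
# addresses are replaced by 203.0.113.10 (GLE) and 198.51.100.20 (EP), which are assumptions.
GLE_CFG = """\
 nameif outside
 ip address dhcp setroute
object network EP-Network
 subnet 192.168.26.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object EP-Network
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 198.51.100.20
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA ESP-DES-MD5
crypto ikev1 policy 30
 encryption aes-256
 group 2
"""
EP_CFG = """\
 nameif outside
 ip address 198.51.100.20 255.255.255.240
object network GLE-Network
 subnet 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip 192.168.26.0 255.255.255.0 object GLE-Network
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto ikev1 policy 30
 encryption aes-256
 group 2
"""
```

Run `audit(EP_CFG, GLE_CFG)` for the static side and `audit(GLE_CFG, EP_CFG)` for the DHCP side; on the excerpts the EP side reports the static `set peer` aimed at the DHCP peer plus the group-2 IKE policy, and the GLE side reports the DES/MD5 transform-set it still offers plus the same policy. Feeding it the full running-configs works the same way, except that an ACL referencing an undefined object raises a KeyError, which is itself worth knowing about.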