ASA5510 9.1 Second IPSec does not work

KochetkovArtem
Level 1

CONFIG

: Saved
:
: Serial Number: JMX1249L0LR
: Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
:
ASA Version 9.1(7)12
!
hostname gw234
domain-name softcase.ru
enable password 8Ry2YjIyt7RRXU24 encrypted
asp rule-engine transactional-commit access-group
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd XgAwEH3tkdZki5xs encrypted
multicast-routing
names
!
interface Ethernet0/0
mac-address 0018.8bfa.0ecd
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.0
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa917-12-k8.bin
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.10.4
domain-name softcase.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network internal-subnet
subnet 192.168.10.0 255.255.255.0
object network mikhail_ssh_1122
host 192.168.10.121
object network srv4_troter_trouter
host 192.168.10.4
object network srv4_ssh_1125
host 192.168.10.4
object network srv4_1400_1400
host 192.168.10.4
object network srv4_1401_1401
host 192.168.10.4
object network srv4_1402_1402
host 192.168.10.4
object network srv4_1403_1403
host 192.168.10.4
object network srv4_1404_1404
host 192.168.10.4
object network srv4_1405_1405
host 192.168.10.4
object network srv4_1406_1406
host 192.168.10.4
object network srv4_1407_1407
host 192.168.10.4
object network srv4_1408_1408
host 192.168.10.4
object network srv4_1409_1409
host 192.168.10.4
object network srv4_1410_1410
host 192.168.10.4
object network srv4_1411_1411
host 192.168.10.4
object network srv4_1412_1412
host 192.168.10.4
object network srv4_1413_1413
host 192.168.10.4
object network srv4_1414_1414
host 192.168.10.4
object network srv4_1415_1415
host 192.168.10.4
object network srv4_1416_1416
host 192.168.10.4
object network srv4_1417_1417
host 192.168.10.4
object network srv4_1418_1418
host 192.168.10.4
object network srv4_1419_1419
host 192.168.10.4
object network srv4_1420_1420
host 192.168.10.4
object network srv4_1421_1421
host 192.168.10.4
object network srv4_1422_1422
host 192.168.10.4
object network srv4_1423_1423
host 192.168.10.4
object network srv4_1424_1424
host 192.168.10.4
object network srv4_1425_1425
host 192.168.10.4
object network srv4_1426_1426
host 192.168.10.4
object network srv4_1427_1427
host 192.168.10.4
object network srv4_1428_1428
host 192.168.10.4
object network srv4_1429_1429
host 192.168.10.4
object network srv4_1430_1430
host 192.168.10.4
object network srv4_1431_1431
host 192.168.10.4
object network srv4_1432_1432
host 192.168.10.4
object network srv4_1433_1433
host 192.168.10.4
object network srv4_1434_1434
host 192.168.10.4
object network srv4_1435_1435
host 192.168.10.4
object network srv4_1436_1436
host 192.168.10.4
object network srv4_1437_1437
host 192.168.10.4
object network srv4_1438_1438
host 192.168.10.4
object network srv4_1439_1439
host 192.168.10.4
object network srv4_1440_1440
host 192.168.10.4
object network srv4_1441_1441
host 192.168.10.4
object network srv4_1442_1442
host 192.168.10.4
object network srv4_1443_1443
host 192.168.10.4
object network srv4_1444_1444
host 192.168.10.4
object network srv4_1445_1445
host 192.168.10.4
object network srv4_1446_1446
host 192.168.10.4
object network srv4_1447_1447
host 192.168.10.4
object network srv4_1448_1448
host 192.168.10.4
object network srv4_1449_1449
host 192.168.10.4
object network srv4_1450_1450
host 192.168.10.4
object network vm-softcase-hub01.tcsbank.ru
host 10.219.27.10
object network vm-softcase-hub02.tcsbank.ru
host 10.219.27.11
object network vm-softcase-hub01t.tcsbank.ru
host 10.219.27.12
object network vm-softcase-hub02t.tcsbank.ru
host 10.219.27.13
object network srv4_openvpn_openvpn
host 192.168.10.4
object network srv4_8890_8890
host 192.168.10.4
object network mikhail_1400_1500
host 192.168.10.121
object network mikhail_1401_1501
host 192.168.10.121
object network tms01
host 192.168.104.37
object network int_one
subnet 192.168.10.0 255.255.255.0
object network tms02
host 10.9.8.7
object-group service openvpn_tcp tcp
port-object eq 2009
object-group service 1100-1130 tcp
port-object range 1100 1130
object-group service 1400-1450 tcp
port-object range 1400 1450
object-group service trouter tcp
port-object eq 2010
object-group network group_1400-1450
network-object object srv4_1402_1402
network-object object srv4_1403_1403
network-object object srv4_1404_1404
network-object object srv4_1405_1405
network-object object srv4_1406_1406
network-object object srv4_1407_1407
network-object object srv4_1408_1408
network-object object srv4_1409_1409
network-object object srv4_1410_1410
network-object object srv4_1411_1411
network-object object srv4_1412_1412
network-object object srv4_1413_1413
network-object object srv4_1414_1414
network-object object srv4_1415_1415
network-object object srv4_1416_1416
network-object object srv4_1417_1417
network-object object srv4_1418_1418
network-object object srv4_1419_1419
network-object object srv4_1420_1420
network-object object srv4_1421_1421
network-object object srv4_1422_1422
network-object object srv4_1423_1423
network-object object srv4_1424_1424
network-object object srv4_1425_1425
network-object object srv4_1426_1426
network-object object srv4_1427_1427
network-object object srv4_1428_1428
network-object object srv4_1429_1429
network-object object srv4_1430_1430
network-object object srv4_1431_1431
network-object object srv4_1432_1432
network-object object srv4_1433_1433
network-object object srv4_1434_1434
network-object object srv4_1435_1435
network-object object srv4_1436_1436
network-object object srv4_1437_1437
network-object object srv4_1438_1438
network-object object srv4_1439_1439
network-object object srv4_1440_1440
network-object object srv4_1441_1441
network-object object srv4_1442_1442
network-object object srv4_1443_1443
network-object object srv4_1444_1444
network-object object srv4_1445_1445
network-object object srv4_1446_1446
network-object object srv4_1447_1447
network-object object srv4_1448_1448
network-object object srv4_1449_1449
network-object object srv4_1450_1450
object-group network TCB_side
network-object host 10.217.53.82
network-object host 10.217.53.89
network-object object vm-softcase-hub01.tcsbank.ru
network-object object vm-softcase-hub01t.tcsbank.ru
network-object object vm-softcase-hub02.tcsbank.ru
network-object object vm-softcase-hub02t.tcsbank.ru
object-group service mikhail_services tcp
port-object eq 1500
port-object eq 1501
port-object eq ssh
object-group network RBA_side
network-object object tms01
network-object host 192.168.104.37
object-group network NAT_exclude
group-object RBA_side
group-object TCB_side
access-list outside_acl extended permit tcp any4 object mikhail_ssh_1122 object-group mikhail_services
access-list outside_acl extended permit tcp any4 object mikhail_1400_1500 object-group mikhail_services
access-list outside_acl extended permit tcp any4 object mikhail_1401_1501 object-group mikhail_services
access-list outside_acl extended permit tcp any4 object srv4_troter_trouter eq ssh
access-list outside_acl extended permit tcp any4 object srv4_troter_trouter object-group trouter
access-list outside_acl extended permit tcp any4 object srv4_openvpn_openvpn object-group openvpn_tcp
access-list outside_acl extended permit tcp any4 object-group group_1400-1450 object-group 1400-1450
access-list outside_acl extended permit tcp any4 object srv4_8890_8890 eq 8890
access-list TCB_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group TCB_side
access-list RBA_cryptomap extended permit ip 192.168.10.0 255.255.255.0 object-group RBA_side
pager lines 24
logging enable
logging asdm warnings
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-792.bin
no asdm history enable
arp timeout 60
no arp permit-nonconnected
nat (inside,outside) source static internal-subnet internal-subnet destination static TCB_side TCB_side no-proxy-arp route-lookup
nat (inside,outside) source static internal-subnet internal-subnet destination static RBA_side RBA_side no-proxy-arp route-lookup
!
object network internal-subnet
nat (inside,outside) dynamic interface
object network mikhail_ssh_1122
nat (inside,outside) static interface service tcp ssh 1122
object network srv4_troter_trouter
nat (inside,outside) static interface service tcp 2010 2010
object network srv4_ssh_1125
nat (inside,outside) static interface service tcp ssh 1125
object network srv4_1402_1402
nat (inside,outside) static interface service tcp 1402 1402
object network srv4_1403_1403
nat (inside,outside) static interface service tcp 1403 1403
object network srv4_1404_1404
nat (inside,outside) static interface service tcp 1404 1404
object network srv4_1405_1405
nat (inside,outside) static interface service tcp 1405 1405
object network srv4_1406_1406
nat (inside,outside) static interface service tcp 1406 1406
object network srv4_1407_1407
nat (inside,outside) static interface service tcp 1407 1407
object network srv4_1408_1408
nat (inside,outside) static interface service tcp 1408 1408
object network srv4_1409_1409
nat (inside,outside) static interface service tcp 1409 1409
object network srv4_1410_1410
nat (inside,outside) static interface service tcp 1410 1410
object network srv4_1411_1411
nat (inside,outside) static interface service tcp 1411 1411
object network srv4_1412_1412
nat (inside,outside) static interface service tcp 1412 1412
object network srv4_1413_1413
nat (inside,outside) static interface service tcp 1413 1413
object network srv4_1414_1414
nat (inside,outside) static interface service tcp 1414 1414
object network srv4_1415_1415
nat (inside,outside) static interface service tcp 1415 1415
object network srv4_1416_1416
nat (inside,outside) static interface service tcp 1416 1416
object network srv4_1417_1417
nat (inside,outside) static interface service tcp 1417 1417
object network srv4_1418_1418
nat (inside,outside) static interface service tcp 1418 1418
object network srv4_1419_1419
nat (inside,outside) static interface service tcp 1419 1419
object network srv4_1420_1420
nat (inside,outside) static interface service tcp 1420 1420
object network srv4_1421_1421
nat (inside,outside) static interface service tcp 1421 1421
object network srv4_1422_1422
nat (inside,outside) static interface service tcp 1422 1422
object network srv4_1423_1423
nat (inside,outside) static interface service tcp 1423 1423
object network srv4_1424_1424
nat (inside,outside) static interface service tcp 1424 1424
object network srv4_1425_1425
nat (inside,outside) static interface service tcp 1425 1425
object network srv4_1426_1426
nat (inside,outside) static interface service tcp 1426 1426
object network srv4_1427_1427
nat (inside,outside) static interface service tcp 1427 1427
object network srv4_1428_1428
nat (inside,outside) static interface service tcp 1428 1428
object network srv4_1429_1429
nat (inside,outside) static interface service tcp 1429 1429
object network srv4_1430_1430
nat (inside,outside) static interface service tcp 1430 1430
object network srv4_1431_1431
nat (inside,outside) static interface service tcp 1431 1431
object network srv4_1432_1432
nat (inside,outside) static interface service tcp 1432 1432
object network srv4_1433_1433
nat (inside,outside) static interface service tcp 1433 1433
object network srv4_1434_1434
nat (inside,outside) static interface service tcp 1434 1434
object network srv4_1435_1435
nat (inside,outside) static interface service tcp 1435 1435
object network srv4_1436_1436
nat (inside,outside) static interface service tcp 1436 1436
object network srv4_1437_1437
nat (inside,outside) static interface service tcp 1437 1437
object network srv4_1438_1438
nat (inside,outside) static interface service tcp 1438 1438
object network srv4_1439_1439
nat (inside,outside) static interface service tcp 1439 1439
object network srv4_1440_1440
nat (inside,outside) static interface service tcp 1440 1440
object network srv4_1441_1441
nat (inside,outside) static interface service tcp 1441 1441
object network srv4_1442_1442
nat (inside,outside) static interface service tcp 1442 1442
object network srv4_1443_1443
nat (inside,outside) static interface service tcp 1443 1443
object network srv4_1444_1444
nat (inside,outside) static interface service tcp 1444 1444
object network srv4_1445_1445
nat (inside,outside) static interface service tcp 1445 1445
object network srv4_1446_1446
nat (inside,outside) static interface service tcp 1446 1446
object network srv4_1447_1447
nat (inside,outside) static interface service tcp 1447 1447
object network srv4_1448_1448
nat (inside,outside) static interface service tcp 1448 1448
object network srv4_1449_1449
nat (inside,outside) static interface service tcp 1449 1449
object network srv4_1450_1450
nat (inside,outside) static interface service tcp 1450 1450
object network srv4_openvpn_openvpn
nat (inside,outside) static interface service tcp 2009 2009
object network srv4_8890_8890
nat (inside,outside) static interface service tcp 8890 8890
object network mikhail_1400_1500
nat (inside,outside) static interface service tcp 1500 1400
object network mikhail_1401_1501
nat (inside,outside) static interface service tcp 1501 1401
access-group outside_acl in interface outside
route outside 0.0.0.0 0.0.0.0 195.34.193.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
sysopt connection timewait
sysopt noproxyarp outside
sysopt noproxyarp inside
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto engine large-mod-accel
crypto ipsec security-association pmtu-aging 20
crypto map outside_map 5 match address RBA_cryptomap
crypto map outside_map 5 set pfs group5
crypto map outside_map 5 set peer YYY.YYY.YYY.YYY
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 5 set ikev2 pre-shared-key *****
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 10 match address TCB_cryptomap
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer CCC.CCC.CCC.CCC
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 10 set ikev2 pre-shared-key *****
crypto map outside_map 10 set nat-t-disable
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics host number-of-rate 3
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl server-version tlsv1-only
webvpn
anyconnect-essentials
cache
disable
group-policy GroupPolicy_IKE12 internal
group-policy GroupPolicy_IKE12 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
split-tunnel-all-dns disable
username admin password RumHfIFUTgwx87Gk encrypted privilege 15
tunnel-group CCC.CCC.CCC.CCC type ipsec-l2l
tunnel-group CCC.CCC.CCC.CCC general-attributes
default-group-policy GroupPolicy_IKE12
tunnel-group CCC.CCC.CCC.CCC ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group YYY.YYY.YYY.YYY type ipsec-l2l
tunnel-group YYY.YYY.YYY.YYY general-attributes
default-group-policy GroupPolicy_IKE12
tunnel-group YYY.YYY.YYY.YYY ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect http
inspect icmp
inspect dns
inspect esmtp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
password encryption aes
hpm topN enable
Cryptochecksum:0e391c1b8ce3ef0f6c5f188fd3be0ff3
: end

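The posted config carries two crypto-map entries on outside_map, each with its own match ACL (RBA_cryptomap toward YYY.YYY.YYY.YYY, TCB_cryptomap toward CCC.CCC.CCC.CCC), plus two identity-NAT rules that exempt the same inside-to-peer pairs from the dynamic PAT on the outside interface. The ASA applies NAT before it evaluates the crypto map, so a flow that is not exempt leaves with the outside interface address as its source and never matches the crypto ACL. The following Python is an added example, not part of the post or of Cisco's tooling: it models those rules as transcribed from the config (peer addresses are kept as the post's placeholders) and reports which entry and peer would claim a given flow and whether the source address survives NAT untranslated. Run against the two destinations used in the packet-tracer runs in this thread, both come out as interesting traffic for one entry; 10.9.8.7 (object tms02) is defined but is not a member of RBA_side, so the model reports it as not encrypted.

```python
# Added example, not from the forum post or from Cisco: a model of the
# crypto-map "interesting traffic" ACLs and the NAT-exemption rules transcribed
# from the posted config. For an inside->outside flow it answers which
# crypto-map entry (hence which peer) would claim it, and whether an identity
# NAT rule keeps the source untranslated so the crypto ACL can still match.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network


@dataclass
class CryptoMapEntry:
    seq: int                 # crypto map sequence number
    peer: str                # "set peer" value (masked placeholder in the post)
    sources: List[Net]       # source networks permitted by the match ACL
    destinations: List[Net]  # destination hosts/networks permitted by the match ACL


def net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


# Object groups as posted: RBA_side = tms01 (192.168.104.37); TCB_side = two
# bare hosts plus the four vm-softcase-hub objects.
INTERNAL = [net("192.168.10.0/24")]
RBA_SIDE = [net("192.168.104.37/32")]
TCB_SIDE = [net(h + "/32") for h in ("10.217.53.82", "10.217.53.89",
                                     "10.219.27.10", "10.219.27.11",
                                     "10.219.27.12", "10.219.27.13")]

OUTSIDE_MAP = [
    CryptoMapEntry(5, "YYY.YYY.YYY.YYY", INTERNAL, RBA_SIDE),   # match RBA_cryptomap
    CryptoMapEntry(10, "CCC.CCC.CCC.CCC", INTERNAL, TCB_SIDE),  # match TCB_cryptomap
]
# The two "nat (inside,outside) source static ... destination static ..."
# identity rules, in configuration order.
NAT_EXEMPT = [(INTERNAL, TCB_SIDE), (INTERNAL, RBA_SIDE)]


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def match_crypto_map(src: str, dst: str, crypto_map=OUTSIDE_MAP) -> Optional[CryptoMapEntry]:
    """First crypto-map entry (lowest seq) whose match ACL permits src -> dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if _in_any(s, entry.sources) and _in_any(d, entry.destinations):
            return entry
    return None


def nat_exempt(src: str, dst: str, rules=NAT_EXEMPT) -> bool:
    """True if an identity-NAT rule keeps src untranslated toward dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(_in_any(s, a) and _in_any(d, b) for a, b in rules)


def classify_flow(src: str, dst: str, crypto_map=OUTSIDE_MAP, nat_rules=NAT_EXEMPT) -> dict:
    """Summarise how the ASA would treat the flow.

    NAT runs before crypto-map evaluation: a flow the crypto ACL would match
    but that is not exempt from the dynamic PAT leaves with the outside
    interface address as source and is never encrypted.
    """
    entry = match_crypto_map(src, dst, crypto_map)
    exempt = nat_exempt(src, dst, nat_rules)
    return {
        "crypto_seq": entry.seq if entry else None,
        "peer": entry.peer if entry else None,
        "nat_exempt": exempt,
        "would_encrypt": entry is not None and exempt,
    }


if __name__ == "__main__":
    for dst in ("192.168.104.37", "10.219.27.12", "10.9.8.7"):
        print(dst, classify_flow("192.168.10.2", dst))
```

Passing `nat_rules=[]` to `classify_flow` shows the failure mode the identity rules exist to prevent: the crypto ACL still matches, but `would_encrypt` is false because the source would have been translated first.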
5 Replies

KochetkovArtem
Level 1

DROP IN ENCRYPT!!!

packet-tracer input inside tcp 192.168.10.2 1999 192.168.104.37 8080 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static internal-subnet internal-subnet destination static RBA_side RBA_side no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.104.37/8080 to 192.168.104.37/8080

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static internal-subnet internal-subnet destination static RBA_side RBA_side no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.10.2/1999 to 192.168.10.2/1999
Forward Flow based lookup yields rule:
in id=0xaedc1288, priority=6, domain=nat, deny=false
hits=1, user_data=0xaeed0c70, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.104.37, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xade62b08, priority=1, domain=nat-per-session, deny=true
hits=12504, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae163370, priority=0, domain=inspect-ip-options, deny=true
hits=5731, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaea630d0, priority=13, domain=dynamic-filter, deny=false
hits=5145, user_data=0xaea62ed0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaeeeb740, priority=70, domain=encrypt, deny=false
hits=5, user_data=0x0, cs_id=0xae184fd8, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.104.37, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ANOTHER WORKED!!!

packet-tracer input inside tcp 192.168.10.2 1999 10.219.27.12 8080 deta$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static internal-subnet internal-subnet destination static TCB_side TCB_side no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.219.27.12/8080 to 10.219.27.12/8080

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static internal-subnet internal-subnet destination static TCB_side TCB_side no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.10.2/1999 to 192.168.10.2/1999
Forward Flow based lookup yields rule:
in id=0xaea28720, priority=6, domain=nat, deny=false
hits=10, user_data=0xae18e2b8, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.219.27.12, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xade62b08, priority=1, domain=nat-per-session, deny=true
hits=13145, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae163370, priority=0, domain=inspect-ip-options, deny=true
hits=6022, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaea630d0, priority=13, domain=dynamic-filter, deny=false
hits=5439, user_data=0xaea62ed0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaea328d0, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x7ae4, cs_id=0xaea258a0, reverse, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.219.27.12, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 8
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaea62bc8, priority=13, domain=dynamic-filter, deny=false
hits=5336, user_data=0xaea62730, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static internal-subnet internal-subnet destination static TCB_side TCB_side no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0xaf0bac18, priority=6, domain=nat-reverse, deny=false
hits=9, user_data=0xad9f8560, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.219.27.12, mask=255.255.255.255, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xaea339e8, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=2, user_data=0x8bfc, cs_id=0xaea258a0, reverse, flags=0x0, protocol=0
src ip/id=10.219.27.12, mask=255.255.255.255, port=0, tag=0
dst ip/id=192.168.10.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xade62b08, priority=1, domain=nat-per-session, deny=true
hits=13147, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xae13b320, priority=0, domain=inspect-ip-options, deny=true
hits=11330, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10904, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

gw234#

WTF?????!!!!!

Well, this is expected if the tunnel was down during the first attempt. The packet tracer simulates a packet, which in turn triggers the tunnel to initiate. When you run the packet-tracer again, it hits an established tunnel - which will then hit the VPN allow phase.

AND WTF THIS???

PHASE 2 OK and?????

Apr 18 18:03:09 192.168.10.1 %ASA-5-713041: IP = xxx.xxx.xxx.xxx, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.xxx  local Proxy Address 192.168.10.0, remote Proxy Address 192.168.104.37,  Crypto map (outside_map)
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing ISAKMP SA payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing NAT-Traversal VID ver 02 payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing NAT-Traversal VID ver 03 payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing NAT-Traversal VID ver RFC payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing Fragmentation VID + extended capabilities payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 400
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IKE Receiver: Packet received on zzz.zzz.zzz.zzz:500 from xxx.xxx.xxx.xxx:500
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: IP = xxx.xxx.xxx.xxx, processing SA payload
Apr 18 18:03:09 192.168.10.1 %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 18 18:03:09 192.168.10.1 %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IP = xxx.xxx.xxx.xxx, Oakley proposal is acceptable
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: IP = xxx.xxx.xxx.xxx, processing VID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715049: IP = xxx.xxx.xxx.xxx, Received Fragmentation VID
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing ke payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing nonce payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing Cisco Unity VID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing xauth V6 VID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715048: IP = xxx.xxx.xxx.xxx, Send IOS VID
Apr 18 18:03:09 192.168.10.1 %ASA-7-715038: IP = xxx.xxx.xxx.xxx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: IP = xxx.xxx.xxx.xxx, constructing VID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715048: IP = xxx.xxx.xxx.xxx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IKE Receiver: Packet received on zzz.zzz.zzz.zzz:500 from xxx.xxx.xxx.xxx:500
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 248
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: IP = xxx.xxx.xxx.xxx, processing ke payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: IP = xxx.xxx.xxx.xxx, processing ISA_KE payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: IP = xxx.xxx.xxx.xxx, processing nonce payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IP = xxx.xxx.xxx.xxx, Connection landed on tunnel_group xxx.xxx.xxx.xxx
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Generating keys for Initiator...
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing ID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing hash payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715076: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Computing hash for ISAKMP
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing dpd vid payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IKE Receiver: Packet received on zzz.zzz.zzz.zzz:500 from xxx.xxx.xxx.xxx:500
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing ID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-714011: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, ID_IPV4_ADDR ID received#012xxx.xxx.xxx.xxx
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing hash payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715076: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Computing hash for ISAKMP
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IP = xxx.xxx.xxx.xxx, Connection landed on tunnel_group xxx.xxx.xxx.xxx
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Oakley begin quick mode
Apr 18 18:03:09 192.168.10.1 %ASA-7-714002: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE Initiator starting QM: msg id = bf44553a
Apr 18 18:03:09 192.168.10.1 %ASA-5-713119: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, PHASE 1 COMPLETED
Apr 18 18:03:09 192.168.10.1 %ASA-7-713121: IP = xxx.xxx.xxx.xxx, Keep-alive type for this connection: None
Apr 18 18:03:09 192.168.10.1 %ASA-3-713122: IP = xxx.xxx.xxx.xxx, Keep-alives configured on but peer does not support keep-alives (type = None)
Apr 18 18:03:09 192.168.10.1 %ASA-7-715080: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Starting P1 rekey timer: 21600 seconds.
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 794624
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Add to IKEv1 MIB Table succeeded for SA with logical ID 794624
Apr 18 18:03:09 192.168.10.1 %ASA-7-715006: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE got SPI from key engine: SPI = 0x8ccea9d8
Apr 18 18:03:09 192.168.10.1 %ASA-7-715006: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE got SPI from key engine: SPI = 0x9607e787
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, oakley constucting quick mode
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing blank hash payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing IPSec SA payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing IPSec nonce payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing pfs ke payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715001: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing proxy ID
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Transmitting Proxy Id:#012  Local subnet:  192.168.10.0  mask 255.255.255.0 Protocol 0  Port 0#012  Remote host: 192.168.104.37  Protocol 0  Port 0
Apr 18 18:03:09 192.168.10.1 %ASA-7-714007: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE Initiator sending Initial Contact
Apr 18 18:03:09 192.168.10.1 %ASA-7-715046: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, constructing qm hash payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-714004: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE Initiator sending 1st QM pkt: msg id = bf44553a
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=bf44553a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 416
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IKE Receiver: Packet received on zzz.zzz.zzz.zzz:500 from xxx.xxx.xxx.xxx:500
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=bf44553a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 348
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing hash payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing SA payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing nonce payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing ke payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing ISA_KE for PFS in phase 2
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing ID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-714011: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, ID_IPV4_ADDR_SUBNET ID received--192.168.10.0--255.255.255.0
Apr 18 18:03:09 192.168.10.1 %ASA-7-715047: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, processing ID payload
Apr 18 18:03:09 192.168.10.1 %ASA-7-714011: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, ID_IPV4_ADDR ID received#012192.168.104.37
Apr 18 18:03:09 192.168.10.1 %ASA-7-715077: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Pitcher: received key delete msg, spi 0x9607e787
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, loading all IPSEC SAs
Apr 18 18:03:09 192.168.10.1 %ASA-7-715001: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Generating Quick Mode Key!
Apr 18 18:03:09 192.168.10.1 %ASA-7-715001: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Generating Quick Mode Key!
Apr 18 18:03:09 192.168.10.1 %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9662F8D4) between zzz.zzz.zzz.zzz and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been created.
Apr 18 18:03:09 192.168.10.1 %ASA-5-713049: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Security negotiation complete for LAN-to-LAN Group (xxx.xxx.xxx.xxx)  Initiator, Inbound SPI = 0x8ccea9d8, Outbound SPI = 0x9662f8d4
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, oakley constructing final quick mode
Apr 18 18:03:09 192.168.10.1 %ASA-7-714006: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE Initiator sending 3rd QM pkt: msg id = bf44553a
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=bf44553a) with payloads : HDR + HASH (8) + NONE (0) total length : 72
Apr 18 18:03:09 192.168.10.1 %ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0x8CCEA9D8) between zzz.zzz.zzz.zzz and xxx.xxx.xxx.xxx (user= xxx.xxx.xxx.xxx) has been created.
Apr 18 18:03:09 192.168.10.1 %ASA-7-715007: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, IKE got a KEY_ADD msg for SA: SPI = 0x9662f8d4
Apr 18 18:03:09 192.168.10.1 %ASA-7-715077: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Pitcher: received KEY_UPDATE, spi 0x8ccea9d8
Apr 18 18:03:09 192.168.10.1 %ASA-7-715080: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Starting P2 rekey timer: 3060 seconds.
Apr 18 18:03:09 192.168.10.1 %ASA-5-713120: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, PHASE 2 COMPLETED (msgid=bf44553a)
Apr 18 18:03:09 192.168.10.1 %ASA-5-752016: IKEv1 was successful at setting up a tunnel.  Map Tag = outside_map. Map Sequence Number = 5.
Apr 18 18:03:09 192.168.10.1 %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Apr 18 18:03:18 192.168.10.1 %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-7-752002: Tunnel Manager Removed entry.  Map Tag = outside_map.  Map Sequence Number = 5.
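Added example, not part of the thread and not Cisco code: a small Python parser that pulls the IKEv1 milestones out of ASA syslog lines in the format posted above and reports, per crypto-map sequence number, whether a negotiation produced a tunnel or whether a KEY_ACQUIRE ended in 752012/752015 without any IKE packet being sent in between. It keys on the message IDs that appear in the posted debug (713041, 713257, 713906, 713236, 713119, 713120, 752004, 752016, 752012, 752015); the `SAMPLE` lines are a constructed subset in the same format as the posted output, with the peer addresses masked the same way. Function names and the wording of the findings are this example's own.

```python
"""Pull the IKEv1 LAN-to-LAN milestones out of Cisco ASA syslog lines.

Added example for this thread, not Cisco code. Message IDs (as seen in the posted
debug): 713041 new Phase 1 with proxy IDs, 713257 Phase 1 attribute mismatch,
713236 IKE packet sent/received, 713119/713120 Phase 1/2 completed, 752004
KEY_ACQUIRE handed to IKEv1, 752016 tunnel up, 752012/752015 tunnel failed.
"""
import re
import sys
from collections import defaultdict

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
MAP_RE = re.compile(r"Map Tag\s*=\s*(?P<tag>[^.\s]+)\.?\s+Map Sequence Number\s*=\s*(?P<seq>\d+)")
GROUP_RE = re.compile(r"Rcv'd: Group (?P<rcvd>\d+)\s+Cfg'd: Group (?P<cfgd>\d+)")
PROXY_RE = re.compile(r"local Proxy Address (?P<local>[^,\s]+), remote Proxy Address (?P<remote>[^,\s]+)")
TUNNEL_MGR = {"752004": "key_acquire", "752016": "success", "752012": "fail", "752015": "fail"}


def parse_line(line):
    """Split one syslog line into ts/host/sev/msgid/body; None if it is not an ASA message."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Walk the lines in order and collect the negotiation milestones."""
    s = {
        "proxies": [],              # (local, remote) proxy IDs of each new Phase 1
        "group_mismatches": set(),  # (DH group received, DH group configured) from 713257
        "proposal_accepted": False,
        "phase1_completed": 0,
        "phase2_completed": 0,
        "by_map": defaultdict(list),  # (map tag, seq) -> [(ts, kind, ike_pkts_sent_since_acquire)]
    }
    ike_sent = 0  # IKE_DECODE SENDING count, reset whenever a KEY_ACQUIRE starts a new attempt
    for e in filter(None, map(parse_line, lines)):
        mid, body = e["msgid"], e["body"]
        if mid == "713041" and (m := PROXY_RE.search(body)):
            s["proxies"].append((m["local"], m["remote"]))
        elif mid == "713257" and (m := GROUP_RE.search(body)):
            s["group_mismatches"].add((int(m["rcvd"]), int(m["cfgd"])))
        elif mid == "713906" and "Oakley proposal is acceptable" in body:
            s["proposal_accepted"] = True
        elif mid == "713236" and "SENDING" in body:
            ike_sent += 1
        elif mid == "713119":
            s["phase1_completed"] += 1
        elif mid == "713120":
            s["phase2_completed"] += 1
        elif mid in TUNNEL_MGR and (m := MAP_RE.search(body)):
            kind = TUNNEL_MGR[mid]
            if kind == "key_acquire":
                ike_sent = 0
            s["by_map"][(m["tag"], int(m["seq"]))].append((e["ts"], kind, ike_sent))
    return s


def findings(s):
    """Human-readable verdicts; duplicates (752012 followed by 752015) are collapsed."""
    out = []
    for local, remote in s["proxies"]:
        out.append(f"Phase 1 initiated for proxy IDs {local} -> {remote}")
    for rcvd, cfgd in sorted(s["group_mismatches"]):
        tail = "proposal was then accepted" if s["proposal_accepted"] else "no policy accepted it"
        out.append(f"Phase 1 policy mismatch: peer offered DH group {rcvd}, local policy has group {cfgd} ({tail})")
    out.append(f"Phase 1 completed {s['phase1_completed']}x, Phase 2 completed {s['phase2_completed']}x")
    for (tag, seq), evs in sorted(s["by_map"].items()):
        for ts, kind, sent in evs:
            if kind == "success":
                out.append(f"{tag} seq {seq}: tunnel established at {ts}")
            elif kind == "fail" and sent == 0:
                out.append(f"{tag} seq {seq}: KEY_ACQUIRE at {ts} failed with no IKE packet sent")
            elif kind == "fail":
                out.append(f"{tag} seq {seq}: negotiation failed at {ts} after {sent} IKE packet(s)")
    return list(dict.fromkeys(out))


# Constructed sample in the format of the debug output posted in the thread (peer addresses masked).
SAMPLE = """\
Apr 18 18:03:09 192.168.10.1 %ASA-5-713041: IP = xxx.xxx.xxx.xxx, IKE Initiator: New Phase 1, Intf inside, IKE Peer xxx.xxx.xxx.xxx  local Proxy Address 192.168.10.0, remote Proxy Address 192.168.104.37,  Crypto map (outside_map)
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 400
Apr 18 18:03:09 192.168.10.1 %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Apr 18 18:03:09 192.168.10.1 %ASA-7-713906: IP = xxx.xxx.xxx.xxx, Oakley proposal is acceptable
Apr 18 18:03:09 192.168.10.1 %ASA-5-713119: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, PHASE 1 COMPLETED
Apr 18 18:03:09 192.168.10.1 %ASA-7-713236: IP = xxx.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=bf44553a) with payloads : HDR + HASH (8) + SA (1) + NONE (0) total length : 416
Apr 18 18:03:09 192.168.10.1 %ASA-5-713120: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, PHASE 2 COMPLETED (msgid=bf44553a)
Apr 18 18:03:09 192.168.10.1 %ASA-5-752016: IKEv1 was successful at setting up a tunnel.  Map Tag = outside_map. Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = outside_map.  Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = outside_map.  Map Sequence Number = 5.
Apr 18 18:03:18 192.168.10.1 %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= outside_map.  Map Sequence Number = 5.
""".splitlines()

if __name__ == "__main__":
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(findings(summarize(src))))
```

Pipe the full `debug crypto ikev1` / syslog capture into the script (`python3 ike_summary.py < asa.log`) to get one line per milestone instead of reading a few hundred debug lines by hand; the "failed with no IKE packet sent" verdict is what distinguishes the second attempt at 18:03:18 in the posted log from the successful negotiation at 18:03:09.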