Cisco Support Community
New Member

ASA5510 VPN not working after upgrade from 8.2 to 8.3

Hi,

I have recently upgraded a customer ASA5510 to version 8.3.

After the upgrade, web access etc. is working fine; however, VPN is down.

The config looks very different after the upgrade plus what looks to be duplicate entries.

I suspect it's an access list issue but I'm not sure.

If anyone has any ideas based on the config below it would be greatly appreciated as I'm at a loss....?!

hostname ciscoasa

domain-name default.domain.invalid

enable password NvZgxFP5WhDo0hQl encrypted

passwd FNeDAwBbhVaOtVAu encrypted

names

dns-guard

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 217.75.8.203 255.255.255.248

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.1.1.1 255.255.255.0

management-only

!

boot system disk0:/asa832-k8.bin

ftp mode passive

clock timezone GMT/IST 0

clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup Inside

dns server-group DefaultDNS

domain-name default.domain.invalid

object network obj-192.168.1.2-04

host 192.168.1.2

object network obj-192.168.1.7-04

host 192.168.1.7

object network obj-192.168.1.0-02

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.2.0-02

subnet 192.168.2.0 255.255.255.0

object network obj-10.1.2.0-02

subnet 10.1.2.0 255.255.255.0

object network obj-192.168.1.224-02

subnet 192.168.1.224 255.255.255.240

object network obj-192.168.1.9-02

host 192.168.1.9

object network obj-192.168.1.2-05

host 192.168.1.2

object network obj-192.168.1.103-02

host 192.168.1.103

object network obj-192.168.1.7-05

host 192.168.1.7

object network NETWORK_OBJ_10.1.2.0_24

subnet 10.1.2.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group network obj-192.168.1.2-02

object-group network obj-192.168.1.7-02

object-group network obj-192.168.1.0-01

object-group network obj-192.168.2.0-01

object-group network obj-10.1.2.0-01

object-group network obj-192.168.1.224-01

object-group network obj-192.168.1.9-01

object-group network obj-192.168.1.2-03

object-group network obj-192.168.1.103-01

object-group network obj-192.168.1.7-03

object-group network obj-192.168.1.2

object-group network obj-192.168.1.7

object-group network obj-192.168.1.0

object-group network obj-192.168.2.0

object-group network obj-10.1.2.0

object-group network obj-192.168.1.224

object-group network obj-192.168.1.9

object-group network obj-192.168.1.2-01

object-group network obj-192.168.1.103

object-group network obj-192.168.1.7-01

object-group network obj_any

object-group network obj-0.0.0.0

object-group network obj_any-01

object-group service MonitcomUDP udp

port-object range 3924 3924

access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240

access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive

access-list Outside_access_in extended permit icmp any any

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200

access-list Outside_access_in remark Monitcom

access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900

access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www

access-list Outside_access_in extended permit udp any any eq 4500 inactive

access-list Outside_access_in extended permit udp any any eq isakmp inactive

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended permit icmp any any

access-list RemoteVPN_splitTunnelAcl standard permit any

access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240

pager lines 24

logging enable

logging asdm warnings

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0

ip verify reverse-path interface Outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

icmp permit any Inside

asdm location 192.168.1.208 255.255.255.252 Inside

asdm location 192.168.1.103 255.255.255.255 Inside

asdm location 192.168.1.6 255.255.255.255 Inside

asdm location 192.168.1.7 255.255.255.255 Inside

asdm location 192.168.1.9 255.255.255.255 Inside

no asdm history enable

arp timeout 14400

nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional

nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional

nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional

nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24

!

object network obj-192.168.1.2-04

nat (Outside,Inside) static 217.75.8.204

object network obj-192.168.1.7-04

nat (Outside,Inside) static 217.75.8.206

object network obj-192.168.1.0-02

nat (Inside,Outside) dynamic interface

object network obj-192.168.1.9-02

nat (Inside,Outside) static 217.75.8.201

object network obj-192.168.1.2-05

nat (Inside,Outside) static 217.75.8.204

object network obj-192.168.1.103-02

nat (Inside,Outside) static 217.75.8.205

object network obj-192.168.1.7-05

nat (Inside,Outside) static 217.75.8.206

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server DellServerAAA protocol radius

aaa-server DellServerAAA (Inside) host 192.168.1.4

key test

http server enable

http 62.17.29.2 255.255.255.255 Outside

http 82.141.224.155 255.255.255.255 Outside

http 63.218.54.8 255.255.255.252 Outside

http 213.79.44.213 255.255.255.255 Outside

http 192.168.1.0 255.255.255.0 Inside

http 10.1.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection timewait

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec df-bit clear-df Outside

crypto ipsec df-bit clear-df Inside

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set peer 89.127.172.29

crypto map Outside_map 1 set transform-set ESP-3DES-SHA

crypto map Outside_map 60 match address Outside_cryptomap_60

crypto map Outside_map 60 set peer 89.105.114.98

crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

crypto isakmp identity key-id nattingreallymatters

crypto isakmp enable Outside

crypto isakmp enable Inside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.1.0 255.255.255.0 Inside

telnet timeout 5

ssh 82.141.224.155 255.255.255.255 Outside

ssh 62.17.29.2 255.255.255.255 Outside

ssh 213.79.44.213 255.255.255.255 Outside

ssh 192.168.1.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

management-access Inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

wins-server value 192.168.1.31

dns-server value 192.168.1.31

default-domain value freefoam.ie

username freefoam password JLYaVf7FqRM2LH0e encrypted

username cork password qbK2Hqt1H5ttJzPD encrypted

tunnel-group 193.114.70.130 type ipsec-l2l

tunnel-group 193.114.70.130 ipsec-attributes

pre-shared-key ******

tunnel-group 89.127.172.29 type ipsec-l2l

tunnel-group 89.127.172.29 ipsec-attributes

pre-shared-key ******

tunnel-group 89.105.114.98 type ipsec-l2l

tunnel-group 89.105.114.98 ipsec-attributes

pre-shared-key *****

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool VPNPool

authentication-server-group DellServerAAA

default-group-policy RemoteVPN

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0dc16fe893bd4bba6fdf6b7eed93e553

3 REPLIES
Super Bronze

ASA5510 VPN not working after upgrade from 8.2 to 8.3

Yes, there are major changes in the configuration from ASA version 8.3 onwards, especially NAT and access-list.

I assume that your VPN is connected but you are not able to access resources.

Please make the following changes:

no nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional

nat (Inside,Outside) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02

Then "clear xlate" to clear the existing translation.
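The check behind the reply above, as an added example that is not part of the original thread and is not a Cisco tool: a Python script that pairs every `crypto map ... match address` ACL with the identity twice-NAT rule covering the same flow, and flags rules that differ from the form the reply recommends (the `unidirectional` keyword, or `any` as the egress interface). The sample config is constructed from lines posted in this thread; the status labels (`ok`, `no-exemption`, `egress-any`) are names chosen for this example, and only `source static ... destination static` rules and network/mask ACL entries are considered.

```python
import ipaddress
import re

# Constructed sample: a trimmed subset of the migrated 8.3 lines posted in this thread.
SAMPLE_CONFIG = """\
object network obj-192.168.1.0-02
subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0-02
subnet 192.168.2.0 255.255.255.0
object network obj-10.1.2.0-02
subnet 10.1.2.0 255.255.255.0
access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02 unidirectional
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 60 match address Outside_cryptomap_60
"""

# The rule the reply removes and the rule it adds in its place.
OLD_RULE = ("nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 "
            "destination static obj-10.1.2.0-02 obj-10.1.2.0-02 unidirectional")
NEW_RULE = ("nat (Inside,Outside) source static obj-192.168.1.0-02 obj-192.168.1.0-02 "
            "destination static obj-10.1.2.0-02 obj-10.1.2.0-02")

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\d\S*) (\d\S*) (\d\S*) (\d\S*)$")
NAT_RE = re.compile(r"^nat \((\S+?),(\S+?)\) (?:after-auto )?source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)(.*)$")
CMAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse(config):
    """Collect network objects, network/mask ACL entries, twice-NAT rules, crypto map entries."""
    objects, acls, nats, cmaps, current = {}, {}, [], [], None
    for line in (raw.strip() for raw in config.splitlines()):
        tok = line.split()
        if not tok:
            continue  # tolerate the blank lines found in pasted configs
        if tok[:2] == ["object", "network"] and len(tok) == 3:
            current = tok[2]
            continue
        if current and tok[0] in ("subnet", "host"):
            mask = tok[2] if tok[0] == "subnet" else "255.255.255.255"
            objects[current] = ipaddress.ip_network(f"{tok[1]}/{mask}")
            continue
        current = None
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := NAT_RE.match(line):
            _real_if, mapped_if, s_real, s_map, d_map, d_real, tail = m.groups()
            nats.append({"src": s_real, "dst": d_real,
                         "identity": s_real == s_map and d_real == d_map,
                         "unidirectional": "unidirectional" in tail.split(),
                         "egress-any": mapped_if == "any"})
        elif m := CMAP_RE.match(line):
            cmaps.append((int(m.group(2)), m.group(3)))
    return objects, acls, nats, cmaps


def audit(config):
    """Return (seq, acl, src, dst, status) for every flow protected by a crypto map entry."""
    objects, acls, nats, cmaps = parse(config)

    def net(name):
        return ANY if name == "any" else objects.get(name)

    findings = []
    for seq, acl in cmaps:
        for src, dst in acls.get(acl, []):
            status = "no-exemption"
            for rule in nats:
                s, d = net(rule["src"]), net(rule["dst"])
                if not rule["identity"] or s is None or d is None:
                    continue
                if not (src.subnet_of(s) and dst.subnet_of(d)):
                    continue
                issues = [k for k in ("unidirectional", "egress-any") if rule[k]]
                status = "+".join(issues) or "ok"
                break  # simplification: first matching twice-NAT rule in config order
            findings.append((seq, acl, str(src), str(dst), status))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG),
                       ("after the reply's change", SAMPLE_CONFIG.replace(OLD_RULE, NEW_RULE))):
        print(label)
        for finding in audit(cfg):
            print("  ", *finding)
```

Run against the sample, the `10.1.2.0/24` flow moves from `unidirectional+egress-any` to `ok` once the reply's rule is substituted, while the `192.168.2.0/24` flow keeps its flags because its rule is untouched.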

New Member

ASA5510 VPN not working after upgrade from 8.2 to 8.3

Hi,

Many thanks for your reply.

Finally got access to implement your suggestions.

Initially none of the VPNs were up.

After making the change the two VPNs came up.

However only data via the first VPN is possible.

Accessing resources on the 10.1.2.0 network is still not possible.

Attached is the latest config; any input is greatly appreciated:

hostname ciscoasa

domain-name default.domain.invalid

enable password NvZgxFP5WhDo0hQl encrypted

passwd FNeDAwBbhVaOtVAu encrypted

names

dns-guard

!

interface Ethernet0/0

nameif Outside

security-level 0

ip address 217.75.8.203 255.255.255.248

!

interface Ethernet0/1

nameif Inside

security-level 100

ip address 192.168.1.254 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 10.1.1.1 255.255.255.0

management-only

!

boot system disk0:/asa832-k8.bin

ftp mode passive

clock timezone GMT/IST 0

clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns domain-lookup Inside

dns server-group DefaultDNS

domain-name default.domain.invalid

object network obj-192.168.1.2-04

host 192.168.1.2

object network obj-192.168.1.7-04

host 192.168.1.7

object network obj-192.168.1.0-02

subnet 192.168.1.0 255.255.255.0

object network obj-192.168.2.0-02

subnet 192.168.2.0 255.255.255.0

object network obj-10.1.2.0-02

subnet 10.1.2.0 255.255.255.0

object network obj-192.168.1.224-02

subnet 192.168.1.224 255.255.255.240

object network obj-192.168.1.9-02

host 192.168.1.9

object network obj-192.168.1.2-05

host 192.168.1.2

object network obj-192.168.1.103-02

host 192.168.1.103

object network obj-192.168.1.7-05

host 192.168.1.7

object network NETWORK_OBJ_10.1.2.0_24

subnet 10.1.2.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24

subnet 192.168.1.0 255.255.255.0

object-group network obj-192.168.1.2-02

object-group network obj-192.168.1.7-02

object-group network obj-192.168.1.0-01

object-group network obj-192.168.2.0-01

object-group network obj-10.1.2.0-01

object-group network obj-192.168.1.224-01

object-group network obj-192.168.1.9-01

object-group network obj-192.168.1.2-03

object-group network obj-192.168.1.103-01

object-group network obj-192.168.1.7-03

object-group network obj-192.168.1.2

object-group network obj-192.168.1.7

object-group network obj-192.168.1.0

object-group network obj-192.168.2.0

object-group network obj-10.1.2.0

object-group network obj-192.168.1.224

object-group network obj-192.168.1.9

object-group network obj-192.168.1.2-01

object-group network obj-192.168.1.103

object-group network obj-192.168.1.7-01

object-group network obj_any

object-group network obj-0.0.0.0

object-group network obj_any-01

object-group service MonitcomUDP udp

port-object range 3924 3924

access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Inside_nat0_inbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Inside_nat0_outbound extended permit ip any 192.168.1.224 255.255.255.240

access-list Outside_cryptomap_60 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Outside_cryptomap_60 extended permit icmp 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq smtp

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq pop3

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq 2000 inactive

access-list Outside_access_in extended permit icmp any any

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in extended permit tcp any host 217.75.8.204 eq 1200

access-list Outside_access_in remark Monitcom

access-list Outside_access_in extended permit tcp host 87.232.117.66 host 217.75.8.205 eq 5900

access-list Outside_access_in extended permit udp any host 217.75.8.205 eq 3924

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 220

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 230

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 240

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 250

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 260

access-list Outside_access_in remark ESS Access

access-list Outside_access_in extended permit tcp host 196.36.153.251 any eq 1433

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in extended permit tcp any host 217.75.8.206 eq www

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq https

access-list Outside_access_in extended permit tcp any host 217.75.8.201 eq www

access-list Outside_access_in extended permit udp any any eq 4500 inactive

access-list Outside_access_in extended permit udp any any eq isakmp inactive

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Outside_access_in remark Allow webmail access

access-list Outside_access_in remark Allow Hansa Live access

access-list Outside_access_in remark Monitcom

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark ESS Access

access-list Outside_access_in remark Allow TMS Web Access

access-list Inside_access_in extended permit ip any any

access-list Inside_access_in extended permit icmp any any

access-list RemoteVPN_splitTunnelAcl standard permit any

access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Outside_cryptomap_dyn_20 extended permit ip any 192.168.1.224 255.255.255.240

access-list global_access extended permit ip any any

access-list Outside_cryptomap_80_3 extended permit ip 192.168.1.0 255.255.255.0 10.1.2.0 255.255.255.0

access-list Split-tunnel standard permit 192.168.1.0 255.255.255.0

pager lines 24

logging enable

logging asdm warnings

mtu Outside 1500

mtu Inside 1500

mtu management 1500

ip local pool VPNPool 192.168.1.230-192.168.1.240 mask 255.255.255.0

ip verify reverse-path interface Outside

icmp unreachable rate-limit 1 burst-size 1

icmp permit any Outside

icmp permit any Inside

asdm image disk0:/asdm-647.bin

asdm location 192.168.1.208 255.255.255.252 Inside

asdm location 192.168.1.103 255.255.255.255 Inside

asdm location 192.168.1.6 255.255.255.255 Inside

asdm location 192.168.1.7 255.255.255.255 Inside

asdm location 192.168.1.9 255.255.255.255 Inside

no asdm history enable

arp timeout 14400

nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02

nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02

nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional

nat (Inside,Outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_10.1.2.0_24 NETWORK_OBJ_10.1.2.0_24

!

object network obj-192.168.1.2-04

nat (Outside,Inside) static 217.75.8.204

object network obj-192.168.1.7-04

nat (Outside,Inside) static 217.75.8.206

object network obj-192.168.1.0-02

nat (Inside,Outside) dynamic interface

object network obj-192.168.1.9-02

nat (Inside,Outside) static 217.75.8.201

object network obj-192.168.1.2-05

nat (Inside,Outside) static 217.75.8.204

object network obj-192.168.1.103-02

nat (Inside,Outside) static 217.75.8.205

object network obj-192.168.1.7-05

nat (Inside,Outside) static 217.75.8.206

!

nat (Inside,Outside) after-auto source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24

access-group Outside_access_in in interface Outside

access-group Inside_access_in in interface Inside

access-group global_access global

route Outside 0.0.0.0 0.0.0.0 217.75.8.198 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server DellServerAAA protocol radius

aaa-server DellServerAAA (Inside) host 192.168.1.4

key test

http server enable

http 62.17.29.2 255.255.255.255 Outside

http 82.141.224.155 255.255.255.255 Outside

http 63.218.54.8 255.255.255.252 Outside

http 213.79.44.213 255.255.255.255 Outside

http 192.168.1.0 255.255.255.0 Inside

http 10.1.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection timewait

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto ipsec df-bit clear-df Outside

crypto ipsec df-bit clear-df Inside

crypto dynamic-map Outside_dyn_map 20 match address Outside_cryptomap_dyn_20

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map Outside_map 1 match address Outside_1_cryptomap

crypto map Outside_map 1 set peer 89.127.172.29

crypto map Outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-DES-SHA ESP-3DES-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-MD5

crypto map Outside_map 60 match address Outside_cryptomap_60

crypto map Outside_map 60 set peer 89.105.114.98

crypto map Outside_map 60 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map

crypto map Outside_map interface Outside

crypto isakmp identity key-id nattingreallymatters

crypto isakmp enable Outside

crypto isakmp enable Inside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash md5

group 5

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.1.0 255.255.255.0 Inside

telnet timeout 5

ssh 82.141.224.155 255.255.255.255 Outside

ssh 62.17.29.2 255.255.255.255 Outside

ssh 213.79.44.213 255.255.255.255 Outside

ssh 192.168.1.0 255.255.255.0 Inside

ssh timeout 5

console timeout 0

management-access Inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable Outside

anyconnect-essentials

svc image disk0:/anyconnect-dart-win-2.5.3055-k9.pkg 1

svc image disk0:/anyconnect-macosx-powerpc-2.5.3055-k9.pkg 2

svc enable

tunnel-group-list enable

group-policy RemoteVPN internal

group-policy RemoteVPN attributes

wins-server value 192.168.1.31

dns-server value 192.168.1.31

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Split-tunnel

default-domain value freefoam.ie

username freefoam password JLYaVf7FqRM2LH0e encrypted

username cisco password DfO7NBd5PZ1b0kZ1 encrypted privilege 15

username cork password qbK2Hqt1H5ttJzPD encrypted

tunnel-group 193.114.70.130 type ipsec-l2l

tunnel-group 193.114.70.130 ipsec-attributes

pre-shared-key ************

tunnel-group 89.127.172.29 type ipsec-l2l

tunnel-group 89.127.172.29 ipsec-attributes

pre-shared-key ************

tunnel-group 89.105.114.98 type ipsec-l2l

tunnel-group 89.105.114.98 ipsec-attributes

pre-shared-key ************

tunnel-group RemoteVPN type remote-access

tunnel-group RemoteVPN general-attributes

address-pool VPNPool

authentication-server-group DellServerAAA

default-group-policy RemoteVPN

tunnel-group RemoteVPN webvpn-attributes

group-alias Anyconnect enable

tunnel-group RemoteVPN ipsec-attributes

pre-shared-key c0nnect10nParameter$

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:fae6b7bc25fcf39daffbcdc6b91c9d8e

Super Bronze

ASA5510 VPN not working after upgrade from 8.2 to 8.3

Here we go:

no nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02

no nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02

no nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional

nat (Inside,Outside) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02

nat (Inside,Outside) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02

nat (Inside,Outside) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02

Then "clear xlate". It should work now.

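The reply's fix, generalized into a check that can be run over a migrated config: an added example, not part of the thread, that finds identity twice-NAT rules whose mapped interface is `any` or that carry `unidirectional`, and emits the `no nat` / `nat` pairs in the reply's form. The function name, the `egress` parameter and the last sample line are assumptions made for illustration.

```python
import re

# Twice-NAT rule in the shape the 8.2 -> 8.3 migration produced in this thread:
# nat (real_if,mapped_if) source static A A destination static B B [unidirectional]
NAT_RE = re.compile(
    r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) "
    r"source static (?P<src>\S+) (?P<src_m>\S+) "
    r"destination static (?P<dst>\S+) (?P<dst_m>\S+)"
    r"(?P<uni> unidirectional)?\s*$"
)

# First three lines are the rules the reply removes; the last is constructed.
SAMPLE_CONFIG = """\
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-192.168.2.0-02 obj-192.168.2.0-02
nat (Inside,any) source static obj-192.168.1.0-02 obj-192.168.1.0-02 destination static obj-10.1.2.0-02 obj-10.1.2.0-02
nat (Inside,any) source static any any destination static obj-192.168.1.224-02 obj-192.168.1.224-02 unidirectional
nat (Inside,Outside) source dynamic any interface
"""

def rewrite_identity_nat(config_text, egress="Outside"):
    """Return (flagged_lines, commands) for identity NAT rules needing the reply's change."""
    flagged, removals, additions = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = NAT_RE.match(line)
        if not m:
            continue
        # Identity (no-translation) rules only: real and mapped objects are the same.
        if m["src"] != m["src_m"] or m["dst"] != m["dst_m"]:
            continue
        # Skip rules already pinned to a named interface pair and bidirectional.
        if m["mapped"].lower() != "any" and not m["uni"]:
            continue
        flagged.append(line)
        removals.append("no " + line)
        # Re-add with the explicit egress interface and without "unidirectional".
        additions.append(
            f"nat ({m['real']},{egress}) source static {m['src']} {m['src_m']} "
            f"destination static {m['dst']} {m['dst_m']}"
        )
    return flagged, removals + additions

if __name__ == "__main__":
    _, commands = rewrite_identity_nat(SAMPLE_CONFIG)
    print("\n".join(commands))
```

As the reply says, run `clear xlate` after applying the generated commands.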