Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Site to Site VPN between ASA 5505 and Cisco 800 router

Evening all,

Hoping that someboy can see the error of my ways.  It seems very like the problem that i read here: https://supportforums.cisco.com/thread/2016300

We have a cisco 800 in a remote site which we wanted to use for a site to site vpn.  Went through the steps on the ASA 5505 and the 800 and have got to the stage were the tunnel is up and connected.  Getting traffic through it is another matter.  Remote network is 172.20.224.0/20 and the server network behind the ASA is 192.168.168.0/24. The tunnel does intiate when you send traffic from 172 ......to 192.......  Both the ASA and 800 report the tunnel is up.  If i look at the stats using ccp on the 800 i can see the encapsulation packets graph shooting up but nothing cominbg back.  I did packet captures on the 5505 and could not see anything coming from the tunnel so i dont belive its making it to the ASA.  Here is the config from the 800:

Building configuration...

Current configuration : 6488 bytes

!

version 12.4

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname hhp-sty-backup

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

aaa authorization auth-proxy default local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-1347488939

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1347488939

revocation-check none

rsakeypair TP-self-signed-1347488939

!

!

crypto pki certificate chain TP-self-signed-1347488939

certificate self-signed 02

  30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336

  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734

  38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7

  0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513

  D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046

  4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA

  8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603

  551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61

  696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A

  0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F

  5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7

  789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432

  66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6

  C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF

  447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E

            quit

dot11 syslog

ip source-route

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool inside

!

ip dhcp pool lan_network

   network 172.20.224.0 255.255.240.0

   dns-server 8.8.8.8 8.8.4.4

   default-router 172.20.224.1

   lease 7

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

!

!

password encryption aes

!

!

username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1

username admin privilege 15 password 0 434Zaty

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key password address 217.36.32.222

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to217.36.32.222

set peer 217.36.32.222

set transform-set ESP-3DES-SHA

match address 100

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 172.20.224.1 255.255.240.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

no cdp enable

ppp authentication chap callin

ppp chap hostname B6*******.btclick.com

ppp chap password 0 H*******

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

!

access-list 1 remark CCP_ACL Category=16

access-list 1 permit 172.4.0.0 0.240.255.255

access-list 10 permit 195.12.1.35

access-list 10 permit 172.4.0.0 0.240.255.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255

access-list 101 permit ip 172.4.0.0 0.240.255.255 any

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE 

PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>

no username cisco

Replace <myuser> and <mypassword> with the username and password you want

to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL

NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

no modem enable

stopbits 1

line aux 0

line vty 0 4

access-class 10 in

privilege level 15

password 434Zaty

transport input telnet ssh

!

scheduler max-task-time 5000

end

Any help will be most gratefully recieved.

Everyone's tags (4)
9 REPLIES
Hall of Fame Super Silver

Site to Site VPN between ASA 5505 and Cisco 800 router

This config looks pretty reasonable. Perhaps you could post the output of show crypto ipsec sa? This might shed some light on the problem.

It would also be helpful to see what is configured on the ASA. Without having any detail to work from my first guess would be that there is a mismatch on the ASA about the access list for interesting traffic or there is a mismatch about what traffic to translate addressing and what traffic to pass through.

HTH

Rick

Site to Site VPN between ASA 5505 and Cisco 800 router

Rick,

Thanks for replying.  Here is the output from the 800 Show Crypto command:

interface: Dialer0

    Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)

   current_peer 217.36.32.222 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 0

     local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222

     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2

    Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)

   current_peer 217.36.32.222 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 2, #recv errors 0

     local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222

     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

and this is the running config frm our ASA at HQ:

Result of the command: "sh run"

: Saved

:

ASA Version 8.2(1)

!

hostname secure-access

domain-name hhp.com

enable password UWWykvGjAPmxufUo encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.168.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

pppoe client vpdn group BT

ip address 217.36.32.222 255.255.255.255 pppoe

!

interface Vlan12

nameif DMZ

security-level 50

ip address 192.168.169.1 255.255.255.0

!

interface Vlan22

nameif Wireless_HHP

security-level 100

ip address 172.16.36.1 255.255.254.0

!

interface Vlan32

nameif CNES

security-level 100

ip address 187.187.168.1 255.255.0.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 12

!

interface Ethernet0/3

switchport access vlan 22

!

interface Ethernet0/4

switchport access vlan 32

!

interface Ethernet0/5

switchport access vlan 12

!

interface Ethernet0/6

switchport access vlan 12

!

interface Ethernet0/7

!

ftp mode passive

dns domain-lookup inside

dns domain-lookup outside

dns domain-lookup DMZ

dns domain-lookup Wireless_HHP

dns domain-lookup CNES

dns server-group DefaultDNS

name-server 192.168.168.2

domain-name hhp.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object-group network NET-cnes_HHP-Sty

network-object 172.20.224.0 255.255.240.0

object-group network NET-cnes_HHP-Balivanich

network-object 172.20.192.0 255.255.240.0

object-group network Oak-DC1

network-object 192.168.168.2 255.255.255.255

object-group network Maple-DC2

network-object 192.168.168.3 255.255.255.255

object-group network HHP_Domain_Controllers

group-object Oak-DC1

group-object Maple-DC2

object-group network PC-Support

network-object 187.187.60.1 255.255.255.255

network-object 187.187.60.2 255.255.255.254

network-object 187.187.60.4 255.255.255.254

network-object 187.187.60.6 255.255.255.255

object-group network ELM-ActiveH

network-object 192.168.168.6 255.255.255.255

object-group network Pine-GP

network-object 192.168.168.12 255.255.255.255

object-group network HHP_Application_Servers

group-object ELM-ActiveH

group-object Pine-GP

object-group network Fern-TS1

network-object 192.168.168.4 255.255.255.255

object-group network Fir-TS2

network-object 192.168.168.5 255.255.255.255

object-group network HHP_Terminal_Servers

group-object Fern-TS1

group-object Fir-TS2

object-group service Global_Catalog_LDAP

description (Generated by Cisco SM from Object "Global Catalog LDAP")

service-object tcp eq 3268

object-group service Global_Catalog_LDAP_SSL

description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")

service-object tcp eq 3269

object-group service UDP-389

description UDP port for LDAP

service-object udp eq 389

object-group service TCP-88

description TCP Port 88

service-object tcp eq 88

object-group service TCP-445

description SMB

service-object tcp eq 445

object-group network John_-_Laptop

description John's Laptop

network-object 187.187.10.65 255.255.255.255

object-group network Graham_-_PC

description Graham Morrison's PC

network-object 187.187.10.90 255.255.255.255

object-group network john_test

network-object 187.187.40.7 255.255.255.255

object-group network Iain_PC

description Iain Macaulay IT

network-object 187.187.10.19 255.255.255.255

object-group network John_-_PC

description John MacPhail's PC

network-object 187.187.10.7 255.255.255.255

object-group network it-alahen-lap

network-object 187.187.10.230 255.255.255.255

object-group network Catriona_-_Laptop

description Catriona's Laptop

network-object 187.187.10.60 255.255.255.255

object-group network Graham_-_Laptop

network-object 187.186.10.120 255.255.255.255

object-group network it-innive-xp

description Innes MacIver's PC

network-object 187.187.10.14 255.255.255.255

object-group network it-alahen-xp

description Desktop

network-object 187.187.10.229 255.255.255.255

object-group network Cat_-_PC

description Catriona Macmillan's PC

network-object 187.187.10.4 255.255.255.255

object-group network it-davdon-xp

description Desktop

network-object 187.187.160.7 255.255.255.255

object-group network cat-laptop

description Catriona's Laptop addresses

network-object 187.187.77.81 255.255.255.255

network-object 187.187.77.82 255.255.255.255

object-group network Catriona_old_pc

network-object 187.187.10.44 255.255.255.255

object-group network cat-tablet

description Catriona's Tablet ip address's

network-object 187.187.77.78 255.255.255.254

object-group network DSO-SQLServer

description Task Database Server

network-object 187.187.1.33 255.255.255.255

object-group network it-finfernew-xp

description Findlay Ferguson PC

network-object 187.187.10.153 255.255.255.255

object-group network PC_Support

group-object John_-_Laptop

group-object Graham_-_PC

group-object john_test

group-object Iain_PC

group-object John_-_PC

group-object it-alahen-lap

group-object Catriona_-_Laptop

group-object Graham_-_Laptop

group-object it-alahen-xp

group-object Cat_-_PC

group-object it-davdon-xp

group-object cat-laptop

group-object Catriona_old_pc

group-object cat-tablet

group-object it-innive-xp

network-object 187.187.1.128 255.255.255.255

network-object 187.187.10.76 255.255.255.255

group-object DSO-SQLServer

network-object 187.187.15.234 255.255.255.255

network-object 187.187.4.60 255.255.255.255

network-object 187.187.10.134 255.255.255.255

network-object 172.18.194.22 255.255.255.255

group-object it-finfernew-xp

object-group network Entire_CNE

description Entire CNE range

network-object 187.0.0.0 255.0.0.0

object-group network NET-cnes_HHP-Sty-Staff

network-object 172.20.225.0 255.255.255.0

object-group network NET-cnes_HHP-Balivanich-staff

network-object 172.20.193.0 255.255.255.0

object-group network Alder-Intranet

network-object 192.168.168.13 255.255.255.255

object-group network Aspen-ISA

network-object 192.168.168.10 255.255.255.255

object-group service tcp-8080

description TCP Port 8080

service-object tcp eq 8080

object-group network Beech-External

network-object 217.36.32.210 255.255.255.255

object-group network it-csm

description cisco security manager

network-object 187.187.1.72 255.255.255.255

object-group network Juniper-External

description Internet Server

network-object 217.36.32.211 255.255.255.255

object-group network HHP_Server_Network

network-object 192.168.168.0 255.255.255.0

object-group network Messagelabs_Incoming_HHP

network-object 67.219.240.0 255.255.240.0

network-object 95.131.104.0 255.255.248.0

network-object 193.109.254.0 255.255.254.0

network-object 195.245.230.0 255.255.254.0

network-object 216.82.240.0 255.255.240.0

network-object 85.158.136.0 255.255.248.0

network-object 117.120.16.0 255.255.248.0

network-object 194.106.220.0 255.255.254.0

object-group network Angus-Maclean-PC

network-object 187.187.10.250 255.255.255.255

object-group service RDP

service-object tcp eq 3389

object-group network it-dbserver

description Database Server (Live)

network-object 187.187.1.65 255.255.255.255

object-group network it-sql-test

description Test SQL / database server

network-object 187.187.1.81 255.255.255.255

object-group service DNS-Resolving

description Domain Name Server

service-object tcp eq domain

service-object udp eq domain

object-group network Beech-Exchange

network-object 192.168.168.91 255.255.255.255

object-group network Messagelabs_-_Incoming

description List of MessageLab addresses that SMTP connections are accepted from

network-object 212.125.75.0 255.255.255.224

network-object 216.82.240.0 255.255.240.0

network-object 195.216.16.211 255.255.255.255

network-object 194.205.110.128 255.255.255.224

network-object 194.106.220.0 255.255.254.0

network-object 193.109.254.0 255.255.254.0

network-object 62.231.131.0 255.255.255.0

network-object 62.173.108.208 255.255.255.240

network-object 62.173.108.16 255.255.255.240

network-object 212.125.74.44 255.255.255.255

network-object 195.245.230.0 255.255.254.0

network-object 85.158.136.0 255.255.248.0

object-group network MIS_Support

network-object 192.168.168.250 255.255.255.254

object-group network it-donadon-xp

description Donald Macdonald's PC

network-object 187.187.10.13 255.255.255.255

object-group network Angela_PC

network-object 187.187.10.155 255.255.255.255

object-group network Katie_PC

network-object 187.187.10.151 255.255.255.255

object-group network Pauline_PC

network-object 187.187.10.12 255.255.255.255

object-group network it-paye-net

network-object 187.187.1.92 255.255.255.255

object-group network MessageLabs-Towers

description Message Labs IP Address ranges

network-object 216.82.240.0 255.255.240.0

network-object 67.219.240.0 255.255.240.0

network-object 85.158.136.0 255.255.248.0

network-object 95.131.104.0 255.255.248.0

network-object 117.120.16.0 255.255.248.0

network-object 193.109.254.0 255.255.254.0

network-object 194.106.220.0 255.255.254.0

network-object 195.245.230.0 255.255.254.0

network-object 62.231.131.0 255.255.255.0

network-object 212.125.75.16 255.255.255.240

object-group network NET_cnes-castlebay-staff

network-object 172.19.17.0 255.255.255.0

object-group network NET_cnes_tarbert_staff

description NET_cnes_tarbert_staff

network-object 172.19.33.0 255.255.255.0

object-group network Juniper

network-object 192.168.169.5 255.255.255.255

object-group network HHP_DMZ_Network

network-object 192.168.169.0 255.255.255.0

object-group network Ash

network-object 192.168.168.100 255.255.255.255

object-group service UDP-445

service-object udp eq 445

object-group service tcp-udp-135-139

service-object tcp-udp range 135 139

object-group network HHP-ELM

description HHP's ELM ActiveH server

network-object 187.187.1.203 255.255.255.255

object-group network CNES-Ext-GW

description CNES External Address

network-object 194.83.245.242 255.255.255.255

object-group service IPSEC

description IPSEC

service-object 57

service-object ah

service-object esp

service-object udp eq isakmp

object-group network Alamur-PC

network-object 187.187.10.15 255.255.255.255

object-group network Iain-Nicolson-PC

network-object 187.187.10.159 255.255.255.255

object-group network HHP_Remote_Access_Pool

network-object 192.168.168.200 255.255.255.248

network-object 192.168.168.208 255.255.255.240

network-object 192.168.168.224 255.255.255.252

network-object 192.168.168.228 255.255.255.254

object-group network Holly-AV

network-object 192.168.168.9 255.255.255.255

object-group service AVG_Ports

description For AVG server to HHP PCs

service-object tcp-udp eq 6150

service-object tcp-udp eq 6051

service-object tcp-udp eq 445

service-object tcp-udp eq 138

service-object tcp-udp eq 135

service-object tcp-udp eq 6054

service-object tcp-udp eq 4158

service-object tcp-udp eq 139

service-object tcp-udp eq 137

object-group network CNES_Access

network-object 192.168.168.230 255.255.255.254

network-object 192.168.168.232 255.255.255.248

network-object 192.168.168.240 255.255.255.248

network-object 192.168.168.248 255.255.255.254

object-group network HHP-068

description BACS PC

network-object 172.20.225.6 255.255.255.255

object-group network Banyan

network-object 192.168.168.105 255.255.255.255

object-group service TCP81

description TCP Port 81

service-object tcp eq 81

object-group network Gavin_-_new_PC

network-object 187.187.10.150 255.255.255.255

object-group network Secudoors

network-object 172.20.224.4 255.255.255.255

access-list outside_access_in remark Time sync to external ntp server

access-list outside_access_in extended permit udp host 192.108.114.23 object-group HHP_Domain_Controllers eq ntp

access-list outside_access_in extended permit tcp object-group MessageLabs-Towers object-group Beech-External eq smtp

access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network

access-list outside_access_in extended permit ip object-group CNES_Access object-group HHP_Server_Network

access-list outside_access_in extended permit ip object-group MIS_Support object-group HHP_Server_Network

access-list outside_access_in extended permit ip object-group HHP_Remote_Access_Pool object-group HHP_Server_Network

access-list outside_access_in extended permit tcp any object-group Juniper-External eq www

access-list outside_access_in extended permit tcp any object-group Juniper-External eq https

access-list outside_access_in extended deny ip any any

access-list outside_access_in_1 extended permit ip any any

access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Balivanich object-group HHP_Server_Network

access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Sty object-group HHP_Server_Network

access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq www

access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq domain

access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group HHP-068 any eq domain

access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq https

access-list CSM_FW_ACL_Wireless_HHP extended permit object-group DNS-Resolving object-group HHP-068 any

access-list CSM_FW_ACL_Wireless_HHP extended permit object-group tcp-8080 object-group HHP-068 any

access-list CSM_FW_ACL_Wireless_HHP extended permit ip host 172.20.193.53 object-group CNES-Ext-GW

access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group Secudoors any

access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Balivanich

access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty

access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support

access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support

access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support

access-list CSM_FW_ACL_inside extended permit tcp object-group Oak-DC1 any eq domain

access-list CSM_FW_ACL_inside extended permit udp object-group Oak-DC1 any eq domain

access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Oak-DC1 any

access-list CSM_FW_ACL_inside extended permit tcp object-group Maple-DC2 any eq domain

access-list CSM_FW_ACL_inside extended permit udp object-group Maple-DC2 any eq domain

access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Maple-DC2 any

access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq www

access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq domain

access-list CSM_FW_ACL_inside extended permit udp object-group Aspen-ISA any eq domain

access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq https

access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Aspen-ISA any

access-list CSM_FW_ACL_inside extended permit object-group tcp-8080 object-group Aspen-ISA any

access-list CSM_FW_ACL_inside remark For Symantec Liveupdates

access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq ftp

access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq www

access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq https

access-list CSM_FW_ACL_inside remark IPSec VPN access from ELm to CNES

access-list CSM_FW_ACL_inside extended permit object-group IPSEC object-group ELM-ActiveH object-group CNES-Ext-GW

access-list CSM_FW_ACL_inside extended permit udp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500

access-list CSM_FW_ACL_inside extended permit tcp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500

access-list CSM_FW_ACL_inside extended permit icmp object-group HHP_Server_Network object-group HHP_DMZ_Network

access-list CSM_FW_ACL_inside remark Time sync to external ntp server

access-list CSM_FW_ACL_inside extended permit udp object-group HHP_Domain_Controllers host 192.108.114.23 eq ntp

access-list CSM_FW_ACL_inside extended permit tcp object-group Beech-Exchange object-group Messagelabs_-_Incoming eq smtp

access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq www

access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq https

access-list CSM_FW_ACL_inside extended permit ip object-group Holly-AV object-group Juniper

access-list CSM_FW_ACL_inside extended deny ip any any

access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Server_Network

access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_DMZ_Network

access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich

access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty

access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq ssh

access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq www

access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq https

access-list CSM_FW_ACL_CNES remark Aim's access to Active H server: DSO SQL

access-list CSM_FW_ACL_CNES remark server's access (Task)

access-list CSM_FW_ACL_CNES remark IT Ops - mapped drive for FTP transfer to and from E450/Elm of Entitlement Adjustments

access-list CSM_FW_ACL_CNES remark and Tenancy Changes

access-list CSM_FW_ACL_CNES extended permit ip object-group it-sql-test object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit ip object-group DSO-SQLServer object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit ip object-group it-paye-net object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit ip object-group Angela_PC object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit ip object-group Katie_PC object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit ip object-group Pauline_PC object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES remark donald and Findlay RDP access to Active H

access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group HHP_Terminal_Servers

access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group ELM-ActiveH

access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group HHP_Terminal_Servers

access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Alder-Intranet

access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC host 192.168.168.17

access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Juniper

access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Alder-Intranet

access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC host 192.168.168.17

access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Juniper

access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Alder-Intranet

access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp host 192.168.168.17

access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Juniper

access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Alder-Intranet

access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC host 192.168.168.17

access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Juniper

access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Alder-Intranet

access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC host 192.168.168.17

access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Juniper

access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes-castlebay-staff object-group HHP_Server_Network

access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes_tarbert_staff object-group HHP_Server_Network

access-list MIS_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.250 255.255.255.254

access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.224 255.255.255.224

access-list CSM_FW_ACL_DMZ extended permit ip object-group HHP_DMZ_Network object-group PC_Support

access-list CSM_FW_ACL_DMZ extended permit icmp object-group HHP_DMZ_Network object-group HHP_Server_Network

access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Angus-Maclean-PC

access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Holly-AV

access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group Beech-Exchange eq smtp

access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group HHP_Domain_Controllers eq domain

access-list CSM_FW_ACL_DMZ extended permit udp object-group Juniper object-group HHP_Domain_Controllers eq domain

access-list CSM_FW_ACL_DMZ remark for backups to USB drive on ASH

access-list CSM_FW_ACL_DMZ extended permit object-group TCP-445 object-group Juniper object-group Ash

access-list CSM_FW_ACL_DMZ extended permit object-group UDP-445 object-group Juniper object-group Ash

access-list CSM_FW_ACL_DMZ extended permit object-group tcp-udp-135-139 object-group Juniper object-group Ash

access-list CSM_FW_ACL_DMZ extended deny ip any any

access-list CNES_Support_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0

access-list RemoteAccess_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0

access-list outside_cryptomap extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1492

mtu DMZ 1500

mtu Wireless_HHP 1500

mtu CNES 1500

ip local pool CNES_Access 192.168.168.230-192.168.168.249

ip local pool MIS_Support 192.168.168.250-192.168.168.251

ip local pool OLM-VPN-Pool 192.168.168.252

ip local pool HHP_Remote_Access_Pool 192.168.168.200-192.168.168.229

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

nat (Wireless_HHP) 1 172.20.193.53 255.255.255.255

nat (Wireless_HHP) 1 172.20.225.0 255.255.255.0

static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

static (CNES,inside) 187.187.0.0 255.255.0.0 netmask 255.255.0.0

static (Wireless_HHP,inside) 172.20.224.0 172.20.224.0 netmask 255.255.240.0

static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

static (CNES,Wireless_HHP) 187.187.0.0 187.187.0.0 netmask 255.255.0.0

static (inside,outside) 217.36.32.210 192.168.168.91 netmask 255.255.255.255

static (DMZ,outside) 217.36.32.211 192.168.169.5 netmask 255.255.255.255

static (inside,DMZ) 192.168.168.0 192.168.168.0 netmask 255.255.255.0

static (CNES,DMZ) 187.0.0.0 187.0.0.0 netmask 255.0.0.0

access-group CSM_FW_ACL_inside in interface inside

access-group outside_access_in_1 in interface outside control-plane

access-group outside_access_in in interface outside

access-group CSM_FW_ACL_DMZ in interface DMZ

access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP

access-group CSM_FW_ACL_CNES in interface CNES

route outside 0.0.0.0 0.0.0.0 81.148.0.157 1

route Wireless_HHP 172.20.192.0 255.255.240.0 172.16.36.3 1

route Wireless_HHP 172.20.224.0 255.255.240.0 172.16.36.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server HHP protocol ldap

aaa-server HHP (inside) host 192.168.168.2

timeout 5

ldap-base-dn dc=hhp,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=gramor,cn=users,dc=hhp,dc=com

server-type microsoft

aaa-server HHP_1 protocol ldap

aaa-server HHP_1 (inside) host 192.168.168.2

timeout 5

ldap-base-dn dc=hhp,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com

server-type microsoft

aaa-server HHP_3 protocol ldap

aaa-server HHP_3 (inside) host 192.168.168.2

timeout 5

ldap-base-dn dc=hhp,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *

ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com

server-type microsoft

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.168.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 outside

http 194.83.245.242 255.255.255.255 outside

http 187.187.1.72 255.255.255.255 CNES

http 187.187.10.90 255.255.255.255 CNES

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map outside_map_dynamic 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 81.136.160.237

crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 30001 ipsec-isakmp dynamic outside_map_dynamic

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment terminal

fqdn none

subject-name O=Hebridean Housing Partnership Limited,CN=secure-access.hebrideanhousing.co.uk,L=Isle of Lewis,ST=Scotland,C=GB

keypair SSL_Certificate

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment terminal

fqdn none

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 0100000000012790a5c005

    30820530 30820418 a0030201 02020b01 00000000 012790a5 c005300d 06092a86

    4886f70d 01010505 00306a31 23302106 0355040b 131a4f72 67616e69 7a617469

    6f6e2056 616c6964 6174696f 6e204341 31133011 06035504 0a130a47 6c6f6261

    6c536967 6e312e30 2c060355 04031325 476c6f62 616c5369 676e204f 7267616e

    697a6174 696f6e20 56616c69 64617469 6f6e2043 41301e17 0d313030 33323431

    34313835 385a170d 31333033 32343134 31383534 5a308197 310b3009 06035504

    06130247 42311130 0f060355 04081308 53636f74 6c616e64 31163014 06035504

    07130d49 736c6520 6f66204c 65776973 312e302c 06035504 0a132548 65627269

    6465616e 20486f75 73696e67 20506172 746e6572 73686970 204c696d 69746564

    312d302b 06035504 03132473 65637572 652d6163 63657373 2e686562 72696465

    616e686f 7573696e 672e636f 2e756b30 82012230 0d06092a 864886f7 0d010101

    05000382 010f0030 82010a02 82010100 def181d9 c34c58a8 9abcc849 7d8ad0a9

    3c64c77f f3126c81 30911f41 5903a92c 81fb374b 2fe2680e 10b26dce 81ca0c23

    af2c9f9a 52295e8c d2223fa6 7c4c386d 51c6fb16 a47688e6 e47e2410 b0283503

    fd72abd3 e59d3b02 cd47706e babf948c 4e0282a3 5f789ff7 8041b2db ceac64eb

    3e163b38 3a8ecc25 0c4802a8 d17fecd9 f1a36288 29202df4 b20ae891 f95ce055

    6e670559 3d075024 7f3ac7ef 26218154 a7f6a399 34c43c4a 97c2c88c c4588ee4

    77cc2ad8 b1bd868d d55c2b9b 727e9904 66d0fb52 c212abd7 a06f28f1 ad2aa04b

    3d7b3094 c59c00d4 cf51fefb d8bfa101 8ba9c4ba 5cf629ff c50716d3 71019a98

    8fa55b83 6b158b6d 1043f092 646ef07d 02030100 01a38201 a7308201 a3301f06

    03551d23 04183016 80147d6d 2aec66ab a75136ab 0269f170 8fc4590b 9a1f3049

    06082b06 01050507 0101043d 303b3039 06082b06 01050507 3002862d 68747470

    3a2f2f73 65637572 652e676c 6f62616c 7369676e 2e6e6574 2f636163 6572742f

    6f726776 312e6372 74303f06 03551d1f 04383036 3034a032 a030862e 68747470

    3a2f2f63 726c2e67 6c6f6261 6c736967 6e2e6e65 742f4f72 67616e69 7a617469

    6f6e5661 6c312e63 726c301d 0603551d 0e041604 14d398d5 ddf29355 15b04750

    baccc6b3 0f97a6c9 94302f06 03551d11 04283026 82247365 63757265 2d616363

    6573732e 68656272 69646561 6e686f75 73696e67 2e636f2e 756b3009 0603551d

    13040230 00300e06 03551d0f 0101ff04 04030205 a0302906 03551d25 04223020

    06082b06 01050507 03010608 2b060105 05070302 060a2b06 01040182 370a0303

    304b0603 551d2004 44304230 4006092b 06010401 a0320114 30333031 06082b06

    01050507 02011625 68747470 3a2f2f77 77772e67 6c6f6261 6c736967 6e2e6e65

    742f7265 706f7369 746f7279 2f301106 09608648 0186f842 01010404 030206c0

    300d0609 2a864886 f70d0101 05050003 82010100 8af3be01 c4830d83 9b347355

    de7496ef bd76b86c ee92f32f 1157ef11 6ad949b6 611537ad 81f06408 73ec6fe2

    6466675c cf31a80f bead422d ec574f95 55fe0b7a 97e271e7 0220c7b1 53376843

    ff7f7280 f9bfdee6 3584e123 00c37d9f 5004b766 9469ead5 f002744c fd50271c

    6bcdb54c e5db85aa 9760a330 d72464a2 bc8ecdff d80bbc27 7551e97c ee9b7078

    9207f9d6 b969a47a 6df722b6 14ce803d 8d4bb9e9 4695e8e6 d453950e 06506594

    ec7652ea 365cdf94 90e2f7ee 855dadb5 c0459d73 bb6d01a8 3c076718 7f80de40

    c5eb9e0e 17c93087 fd5c5fc1 fd6401fe 7e5038b1 3da1d250 01ccd8be 964d5557

    b320c4c1 0015d1b7 daad7527 930b0c90 7711704f

  quit

crypto ca certificate chain ASDM_TrustPoint1

certificate ca 0400000000011e44a5f52a

    30820467 3082034f a0030201 02020b04 00000000 011e44a5 f52a300d 06092a86

    4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504

    0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f

    6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420

    4341301e 170d3037 30343131 31323030 30305a17 0d313730 34313131 32303030

    305a306a 31233021 06035504 0b131a4f 7267616e 697a6174 696f6e20 56616c69

    64617469 6f6e2043 41311330 11060355 040a130a 476c6f62 616c5369 676e312e

    302c0603 55040313 25476c6f 62616c53 69676e20 4f726761 6e697a61 74696f6e

    2056616c 69646174 696f6e20 43413082 0122300d 06092a86 4886f70d 01010105

    00038201 0f003082 010a0282 010100a1 2fc4bcce 8703e967 c189c8e5 93fc7db4

    ad9ef663 4e6ae89c 2c7389a2 01f48f21 f8fd259d 58166d86 f6ee4957 757e75ea

    22117e3d fbc74241 dcfcc50c 9155807b eb64331d 9bf9ca38 e9abc625 43512540

    f4e47e18 556aa98f 103a401e d65783ef 7f2f342f 2dd2f653 c2190db7 edc981f5

    462cb423 425e9d13 0375ecea 6afc577c c936973b 98dc1313 ecec41fa 5d34eab9

    93e71016 65cc9c92 fdf5c59d 3e4ab909 fce45f1e 695f4df4 567244b1 1d2303c8

    36f66588 c8bf3916 458e1e26 6c5116c5 2a0038c5 a4136995 7dab013b a8c414b4

    80daac1a 4420d5fe a9067b14 27afe030 21dd90f4 a9d52319 2e1e03e6 c1df9529

    e4c19443 dd3e90aa cb4bc9be 8ad33902 03010001 a382011f 3082011b 300e0603

    551d0f01 01ff0404 03020106 30120603 551d1301 01ff0408 30060101 ff020100

    301d0603 551d0e04 1604147d 6d2aec66 aba75136 ab0269f1 708fc459 0b9a1f30

    4b060355 1d200444 30423040 06092b06 010401a0 32011430 33303106 082b0601

    05050702 01162568 7474703a 2f2f7777 772e676c 6f62616c 7369676e 2e6e6574

    2f726570 6f736974 6f72792f 30330603 551d1f04 2c302a30 28a026a0 24862268

    7474703a 2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372

    6c301106 09608648 0186f842 01010404 03020204 30200603 551d2504 19301706

    0a2b0601 04018237 0a030306 09608648 0186f842 0401301f 0603551d 23041830

    16801460 7b661a45 0d97ca89 502f7d04 cd34a8ff fcfd4b30 0d06092a 864886f7

    0d010105 05000382 01010079 47fc15d7 4c79df0f 7a9eced4 7c4b63c9 89b57b3f

    9912e89c 8c9a492f e04e954a edc7bcbe f1a2db8e 931dba71 54aa4bd9 89222487

    c504a8ac 8252a052 f8b8e14f a1276663 214a39e7 c7c54e5f b2d61d13 6d30e9ce

    d7a21cbc 290a733c 5b2349fe d6ffcab0 4ff5f267 98c04711 f8b748a6 9009d642

    beeab1b9 5342c39c 20c9fba1 5bb5566d 8781c860 acc4b972 270a8e1e a8b12ecd

    32a27857 b09cf895 bb438e8c 31866e53 0dc61205 ba416ea8 35300918 1d0261ff

    fdee35de 6ac33bd0 4d4b4e50 b256360c 445dda1a 652ae698 56a96333 2e04e7ae

    e8f48eb7 b2da7dc0 c8e2aea6 282fe3c9 73bdfc07 4134b7aa 6eeea7db d1933ced

    90ec3292 88d9c823 6c7421

  quit

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh 187.187.1.41 255.255.255.255 inside

ssh 187.187.1.72 255.255.255.255 inside

ssh 187.187.77.81 255.255.255.255 inside

ssh 187.187.10.19 255.255.255.255 inside

ssh 187.187.10.229 255.255.255.255 inside

ssh 187.187.160.7 255.255.255.255 inside

ssh 187.187.1.41 255.255.255.255 outside

ssh 187.187.1.72 255.255.255.255 outside

ssh 187.187.77.81 255.255.255.255 outside

ssh 187.187.10.19 255.255.255.255 outside

ssh 187.187.10.229 255.255.255.255 outside

ssh 187.187.160.7 255.255.255.255 outside

ssh timeout 15

console timeout 0

vpdn group BT request dialout pppoe

vpdn group BT localname B*******.btclick.com

vpdn group BT ppp authentication chap

vpdn username B*******@hg39.btclick.com password *********

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip

webvpn

enable inside

enable outside

group-policy HHP_Remote_Access_1 internal

group-policy HHP_Remote_Access_1 attributes

wins-server value 192.168.168.2 192.168.168.2

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CNES_Support_splitTunnelAcl

group-policy HHP_Remote_Access internal

group-policy HHP_Remote_Access attributes

wins-server value 192.168.168.2 192.168.168.2

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CNES_Support_splitTunnelAcl

group-policy Omfax internal

group-policy Omfax attributes

wins-server value 192.168.168.2 192.168.168.3

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec webvpn

webvpn

  svc ask none default webvpn

group-policy MIS_1 internal

group-policy MIS_1 attributes

wins-server value 192.168.168.2 192.168.168.3

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value MIS_splitTunnelAcl

default-domain value hhp.com

group-policy RemoteAccess internal

group-policy RemoteAccess attributes

wins-server value 192.168.168.2 192.168.168.3

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteAccess_splitTunnelAcl

group-policy CNES_Access internal

group-policy CNES_Access attributes

wins-server value 192.168.168.2 192.168.168.3

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value CNES_Support_splitTunnelAcl

group-policy HHP internal

group-policy HHP attributes

dhcp-network-scope none

vpn-access-hours none

vpn-idle-timeout none

vpn-session-timeout none

vpn-filter none

vpn-tunnel-protocol IPSec webvpn

password-storage disable

ip-comp disable

re-xauth disable

group-lock none

pfs disable

ipsec-udp disable

split-tunnel-policy tunnelall

split-tunnel-network-list none

split-dns none

secure-unit-authentication disable

user-authentication disable

user-authentication-idle-timeout none

ip-phone-bypass disable

leap-bypass disable

nem disable

backup-servers keep-client-config

client-firewall none

webvpn

  url-list value Severs

  filter none

  homepage none

  port-forward disable

  http-proxy disable

  sso-server none

  svc dtls none

  svc keep-installer none

  svc rekey time none

  svc rekey method none

  svc dpd-interval client none

  svc dpd-interval gateway none

  svc compression none

  svc modules none

  svc profiles none

  svc ask none default webvpn

  customization none

  http-comp none

  user-storage none

  storage-key none

  hidden-shares none

  smart-tunnel disable

  activex-relay disable

  file-entry disable

  file-browsing disable

  url-entry disable

  deny-message none

group-policy MIS internal

group-policy MIS attributes

wins-server value 192.168.168.2 192.168.168.3

dns-server value 192.168.168.2 192.168.168.3

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value MIS_splitTunnelAcl

username test password Kg/Rgy23do7gPGTv encrypted privilege 0

username test attributes

vpn-group-policy HHP_Remote_Access

username catneil password yOgiHCGobUNIkjcN encrypted privilege 0

username omfax password pvUaCLwilGmQVifd encrypted privilege 0

username backup password IHQbl.JAoESlM9Jv encrypted privilege 0

username misadmin password 8IZXmHa67HIJYHK1 encrypted

username misadmin attributes

service-type remote-access

username gramor password ne829U0rGFVEedhY encrypted privilege 15

username gramor attributes

vpn-group-policy HHP_Remote_Access

webvpn

  url-list value Severs

username aim_user password 5OQaWCdB18qiHlOn encrypted privilege 0

username aim_user attributes

vpn-group-policy CNES_Support

username katask password 2WsX.HoqKXuiqkDk encrypted privilege 0

username katask attributes

vpn-group-policy CNES_Support

username janboyd password ZEUyykwzME6hII2i encrypted privilege 0

username marmor password C5n48AiRLXwxAeBQ encrypted privilege 0

username marste password amwTL584WdiT87Tb encrypted privilege 0

username helmah password RvU8c.3w0H3/MJz4 encrypted privilege 0

username anglea password wGlUJDBrmJI.uz./ encrypted privilege 0

username anglea attributes

vpn-group-policy CNES_Support

username fiobuc password 5Uispw90wqvDYerQ encrypted privilege 0

tunnel-group DefaultRAGroup general-attributes

authentication-server-group HHP_1

tunnel-group DefaultWEBVPNGroup general-attributes

authentication-server-group HHP_1

default-group-policy HHP

tunnel-group DefaultWEBVPNGroup webvpn-attributes

nbns-server 192.168.168.2 timeout 2 retry 2

nbns-server 192.168.168.3 timeout 2 retry 2

tunnel-group WebVPN type remote-access

tunnel-group WebVPN general-attributes

authentication-server-group HHP_3

default-group-policy HHP

username-from-certificate UID

tunnel-group CNES_Access type remote-access

tunnel-group CNES_Access general-attributes

address-pool CNES_Access

default-group-policy CNES_Access

tunnel-group CNES_Access ipsec-attributes

pre-shared-key *

tunnel-group MIS type remote-access

tunnel-group MIS general-attributes

address-pool MIS_Support

default-group-policy MIS

tunnel-group MIS ipsec-attributes

pre-shared-key *

tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

address-pool HHP_Remote_Access_Pool

default-group-policy HHP_Remote_Access

tunnel-group RemoteAccess ipsec-attributes

pre-shared-key *

tunnel-group Omfax type remote-access

tunnel-group Omfax general-attributes

address-pool OLM-VPN-Pool

authentication-server-group (outside) LOCAL

default-group-policy Omfax

tunnel-group Omfax ipsec-attributes

pre-shared-key *

tunnel-group 81.136.160.237 type ipsec-l2l

tunnel-group 81.136.160.237 ipsec-attributes

pre-shared-key *

!

!

prompt hostname context

Cryptochecksum:72434d51880bf2a8cd4678e53e92bb44

: end

Hall of Fame Super Silver

Site to Site VPN between ASA 5505 and Cisco 800 router

Thanks for the additional information. I have looked through the config and believe that I see an issue. The access list used in the crypto map to identify traffic references an object group HHP_Server_Network  but I can not find that object group being defined in the configuration.

HTH

Rick

Site to Site VPN between ASA 5505 and Cisco 800 router

Rick,

Do you mean its not defined on the asa?   We use that abject in some of our other access lists on the asa.  Its

object-group network HHP_Server_Network

network-object 192.168.168.0 255.255.255.0

in the config or am i on the wrong track?

Hall of Fame Super Silver

Site to Site VPN between ASA 5505 and Cisco 800 router

It appears that I am the one who is on the wrong track and I apologize for that. The other day I looked (more than once) and did not find the object group definition in the ASA config. Today I look and clearly it is there. So I will go back and look for some other issue that could cause this problem.

HTH

Rick

Hall of Fame Super Silver

Site to Site VPN between ASA 5505 and Cisco 800 router

There is a lot in the config from the ASA to try to understand. And I am wondering about this line from the access list for outside access

access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network

since that traffic should be coming through the tunnel I wonder if this access list is getting any hits (what is the output of show access-list outside_access_in ?)

and I wonder if it would help to add a line like this to the outside_access_in access list

access-list outside_access_in extended permit ip host 81.136.160.237 host 217.36.32.222

HTH

Rick

Site to Site VPN between ASA 5505 and Cisco 800 router

Rick,

I thik we are making progress.  I have cjanged that access list as above but am still not getting any hits on it.  I had a look at the remote 800 which now has this config:

hhp-sty-backup#sh run

Building configuration...

Current configuration : 6728 bytes

!

version 12.4

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname hhp-sty-backup

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 4096

enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-1347488939

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1347488939

revocation-check none

rsakeypair TP-self-signed-1347488939

!

!

crypto pki certificate chain TP-self-signed-1347488939

certificate self-signed 02

  30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336

  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734

  38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7

  0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513

  D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046

  4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA

  8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603

  551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61

  696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A

  0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F

  5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7

  789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432

  66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6

  C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF

  447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E

        quit

dot11 syslog

ip source-route

ip dhcp excluded-address 10.10.10.1

!

ip dhcp pool inside

!

ip dhcp pool lan_network

   network 172.20.224.0 255.255.240.0

   dns-server 8.8.8.8 8.8.4.4

   default-router 172.20.224.1

   lease 7

!

!

ip cef

no ip domain lookup

ip domain name yourdomain.com

!

!

password encryption aes

!

!

username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1

username admin privilege 15 password 0 434Zaty

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key ********** address 217.36.32.222

!

crypto isakmp client configuration group test_group_created_for_sdm_discovery

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec client ezvpn test_ezvpn_config_created_for_sdm

connect auto

mode client

xauth userid mode interactive

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to217.36.32.222

set peer 217.36.32.222

set transform-set ESP-3DES-SHA

match address 100

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 172.20.224.1 255.255.240.0

ip access-group CSM_FW_ACL_Vlan1 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer0

ip address negotiated

ip access-group CSM_FW_ACL_Dialer0 in

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

no cdp enable

ppp authentication chap callin

ppp chap hostname B6567

ppp chap password 0 HH

crypto map SDM_CMAP_1

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 101 interface Dialer0 overload

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

!

ip access-list extended CSM_FW_ACL_Dialer0

permit ip any any

ip access-list extended CSM_FW_ACL_Vlan1

permit ip any any

!

access-list 1 remark CCP_ACL Category=16

access-list 1 permit 172.4.0.0 0.240.255.255

access-list 10 permit 195.12.1.35

access-list 10 permit 172.4.0.0 0.240.255.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE

PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username   privilege 15 secret 0

no username cisco

Replace and with the username and password you want

to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL

NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

^C

!

line con 0

no modem enable

stopbits 1

line aux 0

line vty 0 4

access-class 10 in

privilege level 15

password 434Zaty

transport input telnet ssh

transport output telnet ssh

!

scheduler max-task-time 5000

end

hhp-sty-backup#

I did a show access-list and sure enough i can see the hit count increase when i have a constant ping going to the 192.168.168.* network so i know its hitting the right list. 

hhp-sty-backup#show access-list

Standard IP access list 1

    10 permit 172.4.0.0, wildcard bits 0.240.255.255

Standard IP access list 10

    10 permit 195.12.1.35

    20 permit 172.4.0.0, wildcard bits 0.240.255.255 (2 matches)

Extended IP access list 100

    10 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255 (358 matches)

Extended IP access list CSM_FW_ACL_Dialer0

    10 permit ip any any (25932 matches)

Extended IP access list CSM_FW_ACL_Vlan1

    10 permit ip any any (21276 matches)

Is the route map correct? I know its not hitting the core asa and the output below references 101 and not 100 which i thought it would.

hhp-sty-backup#sh route-map

route-map SDM_RMAP_1, permit, sequence 1

  Match clauses:

    ip address (access-lists): 101

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

New Member

Re: Site to Site VPN between ASA 5505 and Cisco 800 router

yes, it looks like you are missing the 101 access list

I think it should look like this....

access-list 101 deny   ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255

access-list 101 permit ip 172.20.224.0 0.0.15.255 any

Hall of Fame Super Silver

Re: Site to Site VPN between ASA 5505 and Cisco 800 router

The original post showed the router config which clearly did have access-list 101 as you show it. And that access list certainly seems to not be in the config now. And that is a problem. I agree that the router config needs to have access list 101 restored.

In the original post the symptom was that the router was encrypting and sending traffic but was receiving no encrypted traffic. To me this suggests that the issue is more on the ASA than it is on the router. And I would expect the solution to be changes on the ASA more than on the router.

So once you have put access list 101 back into the router, can we verify the current behavior? Is the router still encrypting and sending traffic but receiving no encrypted traffic?

HTH

Rick

4420
Views
0
Helpful
9
Replies