Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN allows only traffic on one side to reach inside interface of remote end

I have an ASA5505 that has multiple tunnels of different sorts used for testing. I have recently set up a tunnel to a remote location that has on the other end a 1721 router. My location has a 877 ADSL router with the ASA5505 behind it. Since my IP address changes often due to poor DSL service. What I do is set up on the ASA5505 a static to dynamic (remote end). This has worked very well going to a PIX506 and another 1721 here used for testing.

This recent 1721 I set up has an issue where I can pass traffic to the 1721 only to its inside interface IP. From the 1721 I can ping the whole network behind the ASA. Here is the relevant config for the 1721:

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key XXXXXX address 0.0.0.0 0.0.0.0 no-xauth

!

!

crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set peer XXX.XXX.XXX dynamic

set transform-set IPSEC

match address 120

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

interface FastEthernet0

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.240

crypto map SDM_CMAP_1

ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp

ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240

ip nat inside source route-map NONAT interface Ethernet0 overload

access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 deny   ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 permit ip 10.10.10.0 0.0.0.15 any

route-map NONAT permit 10

match ip address 130

And for the ASA:

object network obj-10.10.10.0

subnet 10.10.10.0 255.255.255.240

access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp route-lookup

crypto map OUTSIDE_MAP 2 match address 1721_KS

crypto map OUTSIDE_MAP 2 set peer 7x.xx.xxx.xx

crypto map OUTSIDE_MAP 2 set ikev1 phase1-mode aggressive

crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto map OUTSIDE_MAP 2 set nat-t-disable

On the remote end is a device at 10.10.10.3 that I can not ping, yet when I SSH to the 1721 I can ping it, so I now it is powered on. ICMP debug on the 1721 shows echo-reply from 192.168.2.1 to 10.10.10.1, but not 10.10.10.3.

I am thinking that there must be some really minor detail I must have missed somewhere.

15 REPLIES
Cisco Employee

VPN allows only traffic on one side to reach inside interface of

what is the default gateway of 10.10.10.3? is it the router inside interface (10.10.10.1)?

Also, does the remote host happen to have a firewall enabled that might be blocking ping from different subnet?

New Member

VPN allows only traffic on one side to reach inside interface of

I should have added, the 1721 has the ethernet 0 (outside inteface) configured via DHCP. 10.10.10.1 is the IP of the inside interface which is the default gateway for that network.

Cisco Employee

VPN allows only traffic on one side to reach inside interface of

Any other IP address within the 10.10.10.0 subnet that you can try to ping except the 10.10.10.3 host?

From the 1721, if you source your ping from the outside interface and try to ping 10.10.10.3, does that work?

New Member

Re: VPN allows only traffic on one side to reach inside interfac

I can also ping 10.10.10.2 from the 1721, but not from the remote end.

I tried ping with source of the outside interface and this was not successful.

At 10.10.10.2 there is a web service that I can access externally by doing a static NAT, but not via the VPN. I can ping across all other tunnels so it is not an issue of ICMP being disabled, just this one tunnel.

edit: Closest I ever came to a problem such as this the issue was the other end device had the wrong gateway configured. I have verified just to be sure and no changes have been made so the 1721's 10.10.10.1 is the default gateway for this network.

Cisco Employee

Re: VPN allows only traffic on one side to reach inside interfac

Can you please share the full config from both end.

New Member

VPN allows only traffic on one side to reach inside interface of

The 1721:

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname 1721-K9

!

boot-start-marker

boot-end-marker

!

logging buffered 4096 debugging

enable secret 5 ########

!

no aaa new-model

!

resource policy

!

clock timezone Chicago -6

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.5

!

ip dhcp pool DHCP

   network 10.10.10.0 255.255.255.240

   default-router 10.10.10.1

   dns-server 8.8.8.8 8.8.4.4

!

!

ip domain name ########

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip ssh version 2

!

!

!

crypto pki trustpoint TP-self-signed-823528158

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-823528158

revocation-check none

rsakeypair TP-self-signed-823528158

!

!

crypto pki certificate chain TP-self-signed-823528158

certificate self-signed 01

  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 38323335 32383135 38301E17 0D313130 31303331 34353133

  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3832 33353238

  31353830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  B292D9F1 ED00569A 63DF0012 05045FFF C18EECAD 35904FD7 8A682C6C A1F60224

  8DE240EE 4CFE8ECA 0B88CA7D CABB7FDF 58D6547B 586B0E3E 48B730E8 A27CB5A2

  5505930F 2998AA04 FA939C1A DCDC3E37 5AA59AF6 03B4BD07 E730FA04 AF67D641

  F5B7A6FF CC3BEF27 0B48BCC2 A9E344A5 E04A9687 149D2479 906EB088 BA526407

  02030100 01A37830 76300F06 03551D13 0101FF04 05300301 01FF3023 0603551D

  11041C30 1A821831 3732312D 4B392E73 626E2D73 65727669 6365732E 636F6D30

  1F060355 1D230418 30168014 35F97A35 A42D69A2 538E43FA F344CC13 B66A3402

  301D0603 551D0E04 16041435 F97A35A4 2D69A253 8E43FAF3 44CC13B6 6A340230

  0D06092A 864886F7 0D010104 05000381 81007C8F 74E02033 54EF03BB 643F5DB0

  D3D5C808 D94438E2 B400D30A D04AE016 331A80C0 8CBFCC70 C53B2E94 B0C6B8A2

  7845D0EE B0E999AD FD5C4D64 D973A3F9 185C2121 CF6987BD 0DCD687F E209EA7A

  2A9555F4 9714DF3E 272D5ECB 919CC817 5FFB17B3 EC6167DD C5F15538 9881CE34

  8D6BB1D1 4527C43F 28D642C5 41B7D2EF BF2F

  quit

username ######## privilege 15 password 7 ########

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key ######## address 0.0.0.0 0.0.0.0 no-xauth

!

!

crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set IPSEC

match address 120

!

!

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

interface Ethernet0

description $FW_OUTSIDE$

ip address dhcp

ip access-group 100 in

ip nat outside

ip virtual-reassembly

half-duplex

crypto map SDM_CMAP_1

!

interface FastEthernet0

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.240

ip nat inside

ip virtual-reassembly

speed auto

!

ip route 0.0.0.0 0.0.0.0 Ethernet0 dhcp

!

!

ip http server

ip http secure-server

ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240

ip nat inside source static tcp 10.10.10.2 81 interface Ethernet0 81

ip nat inside source static tcp 10.10.10.2 3389 interface Ethernet0 3389

ip nat inside source route-map NONAT interface Ethernet0 overload

!

access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 deny   ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 permit ip 10.10.10.0 0.0.0.15 any

snmp-server community public RO

!

!

route-map NONAT permit 10

match ip address 130

!

!

control-plane

!

!

line con 0

exec-timeout 0 0

logging synchronous

line aux 0

line vty 0 4

exec-timeout 0 0

logging synchronous

login local

transport input ssh

!

end

Cisco Employee

VPN allows only traffic on one side to reach inside interface of

The reason why you can't access 10.10.10.2 is because you have static PAT configured and that unfortunately take precedence over your NONAT configuration on router.

The only solution to resolve this issue is to add Ethernet0 ip address to the crypto ACL as you will only be able to access it via its public IP, not private IP.

New Member

VPN allows only traffic on one side to reach inside interface of

Your refering to these two statements?

ip nat inside source static tcp 10.10.10.2 81 interface Ethernet0 81

ip nat inside source static tcp 10.10.10.2 3389 interface Ethernet0 3389

First, why would these two interfere with say communication with other endpoints (say 10.10.10.3)? More importantly if I remove these two so my config would look like this now:

ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240

ip nat inside source route-map NONAT interface Ethernet0 overload


access-list 120 permit ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 deny   ip 10.10.10.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 permit ip 10.10.10.0 0.0.0.15 any

route-map NONAT permit 10

match ip address 130

Still does not work. Yet another 1721 that is doing static to static with the ASA does work:

ip nat pool 101 192.168.1.1 192.168.1.30 netmask 255.255.255.224

ip nat inside source route-map NONAT interface FastEthernet0 overload

access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 130 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 130 permit ip 192.168.1.0 0.0.0.255 any

route-map NONAT permit 10

match ip address 130

The difference between these two is that one (working) has static IP whereas the other non-working is via DHCP, so thus the

Non working 1721:

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set IPSEC

match address 120

!

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

Working 1721:

crypto map CRYPTO_IPSEC 11 ipsec-isakmp

set peer 192.168.0.3

set transform-set IPSEC

match address 120

So I would almost have to think that part of the problem has to do with this 1721 being dynamic. This ASA already has an existing working tunnel out to a PIX506  that is dynamic (ASA5505) to static (PIX506). On the ASA side the configs are the same between this working PIX506 and the non-working 1721.

I previously did try to set a static on the 1721 and used the set peer dynamic:

crypto map CRYPTO_IPSEC 11 ipsec-isakmp

set peer HOSTNAME dynamic

set transform-set IPSEC

match address 120

I removed the two static NAT entries forwarding to 10.10.10.2, but still can not access anything but the inside interface of the 1721 (even though I have verified two of the devices are responding internally).

Cisco Employee

VPN allows only traffic on one side to reach inside interface of

Can you please clear the SA - clear cry sa, and try to ping across to 10.10.10.2 and 10.10.10.3, and please share the output of "show cry ipsec sa" from both ASA and 1721.

New Member

VPN allows only traffic on one side to reach inside interface of

ASA5505#show cry ipsec sa

    Crypto map tag: OUTSIDE_MAP, seq num: 2, local addr: 192.168.0.3

      access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240

      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)

      current_peer: 75.8x.xxx.xxx

      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18

      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.0.3/0, remote crypto endpt.: 75.8x.xxx.xxx/0

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: A76FA66F

      current inbound spi : A6CFB28F

    inbound esp sas:

      spi: 0xA6CFB28F (2798629519)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 471040, crypto-map: OUTSIDE_MAP

         sa timing: remaining key lifetime (kB/sec): (4373999/3484)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x0000001F

    outbound esp sas:

      spi: 0xA76FA66F (2809112175)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 471040, crypto-map: OUTSIDE_MAP

         sa timing: remaining key lifetime (kB/sec): (4373998/3483)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

1721-K9#show cry ipsec sa

interface: Ethernet0

    Crypto map tag: CRYPTO_IPSEC, local addr 75.8x.xxx.xxx

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)

   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)

   current_peer (none) port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.240/0/0)

   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)

   current_peer 84.xx.xx.xx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

    #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 75.8x.xxx.xxx, remote crypto endpt.: 84.xx.xx.xx

     path mtu 1500, ip mtu 1500

     current outbound spi: 0xA6CFB28F(2798629519)

     inbound esp sas:

      spi: 0xA76FA66F(2809112175)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 75, flow_id: C1700_EM:75, crypto map: CRYPTO_IPSEC

        sa timing: remaining key lifetime (k/sec): (4590216/3376)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xA6CFB28F(2798629519)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 76, flow_id: C1700_EM:76, crypto map: CRYPTO_IPSEC

        sa timing: remaining key lifetime (k/sec): (4590218/3375)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

1721-K9#

Cisco Employee

VPN allows only traffic on one side to reach inside interface of

Firstly, if you can't even ping when sourcing from the outside interface, that means it might be something blocking on the host itself, otherwise, pinging from outside interface should work. Can you check if there is any firewall on the host that might be blocking inbound ping?

Secondly, the fact that you can ping from the router is because you have a router interface in the same subnet, and normally that is allowed (pinging from the same subnet).

Lastly, base on the output provided, that means packet comes inbound towards the router, however, there is no reply back. Again, I would check the host and see if there is any firewall, etc that might be blocking it.

BTW, can you ping from the 10.10.10.2 or .3 hosts towards the ASA end?

New Member

VPN allows only traffic on one side to reach inside interface of

I setup another 1721 here, same IOS version. This time I used the config from my other 1721 here and just made step by step changes to adjust to this remote 1721 (yes I have a few of these). Eventually got the tunnel work...somewhat by changing

crypto isakmp key ######## address 0.0.0.0 0.0.0.0 no-xauth

to

crypto isakmp key ######## address 0.0.0.0 0.0.0.0

Reason I had put in no-xauth is simply this is what I needed to do with one of the other existing tunnels to a PIX506 due to my end having a dynamically changing IP (my DSL connection drops a lot, and each time it is a new IP). For the PIX I had to do:

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Tunnel went up between the ASA and the remote 1721, and stayed that way for a while. I could access now the 2 devices at 10.10.10.2 and 10.10.10.3 via their web management GUI. However ICMP just would not work. Could this be an ACL issue? I don't see why it would since I have here two 1721s with the exact same ACLs and near similar configs, and I can ping devices without issue including the inside interfaces of the routers. Yet this one particlular remote 1721 will not let me ping anything. I can bring the tunnel up by doing a ping, but that is it.

For example this new test 1721 I just configured:

crypto isakmp key ######## address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set IPSEC esp-3des esp-sha-hmac

!

crypto map CRYPTO_IPSEC 11 ipsec-isakmp

set peer ASA.#######.net dynamic

set transform-set IPSEC

match address 120

!

ip nat pool NAT 175.20.20.1 175.20.20.15 netmask 255.255.255.240

ip nat inside source route-map NONAT interface Ethernet0 overload

!

access-list 120 permit ip 175.20.20.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 deny   ip 175.20.20.0 0.0.0.15 192.168.2.0 0.0.0.255

access-list 130 permit ip 175.20.20.0 0.0.0.15 any

!

route-map NONAT permit 10

match ip address 130

Almost matches the remote 1721 except for the local subnet. This tunnel works, stays up, can ping the inside interface and a device directly connected to it at 175.20.20.2.

And finally to answer question, no there is no internal firewalling etc.. that would be blocking ICMP. The one device at 10.10.10.3 is a very simple and dumb device, the other is configured to allow ICMP and these work at other sites. It is just something unique to this remote 1721/tunnel/config.

Cisco Employee

VPN allows only traffic on one side to reach inside interface of

is the following NAT pool needed at all in the config?

ip nat pool NAT 10.10.10.1 10.10.10.15 netmask 255.255.255.240

I don't see that reference anywhere, and also it overlaps with your internal IP. Just remove it from the configuration as it is not required.

New Member

Re: VPN allows only traffic on one side to reach inside interfac

The ASA5505:

: Saved

:

ASA Version 8.4(4)

!

hostname ASA5505

domain-name ########

enable password ######## encrypted

passwd ######## encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.254 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.0.3 255.255.255.224

!

interface Vlan12

no nameif

security-level 100

ip address 192.168.3.1 255.255.255.192

!

interface Vlan22

no nameif

security-level 100

ip address 192.168.4.1 255.255.255.192

!

interface Vlan32

no nameif

security-level 100

ip address 192.168.5.1 255.255.255.192

!

interface Vlan42

no nameif

security-level 100

ip address 192.168.6.1 255.255.255.192

!

interface Vlan52

no nameif

security-level 100

ip address 192.168.7.1 255.255.255.192

!

boot system disk0:/asa844-k8.bin

boot system disk0:/asa843-k8.bin

boot system disk0:/asa832-13-k8.bin

boot system disk0:/asa823-k8.bin

ftp mode passive

clock timezone CST -6

clock summer-time CDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.2.200

name-server 192.168.2.1

domain-name ########

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-192.168.2.0

subnet 192.168.2.0 255.255.255.0

object network obj-172.31.255.0

subnet 172.31.255.0 255.255.255.224

object network obj-172.100.1.0

subnet 172.100.1.0 255.255.255.224

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.224

object network obj-175.10.10.0

subnet 175.10.10.0 255.255.255.240

object network obj-172.16.10.0

subnet 172.16.10.0 255.255.255.192

object network obj-10.10.8.0

subnet 10.10.8.0 255.255.255.0

object network obj-192.168.2.1

host 192.168.2.1

object network obj-192.168.2.200

host 192.168.2.200

object network obj-192.168.2.2

host 192.168.2.2

object network obj-192.168.2.3

host 192.168.2.3

object network obj-192.168.2.7

host 192.168.2.7

object network obj-192.168.2.5

host 192.168.2.5

object network obj-10.10.10.0

subnet 10.10.10.0 255.255.255.240

object network obj-10.10.20.0

subnet 10.10.20.0 255.255.255.240

object-group network obj_any

object-group service EventLog_Analyzer tcp

port-object eq 8400

object-group service OpManager tcp

port-object eq 8060

object-group icmp-type LAN_ECHO

icmp-object echo

icmp-object echo-reply

object-group icmp-type DM_INLINE_ICMP_1

icmp-object echo

icmp-object echo-reply

icmp-object traceroute

object-group service DM_INLINE_SERVICE_1

service-object icmp

service-object icmp echo

service-object icmp echo-reply

object-group service DM_INLINE_SERVICE_2

service-object icmp

service-object icmp echo

service-object icmp echo-reply

access-list REMOTE_RA extended permit ip any 172.31.255.0 255.255.255.224

access-list REMOTE_RA extended permit ip any 172.100.1.0 255.255.255.224

access-list 101 extended permit ip interface inside any

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 172.31.255.0 255.255.255.224

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 172.100.1.0 255.255.255.224

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.224

access-list NO_NAT extended permit ip 175.10.10.0 255.255.255.240 192.168.1.0 255.255.255.224

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 172.16.10.0 255.255.255.192

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 175.10.10.0 255.255.255.240

access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240

access-list 1721_Static extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.224

access-list 1721_Static extended permit ip 175.10.10.0 255.255.255.240 192.168.1.0 255.255.255.224

access-list 1721_Dynamic extended permit ip 192.168.2.0 255.255.255.0 172.16.10.0 255.255.255.192

access-list 1721_T extended permit ip 192.168.2.0 255.255.255.0 10.10.20.0 255.255.255.240

access-list PIX506_cryptomap extended permit ip 192.168.2.0 255.255.255.0 175.10.10.0 255.255.255.240

access-list PIX506_cryptomap extended permit ip 192.168.1.0 255.255.255.128 175.10.10.0 255.255.255.240

access-list ACL_IN extended permit tcp any host 192.168.2.1 eq www

access-list ACL_IN extended permit tcp any host 192.168.2.1 eq https

access-list ACL_IN extended permit tcp any host 192.168.2.200 eq https

access-list ACL_IN extended permit tcp any host 192.168.2.200 eq www

access-list ACL_IN extended permit tcp any host 192.168.2.200 eq 3389

access-list ACL_IN extended permit udp any host 192.168.2.200 eq domain

access-list ACL_IN extended permit tcp any host 192.168.2.3 eq www

access-list ACL_IN extended permit udp host 192.168.0.1 host 192.168.2.200 eq radius

access-list ACL_IN extended permit udp host 192.168.0.1 host 192.168.2.200 eq radius-acct

access-list ACL_IN extended permit tcp any host 192.168.2.2 eq www

access-list ACL_IN extended permit tcp any host 192.168.2.2 eq https

access-list ACL_IN extended permit udp any host 192.168.2.2 eq syslog

access-list ACL_IN extended permit udp any host 192.168.2.1 eq 1026

access-list ACL_IN extended permit udp any host 192.168.2.1 eq 1027

access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 8060

access-list ACL_IN extended permit udp any host 192.168.2.1 eq 9996

access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 8400

access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 1875

access-list ACL_IN extended permit tcp any host 192.168.2.1 eq 81

access-list ACL_IN extended permit udp any host 192.168.2.7 eq tftp

access-list ACL_IN extended permit tcp any host 192.168.2.5 eq 32400

access-list ACL_IN extended permit udp any host 192.168.2.5 eq 32400

access-list 1721_KS extended permit ip 192.168.2.0 255.255.255.0 10.10.10.0 255.255.255.240

pager lines 24

logging enable

logging timestamp

logging emblem

logging monitor debugging

logging buffered debugging

logging trap informational

logging asdm informational

logging host inside 192.168.2.1 17/1025 format emblem

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export destination inside 192.168.2.1 9996

flow-export delay flow-create 3

mtu inside 1500

mtu outside 1500

ip local pool L2TP 172.31.255.10-172.31.255.15 mask 255.255.255.224

ip local pool VPN 172.100.1.10-172.100.1.20 mask 255.255.255.224

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-649.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-172.31.255.0 obj-172.31.255.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-172.100.1.0 obj-172.100.1.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-175.10.10.0 obj-175.10.10.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-172.16.10.0 obj-172.16.10.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-175.10.10.0 obj-175.10.10.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.10.0 obj-10.10.10.0 no-proxy-arp route-lookup

nat (inside,outside) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-10.10.20.0 obj-10.10.20.0 no-proxy-arp route-lookup

!

object network obj-192.168.2.0

nat (inside,outside) dynamic interface

object network obj-192.168.2.1

nat (inside,outside) static 192.168.0.6

object network obj-192.168.2.200

nat (inside,outside) static 192.168.0.7

object network obj-192.168.2.2

nat (inside,outside) static 192.168.0.8

object network obj-192.168.2.3

nat (inside,outside) static 192.168.0.9

object network obj-192.168.2.7

nat (inside,outside) static 192.168.0.11

object network obj-192.168.2.5

nat (inside,outside) static 192.168.0.12

access-group ACL_IN in interface outside

!

router eigrp 1

network 172.31.255.0 255.255.255.224

network 172.100.1.0 255.255.255.224

network 175.10.10.0 255.255.255.240

network 192.168.0.0 255.255.255.224

network 192.168.2.0 255.255.255.0

network 192.168.3.0 255.255.255.192

network 192.168.4.0 255.255.255.192

network 192.168.5.0 255.255.255.192

network 192.168.6.0 255.255.255.192

network 192.168.7.0 255.255.255.192

!

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route outside 192.168.1.0 255.255.255.128 175.12.10.2 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

webvpn

  url-list value Internal

aaa-server RADIUS protocol radius

accounting-mode simultaneous

interim-accounting-update

aaa-server RADIUS (inside) host 192.168.2.200

key *****

radius-common-pw *****

acl-netmask-convert auto-detect

aaa-server ######## protocol nt

aaa-server ######## (inside) host 192.168.2.200

nt-auth-domain-controller ########

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication serial console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

aaa authorization exec LOCAL

http server enable

http server idle-timeout 60

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 outside

snmp-server host inside 192.168.2.1 community ***** version 2c

snmp-server host inside 192.168.2.7 poll community ***** version 2c

snmp-server location ########

snmp-server contact Administrator

snmp-server community *****

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec ikev1 transform-set TRANS_ESP_AES128_SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_AES128_SHA mode transport

crypto ipsec ikev1 transform-set TRANS_ESP_AES192_SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set TRANS_ESP_AES192_SHA mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA TRANS_ESP_AES192_SHA

crypto map OUTSIDE_MAP 1 match address 1721_Static

crypto map OUTSIDE_MAP 1 set peer 175.12.10.2

crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto map OUTSIDE_MAP 2 match address 1721_KS

crypto map OUTSIDE_MAP 2 set peer 75.########

crypto map OUTSIDE_MAP 2 set ikev1 phase1-mode aggressive

crypto map OUTSIDE_MAP 2 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto map OUTSIDE_MAP 3 match address PIX506_cryptomap

crypto map OUTSIDE_MAP 3 set peer 75.########

crypto map OUTSIDE_MAP 3 set ikev1 phase1-mode aggressive

crypto map OUTSIDE_MAP 3 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5

crypto map OUTSIDE_MAP 3 set nat-t-disable

crypto map OUTSIDE_MAP 4 match address 1721_T

crypto map OUTSIDE_MAP 4 set peer 10.10.2.7

crypto map OUTSIDE_MAP 4 set ikev1 phase1-mode aggressive

crypto map OUTSIDE_MAP 4 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5

crypto map OUTSIDE_MAP 4 set nat-t-disable

crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map OUTSIDE_MAP interface inside

crypto map OUTSIDE_MAP interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ASA5505

keypair SSL

crl configure

crypto ca trustpoint ASDM_TrustPoint1

enrollment self

subject-name CN=ASA5505

keypair SSH

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate 26ed064f

    308201dd 30820146 a0030201 02020426 ed064f30 0d06092a 864886f7 0d010105

    05003033 3110300e 06035504 03130741 53413535 3035311f 301d0609 2a864886

    f70d0109 02161041 53413535 30352e52 6f6d652e 6e657430 1e170d31 32303130

    36313332 3535355a 170d3232 30313033 31333235 35355a30 33311030 0e060355

    04031307 41534135 35303531 1f301d06 092a8648 86f70d01 09021610 41534135

    3530352e 526f6d65 2e6e6574 30819f30 0d06092a 864886f7 0d010101 05000381

    8d003081 89028181 00ab1325 ad6a055a aefb838c 9ee8fb9d c9308a17 857b3b00

    651813dc 58a37c47 2d75cb41 754f6637 42149903 5411b6de ac7064de 682224f4

    df2746e5 78ce9494 1da46ccc df61f9b2 472418d8 68d54655 c9b7453f 4b912c43

    badf823a 162c78d3 e4f682b4 7c735f87 877361e9 350701b9 7d787af8 67c69ffb

    b1e55d02 93f29330 81020301 0001300d 06092a86 4886f70d 01010505 00038181

    00311073 21a9cc45 37f53536 f96c082e e2f37bac 3f7c5d51 3094f1f3 361be381

    94b3ab1f 438b8be1 c8e74b2f a65de64e fa65f5f9 e69c9be9 120306d5 9bcf499b

    27cca1b1 0e2eecbc 13842335 812cf26d a9254877 25480d54 b23a599a c9166517

    afa98f45 552236d5 bcbe5aad abc10b96 61505a02 3fb1cc96 cf9c108e 6666d2af

    6f

  quit

crypto ca certificate chain ASDM_TrustPoint1

certificate 57ef2c4f

    30820347 3082022f a0030201 02020457 ef2c4f30 0d06092a 864886f7 0d010105

    05003033 3110300e 06035504 03130741 53413535 3035311f 301d0609 2a864886

    f70d0109 02161041 53413535 30352e52 6f6d652e 6e657430 1e170d31 32303230

    37323235 3330325a 170d3232 30323034 32323533 30325a30 33311030 0e060355

    04031307 41534135 35303531 1f301d06 092a8648 86f70d01 09021610 41534135

    3530352e 526f6d65 2e6e6574 30820122 300d0609 2a864886 f70d0101 01050003

    82010f00 3082010a 02820101 00bb4670 76d8c9eb d0ee0564 6ce430e3 608f96d5

    cce181ad 1e5d6fb1 4d212c39 6463a625 e935a6b1 e3b49321 098e8df4 e8274ede

    3876c33d e0f887c3 78530fcc b83dd5e7 a7b93700 8c5a127f 5d12575b 43cf9e69

    0f8017ba 05a80d49 0b70c0ad f321b1cd e586e4af 9c7b6a35 c59d5b62 4e265dbf

    fbb7ede7 78ad0a47 25929058 18f87707 517795aa 799789f3 ecc4de41 6a468951

    e75d20e9 92798d88 d852ffcf 45f1601b ef6bbf8d 09bd82f4 42e1fe5c c8f7e595

    4348b5cf 05f3e9dc f8532211 9b622a0f 47344052 95a2127d 3710ad84 fb102256

    f6a4adce f9130182 bd56ba9d 81078477 d0bcc5f6 24153e26 34950af0 ec65a0cd

    e219bfdd 5e8cd1e3 1bf5cd3e b3020301 0001a363 3061300f 0603551d 130101ff

    04053003 0101ff30 0e060355 1d0f0101 ff040403 02018630 1f060355 1d230418

    30168014 d8d6aa48 c377600f 70db8284 847a4bdb 99ed9f06 301d0603 551d0e04

    160414d8 d6aa48c3 77600f70 db828484 7a4bdb99 ed9f0630 0d06092a 864886f7

    0d010105 05000382 0101001b 4e2a1854 1e98a785 521f2bde 7dc8bbac 4a4e4625

    50bd5cc2 7d5dcf68 3e0b924d a1c28b4e 025eb791 4e12a421 f52f8350 7e9889bd

    c8797d00 ec29a508 aa24de74 e9a9b885 7a10cf6c c9e54a95 c8cd6663 6170b142

    cc347da8 4f2ca9ac 39a868d4 a15ad9b7 f0c782f6 475f8daa 5a6b1168 7fff4cbd

    a0867e0c 038633ed 740787db 1754eea2 b76e1e85 5e8ba93c e91b0aff 83db8260

    35d9d4f1 d3512761 7531999c 8e358f72 c84c2074 81986f9a f602bc1b c832730b

    3c18ccfa 6ba59fe3 0975e164 b34f0285 22368bce e525f1a3 79813fff e665e408

    acf48498 f2735919 2f70e5ed 0def8c87 f301b2e2 fa878a6c 199436de 1432e86d

    046a5d2e 6c482744 b81e53

  quit

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

telnet 192.168.2.7 255.255.255.255 inside

telnet 192.168.2.1 255.255.255.255 inside

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

management-access inside

dhcpd auto_config outside

!

threat-detection basic-threat

threat-detection scanning-threat

threat-detection statistics

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 192.168.2.1 source inside

ntp server 192.168.2.200 source inside

ntp server 204.15.208.61 source outside prefer

ntp server 72.14.189.114 source outside

ssl encryption 3des-sha1 des-sha1 rc4-md5 aes128-sha1 aes256-sha1

ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip

ssl trust-point ASDM_TrustPoint0 outside

ssl trust-point ASDM_TrustPoint0 inside vpnlb-ip

ssl trust-point ASDM_TrustPoint0 inside

webvpn

enable inside

enable outside

internal-password enable

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.2.200 192.168.2.1

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

split-tunnel-network-list value REMOTE_RA

default-domain value Rome.net

address-pools value L2TP

webvpn

  url-list value Internal

group-policy DfltGrpPolicy attributes

dns-server value 192.168.2.200

vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless

address-pools value L2TP

webvpn

  url-list value Internal

  anyconnect ssl compression deflate

  anyconnect modules value dart,vpngina

group-policy GroupPolicy2 internal

group-policy GroupPolicy2 attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

group-policy 1721_Dynamic internal

group-policy 1721_Dynamic attributes

vpn-filter value 1721_Dynamic

vpn-tunnel-protocol ikev1 l2tp-ipsec

username ######## password ######## nt-encrypted privilege 5

username ######## attributes

vpn-group-policy DefaultRAGroup

vpn-framed-ip-address 172.31.255.10 255.255.255.224

webvpn

  url-list value Internal

username ######## password ######## nt-encrypted privilege 15

username ######## attributes

vpn-group-policy DefaultRAGroup

vpn-framed-ip-address 172.31.255.10 255.255.255.224

webvpn

  url-list value Internal

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup general-attributes

address-pool L2TP

authentication-server-group RADIUS LOCAL

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive threshold 15 retry 2

tunnel-group DefaultRAGroup ppp-attributes

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup general-attributes

address-pool L2TP

authentication-server-group RADIUS

tunnel-group DefaultWEBVPNGroup ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group DefaultWEBVPNGroup ppp-attributes

authentication pap

authentication ms-chap-v2

authentication eap-proxy

tunnel-group 175.12.10.2 type ipsec-l2l

tunnel-group 175.12.10.2 general-attributes

default-group-policy GroupPolicy1

tunnel-group 175.12.10.2 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 10.10.2.7 type ipsec-l2l

tunnel-group 10.10.2.7 general-attributes

default-group-policy GroupPolicy2

tunnel-group 10.10.2.7 ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 1721_Dyn type remote-access

tunnel-group 1721_Dyn general-attributes

default-group-policy 1721_Dynamic

tunnel-group 1721_Dyn ipsec-attributes

ikev1 pre-shared-key *****

ikev1 user-authentication none

tunnel-group 75.######## type ipsec-l2l

tunnel-group 75.######## general-attributes

default-group-policy GroupPolicy2

tunnel-group 75.######## ipsec-attributes

ikev1 pre-shared-key *****

tunnel-group 75.######## type ipsec-l2l

tunnel-group 75.######## general-attributes

default-group-policy GroupPolicy2

tunnel-group 75.######## ipsec-attributes

ikev1 pre-shared-key *****

!

class-map global-class

match any

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map type inspect netbios NETBIOS_MAP

parameters

  protocol-violation action log

policy-map type inspect http HTTP_INSPECT

parameters

  protocol-violation action log

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect http

  inspect icmp

  inspect icmp error

  inspect ils

  inspect snmp

class global-class

  flow-export event-type all destination 192.168.2.1

!

service-policy global_policy global

smtp-server 192.168.2.1

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command vpn-sessiondb

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:7eec8fbede8a196128a9f104fa9e4ea9

: end

asdm image disk0:/asdm-649.bin

asdm location 192.168.2.7 255.255.255.255 inside

asdm location 192.168.1.0 255.255.255.128 inside

no asdm history enable

New Member

VPN allows only traffic on one side to reach inside interface of

This could well be an issue related to CEF on 1721 router

1107
Views
0
Helpful
15
Replies
CreatePlease login to create content