Asked by rigneydolphin
Cisco ASA VPN Phase 1 Fail IPSEC IKE LAN-to-LAN VPN
Hi,
I'm receiving the below error when trying to set up a VPN between our Cisco 5520 and the Cisco 5505 of one of our clients.
I have also posted the config below; it seems to be failing at phase 1.
Thanks,
7|Oct 29 2009 11:25:37|609002: Teardown local-host outside:81.AA.NN.198 duration 0:02:24
6|Oct 29 2009 11:25:37|302016: Teardown UDP connection 3145279 for outside:81.AA.NN.198/500 to NP Identity Ifc:84.203.232.98/500 duration 0:02:24 bytes 1588
4|Oct 29 2009 11:23:45|713903: IP = 81.AA.NN.198, Error: Unable to remove PeerTblEntry
3|Oct 29 2009 11:23:45|713902: IP = 81.AA.NN.198, Removing peer from peer table failed, no match!
7|Oct 29 2009 11:23:45|713906: IP = 81.AA.NN.198, sending delete/delete with reason message
7|Oct 29 2009 11:23:45|713906: IP = 81.AA.NN.198, IKE SA MM:86b01248 terminating: flags 0x01000022, refcnt 0, tuncnt 0
7|Oct 29 2009 11:23:45|715065: IP = 81.AA.NN.198, IKE MM Initiator FSM error history (struct &0x3f54d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3 , EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
4|Oct 29 2009 11:23:37|713903: IP = 81.AA.NN.198, Information Exchange processing failed
5|Oct 29 2009 11:23:37|713904: IP = 81.AA.NN.198, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
ASA Version 7.0(8)
!
hostname firewall1
domain-name it.local
enable password *********/m encrypted
passwd********** /m encrypted
names
dns-guard
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 84.RR.DD.98 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.AA.BB.16 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
banner login
no ftp mode passive
clock timezone GMT/IST 0
clock summer-time GMT/IDT recurring last Sun Mar 1:00 last Sun Oct 2:00
object-group service HTTPHTTPS tcp
port-object eq www
port-object eq https
object-group service ClientCSG tcp
description ClientC Service Group
port-object range 60510 60510
port-object eq www
port-object eq https
object-group service PServiceGroup tcp
port-object eq echo
port-object eq www
port-object range 6969 6969
port-object eq ssh
port-object eq ftp-data
port-object eq rsh
port-object eq https
port-object eq ftp
port-object range 60510 60510
port-object range 11110 11112
port-object range 5000 5000
object-group service EamonnF tcp
port-object eq telnet
port-object eq www
port-object eq https
port-object eq ftp
object-group service ClientA tcp
port-object range 5900 5900
object-group service CLIENTBVNC tcp
port-object range 5910 5910
object-group service ClientDWB tcp
port-object range 5911 5911
object-group service EX2200 tcp
port-object range 2200 2200
object-group service ClientAWB tcp
description Access for Tight VNC on ClientA WB 10.AA.BB.17
port-object eq 5900
port-object eq 5800
object-group service CLIENTBWallboard tcp
port-object eq 5910
port-object eq 5810
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.BB.192 255.255.255.248 host 172.SS.LL.13
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip any 10.AA.DD.0 255.255.255.128
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.BB.0 255.255.255.0 10.AA.DD.0 255.255.255.128
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.CC.0 255.255.255.0 10.AA.DD.0 255.255.255.128
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.BB.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.CC.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.GG.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip 10.AA.EE.0 255.255.255.0 10.RR.FF.0 255.255.255.0
access-list INSIDE_NO_NAT_OUTBOUND extended permit ip host 10.AA.FF.16 10.RR.FF.16 255.255.255.240
access-list ANPcrypto extended permit ip host 84.RR.DD.103 host 81.AA.NN.197
access-list ANP_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 81.AA.NN.197
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.BB.0 255.255.255.0
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.CC.0 255.255.255.0
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.FF.0 255.255.255.0
access-list RRRVPN_splitTunnelAcl standard permit 10.AA.GG.0 255.255.255.0
access-list outside_cryptomap_40_1 extended permit ip host 84.RR.DD.99 host 192.WW.PP.40
access-list outside_cryptomap_40_1 extended permit ip host 84.RR.DD.99 host 192.WW.PP.42
access-list VF_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 192.WW.PP.40
access-list VF_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 192.WW.PP.42
access-list VF_NAT extended permit ip 10.AA.CC.0 255.255.255.0 host 192.WW.PP.40
access-list VF_NAT extended permit ip 10.AA.CC.0 255.255.255.0 host 192.WW.PP.42
access-list CLIENTC_NAT extended permit ip 10.AA.BB.0 255.255.255.0 host 217.VV.YY.188
access-list CLIENTC_NAT extended permit ip 10.AA.CC.0 255.255.255.0 host 217.VV.YY.188
access-list outside_cryptomap_CLIENTC extended permit ip host 84.RR.DD.100 host 217.VV.YY.188
access-list outside_cryptomap_80 extended permit ip 10.AA.BB.192 255.255.255.248 host 172.SS.LL.13
access-list Witness_splitTunnelAcl standard permit host 10.AA.FF.16
pager lines 24
logging enable
logging trap debugging
logging asdm debugging
logging mail emergencies
logging from-address PP@it.com
logging recipient-address PP@it.com level emergencies
logging host inside 10.AA.BB.3
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNpool 10.RR.FF.50-10.RR.FF.100 mask 255.255.255.0
ip local pool WtinessPool 10.RR.FF.20-10.RR.FF.25 mask 255.255.255.0
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
icmp deny any outside
icmp permit any inside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
global (outside) 20 84.RR.DD.99
global (outside) 30 84.RR.DD.100
global (outside) 40 84.RR.DD.103
nat (inside) 0 access-list INSIDE_NO_NAT_OUTBOUND
nat (inside) 20 access-list VF_NAT
nat (inside) 30 access-list CLIENTC_NAT
nat (inside) 40 access-list ANP_NAT
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp 84.RR.DD.102 smtp 10.AA.BB.35 smtp netmask 255.255.255.255
static (inside,outside) tcp interface imap4 10.AA.BB.9 imap4 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 10.AA.BB.9 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 10.AA.FF.16 www netmask 255.255.255.255
static (inside,outside) tcp interface telnet 10.AA.FF.14 telnet netmask 255.255.255.255
static (inside,outside) tcp interface 5902 10.AA.BB.33 5902 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 10.AA.BB.8 ftp netmask 255.255.255.255
static (inside,outside) tcp 84.RR.DD.101 www 10.AA.BB.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 7000 10.AA.BB.8 7000 netmask 255.255.255.255
static (inside,outside) tcp interface 11111 10.AA.BB.140 11111 netmask 255.255.255.255
static (inside,outside) tcp interface 5800 10.AA.BB.17 5800 netmask 255.255.255.255
static (inside,outside) tcp interface 5910 10.AA.CC.12 5910 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 10.AA.BB.17 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 5810 10.AA.CC.12 5810 netmask 255.255.255.255
static (inside,outside) tcp 84.RR.DD.108 ssh 10.AA.BB.9 ssh netmask 255.255.255.255
static (inside,outside) tcp interface ssh 10.AA.BB.3 ssh netmask 255.255.255.255
static (inside,outside) udp 84.RR.DD.105 domain 10.AA.BB.25 domain netmask 255.255.255.255
static (inside,outside) tcp interface 5000 10.AA.BB.140 5000 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 84.RR.DD.97 1
route outside 10.AA.DD.0 255.255.255.0 84.RR.DD.97 1
route inside 10.TTT.YYY.0 255.255.255.0 10.AA.BB.11 1
route inside 10.0.0.0 255.255.0.0 10.AA.BB.11 1
route inside 10.10.10.0 255.255.255.0 10.AA.BB.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy RRRVPN internal
group-policy RRRVPN attributes
wins-server value 10.AA.BB.8 10.AA.BB.25
dns-server value 10.AA.BB.25 10.AA.BB.8
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RRRVPN_splitTunnelAcl
default-domain value iota.local
webvpn
group-policy Witness internal
group-policy Witness attributes
banner value
wins-server value 10.AA.BB.25 10.AA.BB.8
dns-server value 10.AA.BB.25 10.AA.BB.8
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Witness_splitTunnelAcl
default-domain value it.local
webvpn
vpn-group-policy RRRVPN
webvpn
http server enable
http 10.AA.BB.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 60 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 80 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 90 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 90 set security-association lifetime seconds 3600
crypto dynamic-map outside_dyn_map 90 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_cryptomap_40_1
crypto map outside_map 40 set peer 213.HHH.KKK.244
crypto map outside_map 40 set transform-set ESP-3DES-SHA
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_cryptomap_CLIENTC
crypto map outside_map 60 set peer 217.EEE.HHH.241
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set peer 21T.249.HHH.13Z
crypto map outside_map 80 set transform-set ESP-DES-MD5
crypto map outside_map 80 set security-association lifetime seconds 28800
crypto map outside_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 90 match address ANPcrypto
crypto map outside_map 90 set peer 81.AA.NN.198
crypto map outside_map 90 set transform-set ESP-3DES-SHA
crypto map outside_map 90 set security-association lifetime seconds 3600
crypto map outside_map 90 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map crypto_ClientC 70 set security-association lifetime seconds 28800
crypto map crypto_ClientC 70 set security-association lifetime kilobytes 4608000
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 86400
isakmp nat-traversal 20
tunnel-group 81.AA.NN.198 type ipsec-l2l
tunnel-group 81.AA.NN.198 ipsec-attributes
pre-shared-key *
tunnel-group 213.HHH.KKK.244 type ipsec-l2l
tunnel-group 213.HHH.KKK.244 ipsec-attributes
pre-shared-key *
tunnel-group 217.EEE.HHH.241 type ipsec-l2l
tunnel-group 217.EEE.HHH.241 ipsec-attributes
pre-shared-key *
tunnel-group 213.EEE.HHH.130 type ipsec-l2l
tunnel-group 213.EEE.HHH.130 ipsec-attributes
pre-shared-key *
tunnel-group RRRVPN type ipsec-ra
tunnel-group RRRVPN general-attributes
address-pool (inside) VPNpool
address-pool VPNpool
default-group-policy RRRVPN
tunnel-group RRRVPN ipsec-attributes
pre-shared-key *
tunnel-group Witness type ipsec-ra
tunnel-group Witness general-attributes
address-pool WtinessPool
default-group-policy Witness
tunnel-group Witness ipsec-attributes
pre-shared-key *
telnet 10.AA.BB.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ntp server 10.AA.FF.11
tftp-server inside 10.AA.BB.140 test1016.cfg
smtp-server 10.AA.BB.9
Cryptochecksum:85cbd896740 83d461bf9e f0969c23a5 a
: end
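Added example, not part of the original post: a Python triage script that parses the ASA syslog lines quoted above (message ids 715065, 713904 and 713236), names the IKEv1 main-mode message the initiator was still waiting for when it gave up, records the dropped INVALID_COOKIE notify and the retransmits, and checks that the running config binds the peer with a crypto map entry, an ipsec-l2l tunnel-group and an enabled isakmp policy set. The log and config excerpts are constructed from the question with the asker's redaction kept; the message-number mapping follows RFC 2409 main mode with pre-shared keys.

```python
import re

# Constructed excerpt of the syslog quoted in the question (redaction kept as posted).
SAMPLE_LOG = """\
7|Oct 29 2009 11:23:45|715065: IP = 81.AA.NN.198, IKE MM Initiator FSM error history (struct &0x3f54d08) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3 , EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
5|Oct 29 2009 11:23:37|713904: IP = 81.AA.NN.198, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Oct 29 2009 11:23:37|713236: IP = 81.AA.NN.198, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 256
"""

# Constructed excerpt of the posted running config: only the lines that bind this peer.
SAMPLE_CONFIG = """\
crypto map outside_map 90 set peer 81.AA.NN.198
crypto map outside_map 90 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
tunnel-group 81.AA.NN.198 type ipsec-l2l
tunnel-group 81.AA.NN.198 ipsec-attributes
 pre-shared-key *
"""

# ASA syslog shape as posted: "<severity>|<timestamp>|<message-id>: IP = <peer>, <text>"
LOG_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}):\s*IP = (?P<peer>[^,]+),\s*(?P<text>.*)$")
STATE_RE = re.compile(r"MM_(?:WAIT|SND)_MSG(\d)")
NOTIFY_RE = re.compile(r"Received an (un-encrypted )?(\w+) notify message")

# What each IKEv1 main-mode message carries with pre-shared-key authentication
# (RFC 2409 section 5.4); messages 1-4 are cleartext, 5-6 are encrypted.
MM_MSG = {
    1: "SA proposal (initiator)", 2: "SA reply: responder picked a phase 1 policy",
    3: "KE + NONCE (initiator)", 4: "KE + NONCE (responder)",
    5: "ID + HASH, encrypted (initiator)", 6: "ID + HASH, encrypted (responder)",
}

def parse_log(text):
    """Return one dict per IKE line; lines without an 'IP = peer' field are skipped."""
    recs = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["msgid"] = int(d["msgid"])
            recs.append(d)
    return recs

def fsm_steps(text):
    """Split the 715065 history 'MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->...'
    into [(state, event), ...], newest transition first as the ASA prints it."""
    _, sep, hist = text.partition("<state>, <event>:")
    if not sep:
        return []
    steps = []
    for item in hist.split("-->"):
        state, _, event = item.partition(",")
        steps.append((state.strip(), event.strip()))
    return steps

def triage(log_text, config_text):
    """Combine the FSM history, dropped notifies and retransmits with the config
    lines that bind the peer, so the failing phase 1 step is named, not guessed."""
    recs = parse_log(log_text)
    peers = {r["peer"] for r in recs}
    if len(peers) != 1:
        raise ValueError("expected IKE lines for exactly one peer, got %r" % sorted(peers))
    peer = peers.pop()
    res = {"peer": peer, "furthest_msg": 0, "stalled_in": None, "notifies": [], "retransmits": 0}
    for r in recs:
        if r["msgid"] == 715065:                      # FSM error history
            steps = fsm_steps(r["text"])
            nums = [int(n) for s, _ in steps for n in STATE_RE.findall(s)]
            res["furthest_msg"] = max(nums, default=0)
            res["stalled_in"] = steps[1] if len(steps) > 1 else None  # entry before MM_DONE/EV_ERROR
        elif r["msgid"] == 713904:                    # notify received but dropped
            # Before MSG5 no keys exist, so the notify is unauthenticated and the ASA
            # discards it; INVALID_COOKIE (RFC 2408 type 4) is evidence, not proof.
            m = NOTIFY_RE.search(r["text"])
            if m:
                res["notifies"].append({"type": m.group(2), "unencrypted": bool(m.group(1))})
        elif r["msgid"] == 713236 and "RESENDING" in r["text"]:
            res["retransmits"] += 1
    n = res["furthest_msg"]
    res["waiting_for"] = MM_MSG.get(n)
    res["psk_in_play"] = n >= 5   # the PSK only matters from the encrypted messages 5/6 on
    esc = re.escape(peer)
    res["config"] = {
        "crypto_map_peer": bool(re.search(r"^crypto map \S+ \d+ set peer %s$" % esc, config_text, re.M)),
        "tunnel_group_l2l": bool(re.search(r"^tunnel-group %s type ipsec-l2l$" % esc, config_text, re.M)),
        "isakmp_enabled_outside": "isakmp enable outside" in config_text,
        "isakmp_policies": len(set(re.findall(r"^isakmp policy (\d+) ", config_text, re.M))),
    }
    return res
```

Running `triage(SAMPLE_LOG, SAMPLE_CONFIG)` on the posted lines reports the initiator stalled in MM_WAIT_MSG4 after sending its own KE + NONCE (MSG3), i.e. before the pre-shared key is ever used, with the peer's unencrypted INVALID_COOKIE notify dropped.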