support_ferret

Problems moving L2L IPSec VPN from Cisco PIX to Cisco ASA 5520, connecting from Cisco 877

Dear Experts,

We had various remote sites (Cisco 800s) connecting to our HQ PIX firewall via IPSec VPN, and are now in the process of migrating the HQ to a new Internet circuit and Cisco ASA 5520 v8.3(1).  

I managed to move three out of the four tunnels to the ASA, but am stuck on the last one, despite the configuration appearing to be acceptable.  It might be significant, but the 877 in question actually gave some trouble when it was initially connected to the PIX some time back.  The error looked similar to the current one pasted below, and was eventually solved by making the PIX present its IP address to the remote peer, rather than the hostname.  However, that trick does not appear to work with the ASA.

It looks like ISAKMP phase 1 is not completing, although the parameters for the proposal do match.

Cisco 877 debug sample
Log Buffer (100000 bytes):

Jul 21 20:10:32: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 21 20:10:32: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jul 21 20:10:32: ISAKMP:(0):sending IKE_FRAG vendor ID
Jul 21 20:10:32: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 21 20:10:32: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:32: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:32: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 21 20:10:32: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Jul 21 20:10:34: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:34: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 21 20:10:34: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:34: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:34: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:40: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:10:40: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:10:40: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:10:41: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:41: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 21 20:10:41: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:41: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:41: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:44: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:44: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 21 20:10:44: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:44: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:44: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:45: ISAKMP:(0):purging SA., sa=84F7B828, delme=84F7B828
Jul 21 20:10:45: ISAKMP:(0):purging SA., sa=834553BC, delme=834553BC
Jul 21 20:10:45: ISAKMP:(0):purging SA., sa=84CC8650, delme=84CC8650
Jul 21 20:10:48: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:10:48: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:10:48: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:10:49: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:49: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Jul 21 20:10:49: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:49: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:49: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:10:54: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:54: ISAKMP:(0):peer does not do paranoid keepalives.

Jul 21 20:10:54: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 2.2.2.2)
Jul 21 20:10:54: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 2.2.2.2)
Jul 21 20:10:54: ISAKMP: Unlocking peer struct 0x84CD087C for isadb_mark_sa_deleted(), count 0
Jul 21 20:10:54: ISAKMP: Deleting peer node by peer_reap for 2.2.2.2: 84CD087C
Jul 21 20:10:54: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 21 20:10:54: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_DEST_SA

Jul 21 20:10:56: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:10:56: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:10:56: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:10:57: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:10:57: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Jul 21 20:10:57: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:10:57: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:10:57: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:05: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
Jul 21 20:11:05: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
Jul 21 20:11:05: ISAKMP: New peer created peer = 0x84CD087C peer_handle = 0x80000126
Jul 21 20:11:05: ISAKMP: Locking peer struct 0x84CD087C, refcount 1 for crypto_isakmp_process_block
Jul 21 20:11:05: ISAKMP: local port 500, remote port 500
Jul 21 20:11:05: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 834553BC
Jul 21 20:11:05: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Jul 21 20:11:05: ISAKMP:(0): processing SA payload. message ID = 0
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v2
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v3
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 21 20:11:05: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): processing IKE frag vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID is IKE Fragmentation
Jul 21 20:11:05: ISAKMP:(0): AM Fragmentation supported
Jul 21 20:11:05: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
Jul 21 20:11:05: ISAKMP:(0): local preshared key found
Jul 21 20:11:05: ISAKMP : Scanning profiles for xauth ... isakmp isakmp_2
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 1 against priority 8 policy
Jul 21 20:11:05: ISAKMP:      default group 5
Jul 21 20:11:05: ISAKMP:      encryption AES-CBC
Jul 21 20:11:05: ISAKMP:      keylength of 256
Jul 21 20:11:05: ISAKMP:      hash SHA
Jul 21 20:11:05: ISAKMP:      auth pre-share
Jul 21 20:11:05: ISAKMP:      life type in seconds
Jul 21 20:11:05: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jul 21 20:11:05: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 21 20:11:05: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 2 against priority 8 policy
Jul 21 20:11:05: ISAKMP:      default group 2
Jul 21 20:11:05: ISAKMP:      encryption 3DES-CBC
Jul 21 20:11:05: ISAKMP:      hash MD5
Jul 21 20:11:05: ISAKMP:      auth pre-share
Jul 21 20:11:05: ISAKMP:      life type in seconds
Jul 21 20:11:05: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jul 21 20:11:05: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 21 20:11:05: ISAKMP:(0):Acceptable atts:actual life: 0
Jul 21 20:11:05: ISAKMP:(0):Acceptable atts:life: 0
Jul 21 20:11:05: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 21 20:11:05: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Jul 21 20:11:05: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 21 20:11:05: ISAKMP:(0)::Started lifetime timer: 86400.

Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v2
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jul 21 20:11:05: ISAKMP:(0): vendor ID is NAT-T v3
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
Jul 21 20:11:05: ISAKMP (0): vendor ID is NAT-T RFC 3947
Jul 21 20:11:05: ISAKMP:(0): processing vendor id payload
Jul 21 20:11:05: ISAKMP:(0): processing IKE frag vendor id payload
Jul 21 20:11:05: ISAKMP:(0): vendor ID is IKE Fragmentation
Jul 21 20:11:05: ISAKMP:(0): AM Fragmentation supported
Jul 21 20:11:05: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jul 21 20:11:05: ISAKMP:(0):sending IKE_FRAG vendor ID
Jul 21 20:11:05: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Jul 21 20:11:05: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:05: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:05: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

Jul 21 20:11:07: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:07: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Jul 21 20:11:07: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:11:07: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:07: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:13: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:11:13: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:11:13: ISAKMP:(0): retransmitting due to retransmit phase 1
Jul 21 20:11:14: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:14: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Jul 21 20:11:14: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:11:14: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:14: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 21 20:11:17: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:17: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Jul 21 20:11:17: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
Jul 21 20:11:17: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:17: ISAKMP:(0):Sending an IKE IPv4 Packet.

Cisco ASA 5520 debug sample
Jul 21 19:01:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 21 19:01:53 [IKEv1]: IP = 1.1.1.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Jul 21 19:01:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

In fact there is little in the way of errors on the ASA side!

I will paste some sanitised configs on here if requested.  Thank you for your help!
Topics: VPN, Hardware Firewalls, Internet Protocol Security
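The 877 debug above follows a pattern that is worth checking mechanically when the buffer is long: as responder (R) it accepts transform 2 against policy 8, sends MM_SA_SETUP (its second main-mode message), then retransmits it while the ASA keeps re-sending its first message ("phase 1 packet is a duplicate of a previous packet"), until the SA is deleted with "Death by retransmission P1". The following is an added example, not code from the thread or from Cisco. It parses that debug format, records which proposal transforms were checked and which one was accepted, counts retransmits and duplicate receptions, and gives the responder-side reading: the reply is not reaching the initiator or is being discarded there, so the proposal parameters are not the thing to look at. The sample buffer is constructed from the lines above and abridged; the line patterns are those of the IOS 15.0 debug shown.

```python
"""Triage helper for Cisco IOS 'debug crypto isakmp' output (IKEv1 main mode).
Added example for this thread, not code from the original post or from Cisco."""
import re

# Constructed sample in the format of the 877 debug above (abridged, not the full buffer).
SAMPLE_LOG = """\
Jul 21 20:11:05: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (N) NEW SA
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 1 against priority 8 policy
Jul 21 20:11:05: ISAKMP:      default group 5
Jul 21 20:11:05: ISAKMP:      encryption AES-CBC
Jul 21 20:11:05: ISAKMP:      keylength of 256
Jul 21 20:11:05: ISAKMP:      hash SHA
Jul 21 20:11:05: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jul 21 20:11:05: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 21 20:11:05: ISAKMP:(0):Checking ISAKMP transform 2 against priority 8 policy
Jul 21 20:11:05: ISAKMP:      default group 2
Jul 21 20:11:05: ISAKMP:      encryption 3DES-CBC
Jul 21 20:11:05: ISAKMP:      hash MD5
Jul 21 20:11:05: ISAKMP:      auth pre-share
Jul 21 20:11:05: ISAKMP:(0):atts are acceptable. Next payload is 0
Jul 21 20:11:05: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (R) MM_SA_SETUP
Jul 21 20:11:05: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
Jul 21 20:11:07: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:13: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (R) MM_SA_SETUP
Jul 21 20:11:13: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
Jul 21 20:11:14: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:17: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
Jul 21 20:11:54: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 2.2.2.2)
"""

# Line shapes taken from the debug format above.
RE_PKT = re.compile(r"(received packet from|sending packet to) (\S+) .*\((\w)\) (\S+)")
RE_STATE = re.compile(r"New State = (\S+)")
RE_XFORM = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
RE_ATTR = re.compile(r": ISAKMP:\s{2,}(default group|encryption|keylength of|hash|auth) (\S+)")
RE_DEATH = re.compile(r'deleting SA reason "([^"]+)" state \((\w)\) (\S+) \(peer (\S+)\)')
ATTR_KEY = {"default group": "group", "keylength of": "keylength"}  # other attributes keep their name


def parse_transforms(log):
    """One dict per proposal transform the responder evaluated, in order of checking."""
    transforms, cur = [], None
    for line in log.splitlines():
        m = RE_XFORM.search(line)
        if m:
            cur = {"index": int(m.group(1)), "policy": int(m.group(2)),
                   "attrs": {}, "accepted": None, "reason": None}
            transforms.append(cur)
        elif cur is None:
            continue
        elif (m := RE_ATTR.search(line)):
            cur["attrs"][ATTR_KEY.get(m.group(1), m.group(1))] = m.group(2)
        elif "does not match policy" in line:
            cur["reason"] = line.split("ISAKMP:(0):", 1)[1].strip()
        elif "atts are not acceptable" in line:
            cur["accepted"] = False
        elif "atts are acceptable" in line:
            cur["accepted"] = True
    return transforms


def diagnose(log):
    """Summarise the exchange and explain a 'Death by retransmission P1' in MM_SA_SETUP."""
    r = {"role": None, "peer": None, "last_state": None, "retransmits": 0,
         "duplicates_received": 0, "death_state": None, "accepted_transform": None}
    for line in log.splitlines():
        if (m := RE_PKT.search(line)) and m.group(3) in "IR":   # (I)nitiator or (R)esponder
            r["peer"], r["role"] = m.group(2), m.group(3)
        if (m := RE_STATE.search(line)):
            r["last_state"] = m.group(1)
        if "retransmitting phase 1" in line and line.endswith("..."):
            r["retransmits"] += 1
        if "packet is a duplicate of a previous packet" in line:
            r["duplicates_received"] += 1
        if (m := RE_DEATH.search(line)) and m.group(1).startswith("Death by retransmission"):
            r["death_state"] = m.group(3)
    accepted = [t["index"] for t in parse_transforms(log) if t["accepted"]]
    r["accepted_transform"] = accepted[0] if accepted else None
    r["verdict"] = _verdict(r)
    return r


def _verdict(r):
    """Reading a responder-side engineer would draw from the counters."""
    if r["death_state"] == "MM_SA_SETUP" and r["role"] == "R":
        if r["accepted_transform"] is None:
            return "No proposal transform matched a local ISAKMP policy; fix the phase 1 parameters."
        return ("Responder sent MM2 (transform %d accepted) but never received MM3: the peer kept "
                "re-sending MM1 (%d duplicates) while we retransmitted MM2 %d times, so our reply "
                "is not reaching the peer or is being discarded there. Phase 1 policy is not the "
                "problem; check the UDP/500 path back to the peer and that the peer expects MM2 "
                "from the source address we actually send it from."
                % (r["accepted_transform"], r["duplicates_received"], r["retransmits"]))
    return "No phase 1 retransmission death in this excerpt."
```

Run diagnose() on a full "show log" capture rather than the excerpt; the counters then tell you how many MM2 retransmits the router spent per attempt and whether any attempt ever left IKE_R_MM2, which is the quickest way to separate a proposal problem (no accepted transform) from a reachability problem (transform accepted, then death in MM_SA_SETUP).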

ASKER CERTIFIED SOLUTION
anoopkmr

SOLUTION
anoopkmr

support_ferret

ASKER

Thank you for your quick response!
In response to your questions:
1. I am not sure - perhaps that is the issue? Is that the same thing as IKE keep-alives? They are enabled on the ASA.

2. NAT-T is enabled on the ASA. Not sure about the 877 - you will see that NAT was being used in the past, but there is currently no NAT on there, so NAT-T would not be used, I guess?

With regard to the configs below:

The key "object" is remote_office_subnet on the ASA.

The 877 currently has the crypto map connecting to the old PIX enabled on the Dialer0 interface. The other crypto map was what was applied during the attempt last night.

Cisco 877

!
! Last configuration change at 20:25:19 BST Wed Jul 21 2010 by admin4ms
! NVRAM config last updated at 20:32:57 BST Wed Jul 21 2010 by admin4ms
!
version 15.0
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Acme_Automobiles
!
boot-start-marker
boot system flash c870-advsecurityk9-mz.150-1.M2.bin
boot-end-marker
!
logging buffered 100000
enable secret 5 $1$/.ZV$9g5Q4zuKEROka1SJLYi8C.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-2227981338
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-22271338
 revocation-check none
 rsakeypair TP-self-signed-2227981338
!
!
crypto pki certificate chain TP-self-signed-2227981338
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 2D536967 6E65642D 43657274
  69666963 6174652D 32323237 39383133 3338301E 170D3032 30333031 30303036
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32323739
  3831333 8C54F1EB 5AB18EEC 5D2FA25A
  301D0603 551D0E04 1604148B 49444E65 A484F98C 54F1EB5A B18EEC5D 2FA25A30
  0D06092A 864886F7 0D010104 05000381 810023F1 24FAEC98 D6B0E69B 2D1E06A8
  6636A547F76
  17236302 78A0DCFE CE4052CC 6FED12BF F4AAB4B3 2D48D524 8D0942F0 1333C3AE
  0F8820C9 28AF1C24 B2D7F593 8E2D2C43 76CF
        quit
dot11 syslog
ip source-route
!
!
ip cef
ip inspect name FIREWALL_100 tcp
ip inspect name FIREWALL_100 udp
ip inspect name FIREWALL_100 icmp
no ip domain lookup
ip domain name Acme
!
!
!
!
archive
 log config
  hidekeys
username me privilege 15 password 0 me
!
!
ip ftp username me
ip ftp password password
!
!
crypto keyring isakmp
  pre-shared-key address x.x.x.x key *********
  pre-shared-key address 2.2.2.2 key ********
crypto keyring isakmp_keyring_2
  pre-shared-key address 2.2.2.2 key *******
!
crypto isakmp policy 8
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 9
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *********** address 2.2.2.2 no-xauth
crypto isakmp fragmentation
crypto isakmp profile isakmp
   keyring isakmp
   match identity address x.x.x.x 255.255.255.255
crypto isakmp profile isakmp_2
   keyring isakmp_keyring_2
   match identity address 2.2.2.2 255.255.255.255
!
!
crypto ipsec transform-set 3DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set Acme_transform esp-aes 256 esp-sha-hmac
!
crypto map ipsec 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 100000
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set isakmp-profile isakmp
 match address LAN
!
crypto map Acme_crypto_map 10 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime kilobytes 100000
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set isakmp-profile isakmp_2
 match address LAN
!
!
!
!
interface Loopback0
 description !! Acme Automobiles ADSL DIALER !!
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback100
 ip address x.x.x.x 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Loopback200
 no ip address
!
interface ATM0
 description !! Acme Automobiles ADSL INTERFACE !!
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface FastEthernet0
 description !! LOCAL LINK TO LAN !!
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 128.1.96.254 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 arp timeout 300
!
interface Dialer0
 description !! Acme Automobiles ADSL DIALER !!
 ip address negotiated
 ip access-group FIREWALL_ACL in
 ip inspect FIREWALL_100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname Cuser@user.com
 ppp chap password 0 ********
 no cdp enable
 crypto map ipsec
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat translation timeout 600
ip nat pool translate 128.1.249.0 128.1.249.254 prefix-length 24
ip route 0.0.0.0 0.0.0.0 128.1.96.1
ip route 128.1.0.0 255.255.252.0 Dialer0 name Acme-Server
ip route 128.1.0.1 255.255.255.255 128.1.96.1
ip route 128.1.0.65 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.1.8 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.1.55 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.2.69 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.2.94 255.255.255.255 Dialer0 name Acme-Server
ip route x.x.x.x 255.255.255.255 Dialer0 name Acme-Outside-NewYork
ip route x.x.x.x 255.255.255.255 Dialer0 name Supportfirm
!
ip access-list standard vty
 permit x.x.x.x
 permit x.x.x.x 0.0.0.7
 permit 128.1.96.0 0.0.3.255
 permit 128.1.100.0 0.0.3.255
!
ip access-list extended FIREWALL_ACL
 permit ahp host 2.2.2.2 any
 permit esp host 2.2.2.2 any
 permit udp host 2.2.2.2 any eq isakmp
 permit udp host 2.2.2.2 any eq non500-isakmp
 permit ahp host x.x.x.x any
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
 permit udp host x.x.x.x any eq non500-isakmp
 permit ip 128.1.0.0 0.0.3.255 128.1.96.0 0.0.3.255
 permit ip 128.1.0.0 0.0.3.255 128.1.249.0 0.0.0.255
 deny   ip 128.1.249.0 0.0.0.255 any
 deny   ip 128.1.96.0 0.0.3.255 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
ip access-list extended LAN
 permit ip 128.1.96.0 0.0.3.255 128.1.0.0 0.0.3.255
ip access-list extended NAT
 permit ip 128.1.249.0 0.0.0.255 128.0.0.0 0.255.255.255
 permit ip 128.1.249.0 0.0.0.255 host 172.20.0.13
!
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.1.8
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.0.65
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.1.55
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.2.69
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 session-timeout 60
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp source Vlan1
ntp server 128.1.0.1 source Vlan1
end

Cisco ASA
ASA Version 8.3(1)
!
hostname AcmeCo-ASA
domain-name AcmeCo.co.uk
enable password SHqXegvm4webmUwc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.192
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 128.1.0.24 255.255.252.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name AcmeCo.co.uk
object network A_2.2.2.67
 host 2.2.2.67
object network PublicServer_NAT1
 host 128.1.3.200
object network AnyStreet_VLAN_19
 subnet 172.19.0.0 255.255.255.0
object network AnyStreet_Voice_VLAN
 subnet 172.16.0.0 255.255.254.0
object network Northern_subnet
 subnet 128.1.4.0 255.255.252.0
object network Brussels
 subnet 128.1.152.0 255.255.252.0
object network random_partial_subnet
 subnet 128.1.29.0 255.255.255.0
 description random random second /24 subnet
object network AnyStreet_DATA_VLAN
 subnet 128.1.0.0 255.255.252.0
object network AnyStreet_VLAN_18
 subnet 172.18.0.0 255.255.255.0
object network AnyStreet_VLAN_20
 subnet 172.20.0.0 255.255.255.0
object network AnyStreet_VLAN_21
 subnet 172.21.0.0 255.255.255.0
object network AnyStreet_VLAN_22
 subnet 172.22.0.0 255.255.255.0
object network AnyStreet_VLAN_17
 subnet 172.17.0.0 255.255.255.0
object network AnyStreet_VLAN_23
 subnet 172.23.0.0 255.255.255.0
object network DMZ-klklk.AcmeCo.DMZ
 host 192.168.0.2
 description  server in DMZ - accessed on ports 80 & 81
object network DMZ-gfgfg.AcmeCo.DMZ
 host 192.168.0.4
 description  - accessed on port 80
object network A_2.2.2.69
 host 2.2.2.69
object network PublicServer_DMZ_petcat1
 host 192.168.0.4
object network PublicServer_petgoldfish_server
 host 128.1.28.4
object network A_2.2.2.70
 host 2.2.2.70
object network DMZ-minniemouse
 host 192.168.0.6
object network PublicServer_DMZ-minniemouse
 host 192.168.0.6
object network A_2.2.2.71
 host 2.2.2.71
object network email_server
 host 128.1.1.2
object network PublicServer_email_server
 host 128.1.1.2
object network A_2.2.2.72
 host 2.2.2.72
object network dmz_server
 host 192.168.0.51
 description r - public facing IIS
object network DNS_Server
 host 128.1.1.4
 description
object network PublicServer_dmz_server
 host 192.168.0.51
object network A_2.2.2.73
 host 2.2.2.73
object network database_server
 host 128.1.2.67
 description Database server
object network ourstreet_Core_DATA_address
 host 128.1.0.1
object network virus_server
 host 172.17.0.45
object network random_VLAN
 subnet 172.31.0.0 255.255.255.224
object network NETWORK_OBJ_172.19.0.17
 host 172.19.0.17
object network random_random_subnet
 subnet 128.1.28.0 255.255.252.0
object network random_data_subnet
 subnet 128.1.252.0 255.255.252.0
object network random_random_subnet
 subnet 172.31.0.32 255.255.255.224
object network web_server
 host 128.1.1.55
object network remote_office_subnet
 subnet 128.1.96.0 255.255.252.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object eq ssh
 port-object eq telnet

object-group network AnyStreet_ALL_DATA_VLANs
 description Network object group representing all ourstreet Rd DATA VLANs (not VOICE)
 network-object object AnyStreet_DATA_VLAN
 network-object object AnyStreet_VLAN_17
 network-object object AnyStreet_VLAN_18
 network-object object AnyStreet_VLAN_19
 network-object object AnyStreet_VLAN_20
 network-object object AnyStreet_VLAN_21
 network-object object AnyStreet_VLAN_22
 network-object object AnyStreet_VLAN_23
object-group service randomly_chosen_ports tcp
 port-object eq 81
 port-object eq www
object-group service petgoldfish_ports_range tcp
 description service object-group identifying ports for petgoldfishsoft to connect to random petgoldfish server
 port-object eq 41000
 port-object eq 42000
 port-object eq 43000
 port-object eq 44000
 port-object eq 45000
 port-object eq 46000
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service remote_desktop_protocol tcp
 port-object eq 3389
object-group service SQL_Server_port tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq sqlnet
 group-object remote_desktop_protocol
 group-object SQL_Server_port
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object object random_random_subnet
 group-object AnyStreet_ALL_DATA_VLANs
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_2
 network-object object random_random_subnet
 group-object AnyStreet_ALL_DATA_VLANs
object-group network DM_INLINE_NETWORK_3
 network-object object random_random_subnet
 group-object AnyStreet_ALL_DATA_VLANs
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_4
 group-object AnyStreet_ALL_DATA_VLANs
 network-object object random_random_subnet
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_5
 network-object 128.1.28.0 255.255.252.0
 group-object AnyStreet_ALL_DATA_VLANs
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
access-list outside_access extended deny tcp any object dmz_server eq www
access-list outside_access extended permit tcp host x.x.x.x host 128.1.3.200 eq www
access-list outside_access extended permit tcp object AcmeCoFM-petgoldfishsoft.co.uk object petgoldfish_server object-group petgoldfish_ports_range log
access-list outside_access extended permit object crazy_app_application_port any object crazy_app_Application_Server
access-list outside_access extended permit tcp any object DMZ-apps99.AcmeCo.DMZ object-group randomly_chosen_ports log
access-list outside_access extended permit tcp any object DMZ-petcat1.AcmeCo.DMZ eq www
access-list outside_access extended permit tcp any object DMZ-minniemouse eq www log
access-list outside_access extended permit tcp any object email_server eq smtp
access-list inside_access_in extended permit ip host 172.19.0.17 any log
access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.255.0 object-group AnyStreet_ALL_DATA_VLANs
access-list dmz_access_in extended permit tcp object dmz_server object virus_server object-group DM_INLINE_TCP_3 log
access-list dmz_access_in extended permit tcp object dmz_server object database_server object-group DM_INLINE_TCP_4
access-list dmz_access_in extended permit udp object dmz_server object DNS_Server eq domain
access-list dmz_access_in extended permit tcp object dmz_server any object-group DM_INLINE_TCP_2
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 object AnyStreet_DATA_VLAN object remote_office_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_3 object-group AnyStreet_ALL_DATA_VLANs object random_data_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_6 object-group DM_INLINE_NETWORK_5 object random_random_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 object random_VLAN
access-list inside_access_in_1 extended permit ip object web_server any
access-list inside_access_in_1 extended permit udp object DNS_Server object dmz_server eq domain
access-list inside_access_in_1 extended permit ip object Brussels object AcmeCo_Group_Public_Web_Server
access-list inside_access_in_1 extended permit ip object group_VPN_Client_subnet 192.168.0.0 255.255.255.0
access-list inside_access_in_1 extended permit ip object-group AnyStreet_ALL_DATA_VLANs 192.168.0.0 255.255.255.0
access-list inside_access_in_1 extended permit object crazy_app_application_port object southern_firm 192.168.0.0 255.255.255.0
access-list inside_access_in_1 extended permit tcp object-group Hosts_allowed_out any object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_1 object random_VLAN
access-list outside_2_cryptomap extended permit object-group DM_INLINE_PROTOCOL_4 object-group AnyStreet_ALL_DATA_VLANs object random_data_subnet
access-list outside_3_cryptomap extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_4 object random_random_subnet
access-list outside_4_cryptomap extended permit object-group DM_INLINE_PROTOCOL_8 object AnyStreet_DATA_VLAN object remote_office_subnet
pager lines 24
logging enable
logging buffer-size 10000
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static random_VLAN random_VLAN
nat (inside,outside) source static AnyStreet_ALL_DATA_VLANs AnyStreet_ALL_DATA_VLANs destination static random_data_subnet random_data_subnet
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static random_random_subnet random_random_subnet
nat (inside,outside) source static AnyStreet_DATA_VLAN AnyStreet_DATA_VLAN destination static remote_office_subnet remote_office_subnet
nat (inside,outside) source dynamic any interface
!
object network PublicServer_NAT1
 nat (inside,outside) static A_2.2.2.67
object network PublicServerrandom
 nat (inside,outside) static A_2.2.2.68
object network PublicServer_DMrandom
 nat (dmz,outside) static A_2.2.2.69
object network PublicServer_petgoldfish_server
 nat (inside,outside) static A_2.2.2.70
object network PublicServer_random1
 nat (dmz,outside) static A_2.2.2.71
object network PublicServer_Crandom
 nat (inside,outside) static A_2.2.2.72
object network PublicServer_random
 nat (dmz,outside) static A_2.2.2.73
access-group outside_access in interface outside
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.65 1
route inside 128.1.28.0 255.255.252.0 128.1.0.21 1
route inside 172.17.0.0 255.255.255.0 128.1.0.1 1
route inside 172.19.0.0 255.255.255.0 128.1.0.1 1
route inside 172.20.0.0 255.255.255.0 128.1.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 128.1.0.0 255.255.252.0 management
http 172.19.0.17 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer x.x.x.x
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 1.1.1.1
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.19.0.17 255.255.255.255 inside
ssh timeout 45
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.1.0.1 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
username me password pmXITyl encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:491733dae9292c451cb84a2
: end

Avatar of support_ferret

ASKER

Sorry, perhaps this will be easier to manage
!
! Last configuration change at 20:25:19 BST Wed Jul 21 2010 by admin4ms
! NVRAM config last updated at 20:32:57 BST Wed Jul 21 2010 by admin4ms
!
version 15.0
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname Acme_Automobiles
!
boot-start-marker
boot system flash c870-advsecurityk9-mz.150-1.M2.bin
boot-end-marker
!
logging buffered 100000
enable secret 5 $1$/.ZV$9g5Q4zuKEROka1SJLYi8C.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-2227981338
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2227981338
 revocation-check none
 rsakeypair TP-self-signed-2227981338
!
!
crypto pki certificate chain TP-self-signed-2227981338
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 2D536967 6E65642D 43657274
  69666963 6174652D 32323237 39383133 3338301E 170D3032 30333031 30303036
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32323739
  3831333 8C54F1EB 5AB18EEC 5D2FA25A
  301D0603 551D0E04 1604148B 49444E65 A484F98C 54F1EB5A B18EEC5D 2FA25A30
  0D06092A 864886F7 0D010104 05000381 810023F1 24FAEC98 D6B0E69B 2D1E06A8
  6636A547F76
  17236302 78A0DCFE CE4052CC 6FED12BF F4AAB4B3 2D48D524 8D0942F0 1333C3AE
  0F8820C9 28AF1C24 B2D7F593 8E2D2C43 76CF
        quit
dot11 syslog
ip source-route
!
!
ip cef
ip inspect name FIREWALL_100 tcp
ip inspect name FIREWALL_100 udp
ip inspect name FIREWALL_100 icmp
no ip domain lookup
ip domain name Acme
!
!
!
!
archive
 log config
  hidekeys
username me privilege 15 password 0 me
!
!
ip ftp username me
ip ftp password password
!
!
crypto keyring isakmp
  pre-shared-key address x.x.x.x key *********
  pre-shared-key address 2.2.2.2 key ********
crypto keyring isakmp_keyring_2
  pre-shared-key address 2.2.2.2 key *******
!
crypto isakmp policy 8
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 9
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key *********** address 2.2.2.2 no-xauth
crypto isakmp fragmentation
crypto isakmp profile isakmp
   keyring isakmp
   match identity address x.x.x.x 255.255.255.255
crypto isakmp profile isakmp_2
   keyring isakmp_keyring_2
   match identity address 2.2.2.2 255.255.255.255
!
!
crypto ipsec transform-set 3DES-SHA esp-des esp-md5-hmac
crypto ipsec transform-set Acme_transform esp-aes 256 esp-sha-hmac
!
crypto map ipsec 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 100000
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set isakmp-profile isakmp
 match address LAN
!
crypto map Acme_crypto_map 10 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime kilobytes 100000
 set security-association lifetime seconds 28800
 set transform-set 3DES-SHA
 set isakmp-profile isakmp_2
 match address LAN
!
!
!
!
interface Loopback0
 description !! Acme Automobiles ADSL DIALER !!
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly
!
interface Loopback100
 ip address x.x.x.x 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface Loopback200
 no ip address
!
interface ATM0
 description !! Acme Automobiles ADSL INTERFACE !!
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode itu-dmt
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface FastEthernet0
 description !! LOCAL LINK TO LAN !!
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 128.1.96.254 255.255.252.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 arp timeout 300
!
interface Dialer0
 description !! Acme Automobiles ADSL DIALER !!
 ip address negotiated
 ip access-group FIREWALL_ACL in
 ip inspect FIREWALL_100 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap callin
 ppp chap hostname Cuser@user.com
 ppp chap password 0 ********
 no cdp enable
 crypto map ipsec
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat translation timeout 600
ip nat pool translate 128.1.249.0 128.1.249.254 prefix-length 24
ip route 0.0.0.0 0.0.0.0 128.1.96.1
ip route 128.1.0.0 255.255.252.0 Dialer0 name Acme-Server
ip route 128.1.0.1 255.255.255.255 128.1.96.1
ip route 128.1.0.65 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.1.8 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.1.55 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.2.69 255.255.255.255 Dialer0 name Acme-Server
ip route 128.1.2.94 255.255.255.255 Dialer0 name Acme-Server
ip route x.x.x.x 255.255.255.255 Dialer0 name Acme-Outside-NewYork
ip route x.x.x.x 255.255.255.255 Dialer0 name Supportfirm
!
ip access-list standard vty
 permit x.x.x.x
 permit x.x.x.x 0.0.0.7
 permit 128.1.96.0 0.0.3.255
 permit 128.1.100.0 0.0.3.255
!
ip access-list extended FIREWALL_ACL
 permit ahp host 2.2.2.2 any
 permit esp host 2.2.2.2 any
 permit udp host 2.2.2.2 any eq isakmp
 permit udp host 2.2.2.2 any eq non500-isakmp
 permit ahp host x.x.x.x any
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
 permit udp host x.x.x.x any eq non500-isakmp
 permit ip 128.1.0.0 0.0.3.255 128.1.96.0 0.0.3.255
 permit ip 128.1.0.0 0.0.3.255 128.1.249.0 0.0.0.255
 deny   ip 128.1.249.0 0.0.0.255 any
 deny   ip 128.1.96.0 0.0.3.255 any
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
ip access-list extended LAN
 permit ip 128.1.96.0 0.0.3.255 128.1.0.0 0.0.3.255
ip access-list extended NAT
 permit ip 128.1.249.0 0.0.0.255 128.0.0.0 0.255.255.255
 permit ip 128.1.249.0 0.0.0.255 host 172.20.0.13
!
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.1.8
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.0.65
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.1.55
access-list 100 permit ip 128.1.96.0 0.0.3.255 host 128.1.2.69
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 session-timeout 60
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp source Vlan1
ntp server 128.1.0.1 source Vlan1
end


ASA Version 8.3(1)
!
hostname AcmeCo-ASA
domain-name AcmeCo.co.uk
enable password SHqXegvm4webmUwc encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.192
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 128.1.0.24 255.255.252.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.0.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 no ip address
 management-only
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name AcmeCo.co.uk
object network A_2.2.2.67
 host 2.2.2.67
object network PublicServer_NAT1
 host 128.1.3.200
object network AnyStreet_VLAN_19
 subnet 172.19.0.0 255.255.255.0
object network AnyStreet_Voice_VLAN
 subnet 172.16.0.0 255.255.254.0
object network Northern_subnet
 subnet 128.1.4.0 255.255.252.0
object network Brussels
 subnet 128.1.152.0 255.255.252.0
object network random_partial_subnet
 subnet 128.1.29.0 255.255.255.0
 description random random second /24 subnet
object network AnyStreet_DATA_VLAN
 subnet 128.1.0.0 255.255.252.0
object network AnyStreet_VLAN_18
 subnet 172.18.0.0 255.255.255.0
object network AnyStreet_VLAN_20
 subnet 172.20.0.0 255.255.255.0
object network AnyStreet_VLAN_21
 subnet 172.21.0.0 255.255.255.0
object network AnyStreet_VLAN_22
 subnet 172.22.0.0 255.255.255.0
object network AnyStreet_VLAN_17
 subnet 172.17.0.0 255.255.255.0
object network AnyStreet_VLAN_23
 subnet 172.23.0.0 255.255.255.0
object network DMZ-klklk.AcmeCo.DMZ
 host 192.168.0.2
 description  server in DMZ - accessed on ports 80 & 81
object network DMZ-gfgfg.AcmeCo.DMZ
 host 192.168.0.4
 description  - accessed on port 80
object network A_2.2.2.69
 host 2.2.2.69
object network PublicServer_DMZ_petcat1
 host 192.168.0.4
object network PublicServer_petgoldfish_server
 host 128.1.28.4
object network A_2.2.2.70
 host 2.2.2.70
object network DMZ-minniemouse
 host 192.168.0.6
object network PublicServer_DMZ-minniemouse
 host 192.168.0.6
object network A_2.2.2.71
 host 2.2.2.71
object network email_server
 host 128.1.1.2
object network PublicServer_email_server
 host 128.1.1.2
object network A_2.2.2.72
 host 2.2.2.72
object network dmz_server
 host 192.168.0.51
 description r - public facing IIS
object network DNS_Server
 host 128.1.1.4
 description 
object network PublicServer_dmz_server
 host 192.168.0.51
object network A_2.2.2.73
 host 2.2.2.73
object network database_server
 host 128.1.2.67
 description Database server
object network ourstreet_Core_DATA_address
 host 128.1.0.1
object network virus_server
 host 172.17.0.45
object network random_VLAN
 subnet 172.31.0.0 255.255.255.224
object network NETWORK_OBJ_172.19.0.17
 host 172.19.0.17
object network random_random_subnet
 subnet 128.1.28.0 255.255.252.0
object network random_data_subnet
 subnet 128.1.252.0 255.255.252.0
object network random_random_subnet
 subnet 172.31.0.32 255.255.255.224
object network web_server
 host 128.1.1.55
object network remote_office_subnet
 subnet 128.1.96.0 255.255.252.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
 port-object eq ftp
 port-object eq ssh
 port-object eq telnet

object-group network AnyStreet_ALL_DATA_VLANs
 description Network object group representing all ourstreet Rd DATA VLANs (not VOICE)
 network-object object AnyStreet_DATA_VLAN
 network-object object AnyStreet_VLAN_17
 network-object object AnyStreet_VLAN_18
 network-object object AnyStreet_VLAN_19
 network-object object AnyStreet_VLAN_20
 network-object object AnyStreet_VLAN_21
 network-object object AnyStreet_VLAN_22
 network-object object AnyStreet_VLAN_23
object-group service randomly_chosen_ports tcp
 port-object eq 81
 port-object eq www
object-group service petgoldfish_ports_range tcp
 description service object-group identifying ports for petgoldfishsoft to connect to random petgoldfish server
 port-object eq 41000
 port-object eq 42000
 port-object eq 43000
 port-object eq 44000
 port-object eq 45000
 port-object eq 46000
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service remote_desktop_protocol tcp
 port-object eq 3389
object-group service SQL_Server_port tcp
 port-object eq 1433
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq sqlnet
 group-object remote_desktop_protocol
 group-object SQL_Server_port
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object object random_random_subnet
 group-object AnyStreet_ALL_DATA_VLANs
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_2
 network-object object random_random_subnet
 group-object AnyStreet_ALL_DATA_VLANs
object-group network DM_INLINE_NETWORK_3
 network-object object random_random_subnet
 group-object AnyStreet_ALL_DATA_VLANs
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_4
 group-object AnyStreet_ALL_DATA_VLANs
 network-object object random_random_subnet
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_5
 network-object 128.1.28.0 255.255.252.0
 group-object AnyStreet_ALL_DATA_VLANs
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_7
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_8
 protocol-object ip
 protocol-object icmp
access-list outside_access extended deny tcp any object dmz_server eq www
access-list outside_access extended permit tcp host x.x.x.x host 128.1.3.200 eq www
access-list outside_access extended permit tcp object AcmeCoFM-petgoldfishsoft.co.uk object petgoldfish_server object-group petgoldfish_ports_range log
access-list outside_access extended permit object crazy_app_application_port any object crazy_app_Application_Server
access-list outside_access extended permit tcp any object DMZ-apps99.AcmeCo.DMZ object-group randomly_chosen_ports log
access-list outside_access extended permit tcp any object DMZ-petcat1.AcmeCo.DMZ eq www
access-list outside_access extended permit tcp any object DMZ-minniemouse eq www log
access-list outside_access extended permit tcp any object email_server eq smtp
access-list inside_access_in extended permit ip host 172.19.0.17 any log
access-list dmz_access_in extended permit icmp 192.168.0.0 255.255.255.0 object-group AnyStreet_ALL_DATA_VLANs
access-list dmz_access_in extended permit tcp object dmz_server object virus_server object-group DM_INLINE_TCP_3 log
access-list dmz_access_in extended permit tcp object dmz_server object database_server object-group DM_INLINE_TCP_4
access-list dmz_access_in extended permit udp object dmz_server object DNS_Server eq domain
access-list dmz_access_in extended permit tcp object dmz_server any object-group DM_INLINE_TCP_2
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 object AnyStreet_DATA_VLAN object remote_office_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_3 object-group AnyStreet_ALL_DATA_VLANs object random_data_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_6 object-group DM_INLINE_NETWORK_5 object random_random_subnet
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_2 object random_VLAN
access-list inside_access_in_1 extended permit ip object web_server any
access-list inside_access_in_1 extended permit udp object DNS_Server object dmz_server eq domain
access-list inside_access_in_1 extended permit ip object Brussels object AcmeCo_Group_Public_Web_Server
access-list inside_access_in_1 extended permit ip object group_VPN_Client_subnet 192.168.0.0 255.255.255.0
access-list inside_access_in_1 extended permit ip object-group AnyStreet_ALL_DATA_VLANs 192.168.0.0 255.255.255.0
access-list inside_access_in_1 extended permit object crazy_app_application_port object southern_firm 192.168.0.0 255.255.255.0
access-list inside_access_in_1 extended permit tcp object-group Hosts_allowed_out any object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_1 object random_VLAN
access-list outside_2_cryptomap extended permit object-group DM_INLINE_PROTOCOL_4 object-group AnyStreet_ALL_DATA_VLANs object random_data_subnet
access-list outside_3_cryptomap extended permit object-group DM_INLINE_PROTOCOL_5 object-group DM_INLINE_NETWORK_4 object random_random_subnet
access-list outside_4_cryptomap extended permit object-group DM_INLINE_PROTOCOL_8 object AnyStreet_DATA_VLAN object remote_office_subnet
pager lines 24
logging enable
logging buffer-size 10000
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static random_VLAN random_VLAN
nat (inside,outside) source static AnyStreet_ALL_DATA_VLANs AnyStreet_ALL_DATA_VLANs destination static random_data_subnet random_data_subnet
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static random_random_subnet random_random_subnet
nat (inside,outside) source static AnyStreet_DATA_VLAN AnyStreet_DATA_VLAN destination static remote_office_subnet remote_office_subnet
nat (inside,outside) source dynamic any interface
!
object network PublicServer_NAT1
 nat (inside,outside) static A_2.2.2.67
object network PublicServerrandom
 nat (inside,outside) static A_2.2.2.68
object network PublicServer_DMrandom
 nat (dmz,outside) static A_2.2.2.69
object network PublicServer_petgoldfish_server
 nat (inside,outside) static A_2.2.2.70
object network PublicServer_random1
 nat (dmz,outside) static A_2.2.2.71
object network PublicServer_Crandom
 nat (inside,outside) static A_2.2.2.72
object network PublicServer_random
 nat (dmz,outside) static A_2.2.2.73
access-group outside_access in interface outside
access-group inside_access_in in interface inside control-plane
access-group inside_access_in_1 in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 2.2.2.65 1
route inside 128.1.28.0 255.255.252.0 128.1.0.21 1
route inside 172.17.0.0 255.255.255.0 128.1.0.1 1
route inside 172.19.0.0 255.255.255.0 128.1.0.1 1
route inside 172.20.0.0 255.255.255.0 128.1.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 128.1.0.0 255.255.252.0 management
http 172.19.0.17 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs group5
crypto map outside_map 3 set peer x.x.x.x
crypto map outside_map 3 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 1.1.1.1
crypto map outside_map 4 set transform-set ESP-DES-MD5
crypto map outside_map 4 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh 172.19.0.17 255.255.255.255 inside
ssh timeout 45
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 128.1.0.1 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
username me password pmXIn7DkeNMEbTyl encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:491733dae929cd18308512c451cb84a2
: end

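One thing worth checking mechanically against the two configs above: IOS fills in any attribute omitted from a `crypto isakmp policy` with its own defaults, and those are not the same as the ASA's, so policies that look alike on screen can still fail to agree. The script below is an added example, not code from the thread or from Cisco: it parses the phase 1 policy blocks copied from the two configs above, fills in each platform's defaults (the default values are stated as an assumption in the code and should be confirmed on the devices) and lists which ASA/IOS policy pairs can agree on encryption, hash, DH group and authentication.

```python
import re

# Phase 1 policy blocks copied from the two configs posted in this thread.
IOS_POLICIES = """
crypto isakmp policy 8
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 9
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
"""

ASA_POLICIES = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

# Values an omitted attribute takes on each platform.  ASSUMPTION: these are the
# platform defaults as I know them for IOS 15.0 and ASA 8.3; confirm on the box with
# "show crypto isakmp policy" (IOS) and "show running-config all" (ASA).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                "authentication": "rsa-sig", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "group": "2",
                "authentication": "pre-share", "lifetime": "86400"}

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)")
# lifetime is negotiated down to the shorter value, so it is not a match criterion
MATCH_KEYS = ("encryption", "hash", "group", "authentication")


def normalize_cipher(tokens):
    """IOS 'aes 256' and ASA 'aes-256' mean the same; bare 'aes' is 128-bit on both."""
    name = "-".join(tokens)
    return "aes-128" if name == "aes" else name


def parse_policies(config, defaults):
    """Return {priority: effective attributes}, omitted attributes filled from defaults."""
    policies, cur = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level line: new context
            mo = POLICY_RE.match(line)
            cur = int(mo.group(1)) if mo else None
            if cur is not None:
                policies[cur] = dict(defaults)
            continue
        if cur is None:
            continue
        key, *values = line.split()
        if key in ("encr", "encryption"):
            policies[cur]["encryption"] = normalize_cipher(values)
        elif key in ("hash", "group", "authentication", "lifetime"):
            policies[cur][key] = values[0]
    return policies


def matching_policies(asa_config, ios_config):
    """(ASA priority, IOS priority) pairs whose effective proposals agree."""
    asa = parse_policies(asa_config, ASA_DEFAULTS)
    ios = parse_policies(ios_config, IOS_DEFAULTS)
    return [(a, i) for a in sorted(asa) for i in sorted(ios)
            if all(asa[a][k] == ios[i][k] for k in MATCH_KEYS)]


if __name__ == "__main__":
    for side, cfg, defaults in (("IOS", IOS_POLICIES, IOS_DEFAULTS),
                                ("ASA", ASA_POLICIES, ASA_DEFAULTS)):
        for prio, attrs in parse_policies(cfg, defaults).items():
            print(side, prio, attrs)
    print("compatible pairs:", matching_policies(ASA_POLICIES, IOS_POLICIES))
```

For the two configs above this reports ASA policy 10 pairing with IOS policy 9 (IOS supplies the default `hash sha`) and ASA policy 20 pairing with IOS policies 8 and 10 (IOS supplies the default `encr des`), so phase 1 proposals were indeed compatible and the fault had to lie elsewhere.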

Avatar of anoopkmr
anoopkmr

DPD is disabled by default on routers and it is enabled on ASA by default.
So as a workaround we will disable it on ASA.
The command is as follows:

tunnel-group x.x.x.x ipsec-attributes
 isakmp keepalive disable

x.x.x.x is the peer IP of your 800 router.

Try this and let me know the status, so that we can proceed further.
Avatar of support_ferret

ASKER

I have just made this change and enabled the crypto map again.  Unfortunately I am still getting the same errors logged.
Avatar of anoopkmr
anoopkmr

Type the below command on the ASA:

crypto isakmp nat-traversal 60

The router should automatically detect NAT-traversal.

Try it and let me know.
Avatar of support_ferret

ASKER

OK, thanks!  I will give it a go tomorrow as I am home for the evening now.  Does the command only affect the default parameters?  Each crypto entry on the ASA has the option to enable or disable NAT-T (via the GUI).
Avatar of anoopkmr
anoopkmr

The GUI I need to check.
Yes, it will affect only the default parameters.
Avatar of support_ferret

ASKER

I will make the change and also modify the crypto map on the Cisco 800 so that it has multiple entries.  Then I can test the intended tunnel during the day without interrupting service for the site.
Avatar of support_ferret

ASKER

I will re-test this tonight - during this process I noticed a problem which you would not be able to see in the sanitised 800 config.  This is a routing problem, and would definitely prevent the VPN tunnel coming up!  It would also explain the one-sided nature of the error logs!

I will let you know what happens.
Avatar of support_ferret

ASKER

The problem is resolved!  Thank you for your help - the stepping through of the process revealed there was no route for the remote peer (there were two routers on site and only the old PIX address was present on the 800).  After this point the error logs were easy to read.  I had malformed packet problems, then key exchange issues.  I re-entered the keys and the superfluous isakmp profiles that were matching up incorrectly, then all the SAs were built.
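The root cause reported in the post above (no route on the 877 for the new ASA peer, so the router's IKE replies followed the default route onto the LAN instead of leaving via the Dialer interface that carries the crypto map) is cheap to check mechanically before chasing DPD or NAT-T settings. The script below is an added example, not code from the thread or from Cisco: it parses an IOS-style config for crypto-map peers, the interface each map is applied to, and the connected and static routes, then does a longest-prefix match (resolving next-hop-only routes recursively) and reports any peer that would egress via an interface other than the one the crypto map is applied to. The config text is constructed to reproduce the thread's symptom: the 128.1.96.0/22 LAN mirrors the 877 config, while the 203.0.113.x peer addresses are made up from the documentation range.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed IOS config fragment (NOT the thread's real config).  It mirrors the
# failure described in the thread: the default route points at the LAN gateway,
# only the OLD peer has a host route via Dialer0, and the NEW peer is unrouted.
# Peer addresses are made up from the 203.0.113.0/24 documentation range.
SAMPLE_CONFIG = """
crypto map ipsec 10 ipsec-isakmp
 set peer 203.0.113.10
crypto map ipsec 20 ipsec-isakmp
 set peer 203.0.113.20
!
interface Vlan1
 ip address 128.1.96.254 255.255.252.0
!
interface Dialer0
 ip address negotiated
 crypto map ipsec
!
ip route 0.0.0.0 0.0.0.0 128.1.96.1
ip route 203.0.113.10 255.255.255.255 Dialer0 name Old-PIX
"""

IP = r"\d+\.\d+\.\d+\.\d+"
IFACE_RE = re.compile(r"^interface (\S+)")
IPADDR_RE = re.compile(rf"^ ip address ({IP}) ({IP})")
APPLY_RE = re.compile(r"^ crypto map (\S+)\s*$")
MAP_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")
PEER_RE = re.compile(rf"^ set peer ({IP})")
ROUTE_RE = re.compile(rf"^ip route ({IP}) ({IP}) (.+)$")

# prefix: IPv4Network; iface: outgoing interface or None; nexthop: IPv4Address or None
Route = namedtuple("Route", "prefix iface nexthop")


def parse(config):
    """Return (routes, crypto-map -> interface, crypto-map -> set of peer addresses)."""
    routes, map_iface, peers = [], {}, {}
    ctx_iface = ctx_map = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level line starts a new context
            ctx_iface = ctx_map = None
            if mo := IFACE_RE.match(line):
                ctx_iface = mo.group(1)
            elif mo := MAP_RE.match(line):
                ctx_map = mo.group(1)
                peers.setdefault(ctx_map, set())
            elif mo := ROUTE_RE.match(line):
                prefix = ipaddress.IPv4Network(f"{mo.group(1)}/{mo.group(2)}", strict=False)
                iface = nexthop = None
                for tok in mo.group(3).split():
                    if tok in ("name", "tag", "track"):   # trailing options, not a hop
                        break
                    if re.fullmatch(IP, tok):
                        nexthop = ipaddress.IPv4Address(tok)
                    elif tok[0].isalpha() and iface is None and tok != "permanent":
                        iface = tok
                routes.append(Route(prefix, iface, nexthop))
            continue
        if ctx_iface:
            if mo := IPADDR_RE.match(line):   # connected route for this interface
                prefix = ipaddress.IPv4Network(f"{mo.group(1)}/{mo.group(2)}", strict=False)
                routes.append(Route(prefix, ctx_iface, None))
            elif mo := APPLY_RE.match(line):
                map_iface[mo.group(1)] = ctx_iface
        elif ctx_map and (mo := PEER_RE.match(line)):
            peers[ctx_map].add(mo.group(1))
    return routes, map_iface, peers


def egress_interface(routes, dest, depth=0):
    """Longest-prefix match for dest; a next-hop-only route is resolved recursively."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        return None
    if best.iface:
        return best.iface
    if depth > 8:                             # guard against next-hop loops
        return None
    return egress_interface(routes, str(best.nexthop), depth + 1)


def check_peers(config):
    """peer -> (interface the crypto map is applied to, interface the peer is routed via)."""
    routes, map_iface, peers = parse(config)
    return {peer: (map_iface.get(name), egress_interface(routes, peer))
            for name, addrs in peers.items() for peer in sorted(addrs)}


def misrouted_peers(config):
    """Peers whose IKE/ESP traffic would leave via an interface without the crypto map."""
    return [p for p, (want, got) in check_peers(config).items() if want != got]


if __name__ == "__main__":
    for peer, (want, got) in check_peers(SAMPLE_CONFIG).items():
        print(f"{peer}: crypto map on {want}, routed via {got} -> "
              f"{'ok' if want == got else 'MISROUTED'}")
```

On the constructed config the old peer resolves to Dialer0 and passes, while the new peer falls through to the default route, resolves via the connected Vlan1 prefix and is flagged. A crypto map applied to no interface shows up the same way (applied interface None), and a peer with no matching route at all reports None as its egress interface.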
Avatar of anoopkmr
anoopkmr

OK, thanks for the update.  If you are satisfied with my help, then share the points.
Avatar of support_ferret

ASKER

Solution was a routing problem that was masked by the sanitised config.  I have awarded all points to anoopkmr as the process we went through revealed the error - specifically when I went to add another cryptomap entry and noticed there was no route for the new ASA remote peer.