be_root
asked on
Cisco ASA 5520 error 106015
Hello dear experts. Please help me resolve my problem. My company decided to migrate all network devices to Cisco. I haven't had problems with configuring routers and switches, but I have some problems with ASA firewalls.
Let me explain my network map to you. I have 3 HQ offices in one city: the DataCentre Block, my CampusModel Block, and my second office (it's for only 65 people). In addition I have 17 SOHO regions; they connect through IPsec over the internet (it works perfectly).
My devices in the core layer are (3825 and one 2960; soon I'll change them to 3750 in a stack).
My firewall in Campus is an ASA 5520.
And my firewall in the DataCentre is FreeBSD.
The Internet is also connected to FreeBSD with an ASA 5540.
Well, the question is: my Campus FW drops the TCP session after holding on for nearly 20 minutes with error 106015, for example: Deny TCP (no connection) from 192.168.240.243/23 to 192.168.2.248/2014 flags FIN PSH ACK on interface 240
Because the ASA does not support IPIP or GRE tunneling, I made a default route to the core, and then direct IPsec to the DataCentre FW; also I'm using DHCP relay on my Windows server. Please help me to solve it. Thank you!
My ASA conf is:
ASA Version 8.3(1)
!
hostname GW-ALA-MO
enable password HGZ6CLO2y4qv2hrb encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.63.14 255.255.255.252
!
interface GigabitEthernet0/1
description trunk
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.100
description Office_DMZ
vlan 100
nameif dmz
security-level 20
ip address 10.100.100.1 255.255.255.0
!
interface GigabitEthernet0/1.240
description Admin_Vlan
vlan 240
nameif 240
security-level 0
ip address 192.168.240.1 255.255.255.0
!
interface GigabitEthernet0/1.241
description Block_GenDir
vlan 241
nameif 241
security-level 0
ip address 192.168.241.1 255.255.255.0
!
interface GigabitEthernet0/1.242
description Admin_Block
vlan 242
nameif 242
security-level 0
ip address 192.168.242.1 255.255.255.0
!
interface GigabitEthernet0/1.243
description Fin_Block
vlan 243
nameif 243
security-level 0
ip address 192.168.243.1 255.255.255.0
!
interface GigabitEthernet0/1.244
description Comm_Block
vlan 244
nameif 244
security-level 0
ip address 192.168.244.1 255.255.255.0
!
interface GigabitEthernet0/1.245
description Block_IT
vlan 245
nameif 245
security-level 0
ip address 192.168.245.1 255.255.255.0
!
interface GigabitEthernet0/1.246
description Block_TECH
vlan 246
nameif 246
security-level 0
ip address 192.168.246.1 255.255.255.0
!
interface GigabitEthernet0/1.247
description Wireless_LAN
vlan 247
nameif 247
security-level 0
ip address 192.168.247.1 255.255.255.0
!
interface GigabitEthernet0/1.248
description EDU_LAN
vlan 248
nameif 248
security-level 0
ip address 192.168.248.1 255.255.255.0
!
interface GigabitEthernet0/1.249
description Guest_LAN
vlan 249
nameif 249
security-level 0
ip address 192.168.249.1 255.255.255.0
!
interface GigabitEthernet0/1.251
description Guest2_LAN
vlan 251
nameif 251
security-level 0
ip address 192.168.251.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif mgmt
security-level 99
no ip address
!
boot system disk0:/asa831-k8.bin
ftp mode passive
clock timezone Almaty 6
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network mo-subnet
subnet 192.168.240.0 255.255.240.0
object-group network vpnip
description dst vpn subnet
network-object 10.200.200.0 255.255.248.0
network-object 172.16.219.0 255.255.255.0
network-object 172.16.241.0 255.255.255.0
network-object 172.16.33.0 255.255.255.0
network-object 172.16.35.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.224.0 255.255.240.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list global extended permit icmp any any echo-reply
access-list global extended permit icmp any any unreachable
access-list global extended permit icmp any any echo
access-list global extended permit icmp any any time-exceeded
access-list global extended permit ip any any
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 192.168.2.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 192.168.3.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 192.168.4.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 10.200.200.0 255.255.248.0
access-list vpn extended permit ip 192.168.240.0 255.255.255.0 192.168.224.0 255.255.240.0
access-list vpn extended permit ip 192.168.245.0 255.255.255.0 192.168.224.0 255.255.240.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.33.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.35.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.241.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.219.0 255.255.255.0
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 172.16.0.0 255.255.255.0 inactive
access-list vpn extended permit ip 192.168.240.0 255.255.240.0 173.16.0.0 255.255.255.0 inactive
pager lines 24
logging enable
logging timestamp
logging list auth level debugging class auth
logging buffer-size 8192
logging buffered errors
logging trap errors
logging history errors
logging asdm errors
logging device-id hostname
logging host 240 10.200.201.6
logging debug-trace
logging class auth trap debugging
logging class config trap debugging
flow-export destination 240 10.200.201.6 9996
flow-export template timeout-rate 1
mtu outside 1500
mtu dmz 1500
mtu 240 1500
mtu 241 1500
mtu 242 1500
mtu 243 1500
mtu 244 1500
mtu 245 1500
mtu 246 1500
mtu 247 1500
mtu 248 1500
mtu 249 1500
mtu 251 1500
mtu mgmt 1500
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface 240
ip verify reverse-path interface 241
ip verify reverse-path interface 242
ip verify reverse-path interface 243
ip verify reverse-path interface 244
ip verify reverse-path interface 246
ip verify reverse-path interface 247
ip verify reverse-path interface 248
ip verify reverse-path interface 249
ip verify reverse-path interface 251
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any unreachable outside
icmp permit any echo outside
icmp permit any time-exceeded outside
icmp permit any echo-reply dmz
icmp permit any unreachable dmz
icmp permit any echo dmz
icmp permit any time-exceeded dmz
icmp permit any echo-reply 240
icmp permit any unreachable 240
icmp permit any echo 240
icmp permit any time-exceeded 240
icmp permit any echo-reply 241
icmp permit any unreachable 241
icmp permit any echo 241
icmp permit any time-exceeded 241
icmp permit any echo-reply 242
icmp permit any unreachable 242
icmp permit any echo 242
icmp permit any time-exceeded 242
icmp permit any echo-reply 243
icmp permit any unreachable 243
icmp permit any echo 243
icmp permit any time-exceeded 243
icmp permit any echo-reply 244
icmp permit any unreachable 244
icmp permit any echo 244
icmp permit any time-exceeded 244
icmp permit any echo-reply 245
icmp permit any unreachable 245
icmp permit any echo 245
icmp permit any time-exceeded 245
icmp permit any echo-reply 246
icmp permit any unreachable 246
icmp permit any echo 246
icmp permit any time-exceeded 246
icmp permit any echo-reply 247
icmp permit any unreachable 247
icmp permit any echo 247
icmp permit any time-exceeded 247
icmp permit any echo-reply 248
icmp permit any unreachable 248
icmp permit any echo 248
icmp permit any time-exceeded 248
icmp permit any echo-reply 249
icmp permit any unreachable 249
icmp permit any echo 249
icmp permit any time-exceeded 249
icmp permit any echo-reply mgmt
icmp permit any unreachable mgmt
icmp permit any echo mgmt
icmp permit any time-exceeded mgmt
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (any,outside) source static mo-subnet mo-subnet destination static vpnip vpnip
nat (245,outside) source static mo-subnet mo-subnet inactive
access-group global global
route outside 0.0.0.0 0.0.0.0 192.168.63.13 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.251 255.255.255.255 240
http 192.168.2.249 255.255.255.255 240
http 192.168.2.248 255.255.255.255 240
http 192.168.245.71 255.255.255.255 245
http 192.168.245.77 255.255.255.255 245
snmp-server host 240 10.200.201.3 community *****
snmp-server host 240 10.200.201.6 community *****
snmp-server location KZ,Almaty,Tolebi st.101,Main Office,8th floor,block "C"
snmp-server contact admin@mtelecom.kz
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps ipsec start stop
crypto ipsec transform-set DES-SHA-HMAC esp-des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec transform-set DES-SHA-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set pfs group5
crypto map outside 10 set peer 192.168.60.14
crypto map outside 10 set transform-set 3DES-SHA-HMAC
crypto map outside 10 set security-association lifetime seconds 86400
crypto map outside 10 set security-association lifetime kilobytes 4608000
crypto map outside 10 set phase1-mode aggressive
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet 8.0.32.0 10.100.100.1 251
telnet timeout 5
ssh 192.168.2.251 255.255.255.255 outside
ssh 192.168.2.249 255.255.255.255 outside
ssh 192.168.2.248 255.255.255.255 outside
ssh 10.200.201.6 255.255.255.255 outside
ssh 192.168.2.251 255.255.255.255 240
ssh 192.168.2.249 255.255.255.255 240
ssh 192.168.2.248 255.255.255.255 240
ssh 10.200.201.6 255.255.255.255 240
ssh 192.168.245.71 255.255.255.255 245
ssh 192.168.245.77 255.255.255.255 245
ssh timeout 60
ssh version 2
console timeout 0
management-access 240
dhcprelay server 192.168.240.4 240
dhcprelay enable 241
dhcprelay enable 242
dhcprelay enable 243
dhcprelay enable 244
dhcprelay enable 245
dhcprelay enable 246
dhcprelay enable 247
dhcprelay enable 248
dhcprelay enable 249
dhcprelay enable 251
dhcprelay setroute 241
dhcprelay setroute 242
dhcprelay setroute 243
dhcprelay setroute 244
dhcprelay setroute 245
dhcprelay setroute 246
dhcprelay setroute 247
dhcprelay setroute 248
dhcprelay setroute 249
dhcprelay setroute 251
dhcprelay timeout 60
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.1 source 240
webvpn
username admin password 80XlMizGu/OFSeeF encrypted privilege 15
username anton password VjRLkMAgG3K/7POJ encrypted
username filipp password Uko.HF3AEtKcyptL encrypted
tunnel-group 192.168.60.14 type ipsec-l2l
tunnel-group 192.168.60.14 ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect ip-options
class class-default
flow-export event-type all destination 10.200.201.6
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d7439dc7ba18791a89fefa639d4a3f27
: end
ASKER
diprajbasu, thanks for your answer, I can see it in my ASDM logging. Maybe you can explain this problem in more detail. Thank you!
ASKER
And, more interesting, I can't ping the other default GW from any subnet.
ASKER CERTIFIED SOLUTION
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
Error Message: %PIX|ASA-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
Explanation: The security appliance discarded a TCP packet that has no associated connection in the security appliance's connection table. The security appliance looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the security appliance discards the packet.
Recommended Action: None required unless the security appliance receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
**************************
http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logsev.html
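The quoted explanation describes two things a practitioner may want to see concretely: the connection-table rule that produces 106015 (a SYN creates state, any other segment with no state is discarded, and idle state ages out), and the Recommended Action of tracing a large volume of these messages back to their source. The Python below is an added example, not code from the original post, from Cisco or from the ASA; the ConnTable class is a deliberate toy model of the rule in the explanation, the idle and half-closed timeouts it uses are taken from the "timeout conn 1:00:00 half-closed 0:10:00" line in the asker's config, the log lines are constructed (the first reuses the addresses from the asker's example message), and the "%ASA-6-106015:" prefix in front of the documented message body is an assumption.

```python
"""Toy model of the 106015 decision plus a parser for the syslog line.
Added example; not code from the original post, Cisco, or the ASA."""
import re
from collections import Counter

# Pattern built from the documented message template; the "%ASA-6-106015:"
# (or "%PIX-...") prefix in front of it is assumed.
LOG_RE = re.compile(
    r"%(?:PIX|ASA)-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def parse_106015(line):
    """Return the fields of one 106015 line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = tuple(rec["flags"].split())
    return rec


def summarize(lines):
    """Count drops per (source address, ingress interface): the first step of
    the quoted Recommended Action when the volume of 106015 messages is large."""
    counts = Counter()
    for line in lines:
        rec = parse_106015(line)
        if rec:
            counts[(rec["src"], rec["iface"])] += 1
    return counts


class ConnTable:
    """Simplified connection table (a toy, not the ASA implementation).
    A SYN creates an entry; a non-SYN segment with no entry gets verdict
    "106015"; an entry expires after idle_timeout seconds, or after
    half_closed_timeout seconds once a FIN has been seen; RST tears it down."""

    def __init__(self, idle_timeout=3600, half_closed_timeout=600):
        self.idle_timeout = idle_timeout
        self.half_closed_timeout = half_closed_timeout
        self.table = {}  # flow key -> (last_seen, half_closed)

    @staticmethod
    def key(src, sport, dst, dport):
        # Direction-independent key so replies hit the same entry.
        return frozenset({(src, sport), (dst, dport)})

    def packet(self, t, src, sport, dst, dport, flags):
        k = self.key(src, sport, dst, dport)
        entry = self.table.get(k)
        if entry is not None:
            last_seen, half_closed = entry
            limit = self.half_closed_timeout if half_closed else self.idle_timeout
            if t - last_seen > limit:
                del self.table[k]  # idle entry aged out
                entry = None
        if entry is None:
            if "SYN" in flags:
                self.table[k] = (t, False)
                return "new-connection"
            return "106015"  # no state and no SYN: discard
        if "RST" in flags:
            del self.table[k]
            return "reset"
        self.table[k] = (t, entry[1] or "FIN" in flags)
        return "forwarded"


# Constructed sample syslog lines (not real captures). The first reuses the
# addresses from the question; the rest are made up, and the last one is
# filler that the parser must ignore.
SAMPLE_LOG = [
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.240.243/23 to 192.168.2.248/2014 flags FIN PSH ACK on interface 240",
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.240.243/23 to 192.168.2.248/2015 flags ACK on interface 240",
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.245.71/3389 to 192.168.2.251/50022 flags PSH ACK on interface 245",
    "%ASA-6-000000: constructed filler line that is not a 106015 message",
]


def simulate_idle_expiry():
    """Walk one flow through the toy table; the timeouts mirror the question's
    'timeout conn 1:00:00 half-closed 0:10:00'. Returns one verdict per segment."""
    ct = ConnTable(idle_timeout=3600, half_closed_timeout=600)
    flow = ("192.168.240.243", 23, "192.168.2.248", 2014)
    return [
        ct.packet(0, *flow, flags={"SYN"}),                  # new-connection
        ct.packet(30, *flow, flags={"ACK"}),                 # forwarded
        ct.packet(100, *flow, flags={"FIN", "ACK"}),         # forwarded, entry now half-closed
        ct.packet(800, *flow, flags={"FIN", "PSH", "ACK"}),  # 700 s idle > 600 s: 106015
        ct.packet(801, *flow, flags={"ACK"}),                # still no entry: 106015
    ]


if __name__ == "__main__":
    for (src, iface), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d} drops from {src} on interface {iface}")
    print(simulate_idle_expiry())
```

The simulation shows why a late FIN/PSH/ACK is logged rather than forwarded: once the entry for the flow has aged out, the segment has no connection and no SYN, so the only possible verdict is a 106015 drop. The summary function is the defender's side of the Recommended Action: feed it the buffered or syslog-exported 106015 lines and the source that is producing most of them surfaces immediately.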