IPSec tunnel not working through ASA
I am having a fit trying to configur an IPSec tunnel through our ASA 5505. We are attempting to connect multiple Netgear FVS318v3 routers on our internal network through the ASA to a hosted Cisco VPN concentrator. The Netgear connects up fine and we can access the hosted network fine from several remote locations (including my home which is NAT'd by a Linksys router) as well as if we bypass the ASA and connect directly to our ISPs router. However, when connected to the ASA the VPN tunnel shows established, but no traffic will pass either way across the tunnel.
The ASA is running version 8.0(4). I have allowed IPSec, isakmp, and UDP 4500 on the ASAs external interface and also enabled NAT-T. I have also verified that the hosting company has NAT-T enabled on the concentrator.
I'd like to avoid static NATing a public IP to each device inside as when these go out into the field they will be used on a myriad of networks. Including placing multiple routers on a single network with a NAT'd Internet connection. Any ideas are greatly appreciated and just let me know if more information is needed.
The ASA is running version 8.0(4). I have allowed IPSec, isakmp, and UDP 4500 on the ASAs external interface and also enabled NAT-T. I have also verified that the hosting company has NAT-T enabled on the concentrator.
I'd like to avoid static NATing a public IP to each device inside as when these go out into the field they will be used on a myriad of networks. Including placing multiple routers on a single network with a NAT'd Internet connection. Any ideas are greatly appreciated and just let me know if more information is needed.
Ernie Beek
Did you check the logging on the asa? Did that show anything?
could you post your config?
ASKER
@erniebeek
I turned debug logging on for IPSec passthrough and attempted to ping a server on the remote network. The only entries I found in the logging that looked remotely relevant were these:
%ASA-7-609001: Built local-host outside:64.XXX.XXX.XXX
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:19
2.168.2.204 dst outside:64.XXX.XXX.XXX
%ASA-7-609002: Teardown local-host outside:64.XXX.XXX.XXX duration 0:00:00
Where 64.XXX.XXX.XXX is the remote concentrators IP and 192.168.2.204 is the address of the Netgear on the network behind the ASA.
I turned debug logging on for IPSec passthrough and attempted to ping a server on the remote network. The only entries I found in the logging that looked remotely relevant were these:
%ASA-7-609001: Built local-host outside:64.XXX.XXX.XXX
%ASA-3-305006: regular translation creation failed for protocol 50 src inside:19
2.168.2.204 dst outside:64.XXX.XXX.XXX
%ASA-7-609002: Teardown local-host outside:64.XXX.XXX.XXX duration 0:00:00
Where 64.XXX.XXX.XXX is the remote concentrators IP and 192.168.2.204 is the address of the Netgear on the network behind the ASA.
ASKER
@mahrens007
Here is the current config
: Saved
:
ASA Version 8.0(4)
!
hostname Hostname
domain-name domain.local
enable password XXXXXXXXXX encrypted
passwd XXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name galactic-empire.local
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp eq 40000
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq 3389
service-object icmp
service-object tcp eq pptp
service-object tcp eq 3390
service-object tcp eq 3391
service-object tcp eq 3392
service-object tcp eq 3393
service-object esp
service-object udp eq isakmp
service-object udp eq 4500
service-object tcp-udp eq 10000
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host XXX.XXX.XXX.XXX
pager lines 24
logging enable
logging buffer-size 20000
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip local pool clientpool 192.168.4.1-192.168.4.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.129 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.2.129 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.32 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 40000 192.168.2.32 40000 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.2.189 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.3 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.2.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.2.182 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 192.168.2.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 192.168.2.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
no vpn-addr-assign aaa
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
l2tp tunnel hello 30
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
group-policy IpsecPolicy internal
group-policy IpsecPolicy attributes
dns-server value 192.168.2.3
default-domain value domain.local
user-authentication disable
tunnel-group DefaultL2LGroup general-attributes
default-group-policy IpsecPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group unityclient type remote-access
tunnel-group unityclient general-attributes
address-pool clientpool
authorization-server-group
default-group-policy IpsecPolicy
tunnel-group unityclient ipsec-attributes
pre-shared-key *
tunnel-group SecondL2LGroup type ipsec-l2l
tunnel-group SecondL2LGroup general-attributes
default-group-policy IpsecPolicy
tunnel-group SecondL2LGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fce2b13a6c2
: end
Here is the current config
: Saved
:
ASA Version 8.0(4)
!
hostname Hostname
domain-name domain.local
enable password XXXXXXXXXX encrypted
passwd XXXXXXX encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
domain-name galactic-empire.local
object-group service DM_INLINE_SERVICE_1
service-object gre
service-object tcp eq 40000
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq www
service-object tcp eq https
service-object tcp eq pop3
service-object tcp eq smtp
service-object tcp eq 3389
service-object icmp
service-object tcp eq pptp
service-object tcp eq 3390
service-object tcp eq 3391
service-object tcp eq 3392
service-object tcp eq 3393
service-object esp
service-object udp eq isakmp
service-object udp eq 4500
service-object tcp-udp eq 10000
access-list acl_out extended permit gre any interface outside
access-list acl_out extended permit tcp any interface outside eq pptp
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list 100 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 any host XXX.XXX.XXX.XXX
pager lines 24
logging enable
logging buffer-size 20000
logging buffered debugging
mtu inside 1500
mtu outside 1500
ip local pool clientpool 192.168.4.1-192.168.4.100
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.2.129 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.2.129 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.2.32 ftp netmask 255.255.255.255
static (inside,outside) tcp interface 40000 192.168.2.32 40000 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.2.189 3389 netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.2.3 pptp netmask 255.255.255.255
static (inside,outside) tcp interface 3390 192.168.2.11 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.2.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.2.3 https netmask 255.255.255.255
static (inside,outside) tcp interface 3391 192.168.2.182 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3392 192.168.2.3 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3393 192.168.2.10 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 YYY.YYY.YYY.YYY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-reco
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association life
time kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set security-association lifetime seconds 28800
crypto dynamic-map cisco 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 set security-association lifetime seconds 28800
crypto map outside_map 65535 set security-association lifetime kilobytes 4608000
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
no vpn-addr-assign aaa
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
console timeout 0
l2tp tunnel hello 30
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
group-policy IpsecPolicy internal
group-policy IpsecPolicy attributes
dns-server value 192.168.2.3
default-domain value domain.local
user-authentication disable
tunnel-group DefaultL2LGroup general-attributes
default-group-policy IpsecPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group unityclient type remote-access
tunnel-group unityclient general-attributes
address-pool clientpool
authorization-server-group
default-group-policy IpsecPolicy
tunnel-group unityclient ipsec-attributes
pre-shared-key *
tunnel-group SecondL2LGroup type ipsec-l2l
tunnel-group SecondL2LGroup general-attributes
default-group-policy IpsecPolicy
tunnel-group SecondL2LGroup ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect pptp
inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:fce2b13a6c2
: end
regular translation creation failed for protocol 50 src inside:192.168.2.204 dst outside:64.XXX.XXX.XXX
Protocol 50 is ESP which is used for IPSec. So it looks like you didn't allow that (or not completely correct).
Perhaps you could post a sanitized configuration here so we can have a look at it.
Do you have a rule like:
access-list outside_access_in extended permit esp host x.x.x.x host y.y.y.y
?
Protocol 50 is ESP which is used for IPSec. So it looks like you didn't allow that (or not completely correct).
Perhaps you could post a sanitized configuration here so we can have a look at it.
Do you have a rule like:
access-list outside_access_in extended permit esp host x.x.x.x host y.y.y.y
?
Damn! that fast :)
Ok, so you got the ESP.
Let me check on the config.
Let me check on the config.
It does not look like NAT-T is taking place, which side is initiating traffic. The error you posted is exactly what you would expect to see with out NAT-T.
ASKER
I have a PC attached to the Netgear which then attaches to the ASA5505 which connects us to the Internet. I have heard back from the hosting company and the device on the other end is an ASA5520. They have double verified that NAT-T is enabled and port 4500 is open on their end.
ASKER
@Cheever000
Sorry, just realized I didn't really answer your question. The Netgear is initiating the tunnel and I have been testing by attempting to initiate traffic from the PC to servers on the hosted network. I have also attempted to ping in the reverse direction though.
Sorry, just realized I didn't really answer your question. The Netgear is initiating the tunnel and I have been testing by attempting to initiate traffic from the PC to servers on the hosted network. I have also attempted to ping in the reverse direction though.
They have double verified that NAT-T is enabled and port 4500 is open on their end
Did they also check the inspect rules:
policy-map global_policy
class inspection_default
inspect pptp
inspect ipsec-pass-thru
?
Did they also check the inspect rules:
policy-map global_policy
class inspection_default
inspect pptp
inspect ipsec-pass-thru
?
ASKER
I'm working to get a copy of the running config from their ASA which I'll post here asap. Any other questions or info I should be requesting from them?
Not yet. I think it is a good idea to first have the remote config. After that the questions might come automatically ;)
ASKER
Here is a fairly sanitized running config from the ASA 5520 on the remote end.
: Saved
:
ASA Version 8.3(2)
!
hostname yyyyyyyyyyyyyy
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.5.44.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxx.xxx.xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network GCI-APP01
host 10.5.44.12
object network GCI-APP02
host 10.5.44.13
object network GCI-DC01
host 10.5.44.10
object network GCI-SQL01
host 10.5.44.11
object network AExt1
host xxx.xxx.xxx.xxx
object network AExt2
host xxx.xxx.xxx.xxx
object network B-APP01_Ext
host xxx.xxx.xxx.xxx
object network B-APP02_Ext
host xxx.xxx.xxx.xxx
object network B-DC01_Ext
host xxx.xxx.xxx.xxx
object network B-SQL01_Ext
host xxx.xxx.xxx.xxx
object network NETWORK_OBJ_10.5.44.0_24
subnet 10.5.44.0 255.255.255.0
object network POS_Test_Network
subnet 192.168.0.0 255.255.255.248
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object B-APP01
network-object object B-APP02
object-group service DM_INLINE_TCP_1 tcp
port-object eq 242
port-object eq 3389
port-object eq 51968
access-list outside_access_in extended permit tcp any object B-SQL01 eq 3389
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit ip 10.5.44.0 255.255.255.0 object POS_Test_Network
access-list outside_cryptomap_65535.2 extended permit ip 10.5.44.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list outside_cryptomap_65535.1 extended permit ip 10.5.44.0 255.255.255.0 object POS_Test_Network
access-list outside_cryptomap_65535.10
access-list outside_1_cryptomap_1 extended permit ip 10.5.44.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging history critical
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.5.44.0_24 NETWORK_OBJ_10.5.44.0_24 destination static POS_Test_Network POS_Test_Network
nat (inside,outside) source static NETWORK_OBJ_10.5.44.0_24 NETWORK_OBJ_10.5.44.0_24 destination static NETWORK_OBJ_192.168.2.0_24
!
object network B-APP01
nat (any,any) static B-APP01_Ext dns
object network B-APP02
nat (any,any) static B-APP02_Ext dns
object network B-DC01
nat (any,any) static B-DC01_Ext dns
object network B-SQL01
nat (any,any) static B-SQL01_Ext dns
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GGG.GGG.GGG.GGG 1
route inside 10.1.0.0 255.255.255.0 10.5.44.1 1
route inside 10.5.0.0 255.255.0.0 10.5.44.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 2 match address outside_cryptomap_65535.2
crypto dynamic-map outside_dyn_map 2 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_65535.10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 aes256-sha1 aes128-sha1 3des-sha1
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group DynamicPolicy type ipsec-l2l
tunnel-group DynamicPolicy ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
: Saved
:
ASA Version 8.3(2)
!
hostname yyyyyyyyyyyyyy
enable password xxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.5.44.254 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server xxx.xxx.xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network GCI-APP01
host 10.5.44.12
object network GCI-APP02
host 10.5.44.13
object network GCI-DC01
host 10.5.44.10
object network GCI-SQL01
host 10.5.44.11
object network AExt1
host xxx.xxx.xxx.xxx
object network AExt2
host xxx.xxx.xxx.xxx
object network B-APP01_Ext
host xxx.xxx.xxx.xxx
object network B-APP02_Ext
host xxx.xxx.xxx.xxx
object network B-DC01_Ext
host xxx.xxx.xxx.xxx
object network B-SQL01_Ext
host xxx.xxx.xxx.xxx
object network NETWORK_OBJ_10.5.44.0_24
subnet 10.5.44.0 255.255.255.0
object network POS_Test_Network
subnet 192.168.0.0 255.255.255.248
object network NETWORK_OBJ_192.168.2.0_24
subnet 192.168.2.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object B-APP01
network-object object B-APP02
object-group service DM_INLINE_TCP_1 tcp
port-object eq 242
port-object eq 3389
port-object eq 51968
access-list outside_access_in extended permit tcp any object B-SQL01 eq 3389
access-list outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_TCP_1
access-list outside_1_cryptomap extended permit ip 10.5.44.0 255.255.255.0 object POS_Test_Network
access-list outside_cryptomap_65535.2 extended permit ip 10.5.44.0 255.255.255.0 192.168.0.8 255.255.255.248
access-list outside_cryptomap_65535.1 extended permit ip 10.5.44.0 255.255.255.0 object POS_Test_Network
access-list outside_cryptomap_65535.10
access-list outside_1_cryptomap_1 extended permit ip 10.5.44.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging history critical
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_10.5.44.0_24 NETWORK_OBJ_10.5.44.0_24 destination static POS_Test_Network POS_Test_Network
nat (inside,outside) source static NETWORK_OBJ_10.5.44.0_24 NETWORK_OBJ_10.5.44.0_24 destination static NETWORK_OBJ_192.168.2.0_24
!
object network B-APP01
nat (any,any) static B-APP01_Ext dns
object network B-APP02
nat (any,any) static B-APP02_Ext dns
object network B-DC01
nat (any,any) static B-DC01_Ext dns
object network B-SQL01
nat (any,any) static B-SQL01_Ext dns
!
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 GGG.GGG.GGG.GGG 1
route inside 10.1.0.0 255.255.255.0 10.5.44.1 1
route inside 10.5.0.0 255.255.0.0 10.5.44.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 2 match address outside_cryptomap_65535.2
crypto dynamic-map outside_dyn_map 2 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_65535.10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer xxx.xxx.xxx.xxx
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
ssh timeout 5
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1 aes256-sha1 aes128-sha1 3des-sha1
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
tunnel-group DynamicPolicy type ipsec-l2l
tunnel-group DynamicPolicy ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
A bit of devils advocate before I calll them on this. Isn't "crypto isakmp nat-traversal 20" the default for ASAs now? i.e. it wouldn't show up in the config unless it was turned off or the timeout was changed. I've asked them to double check previously and they sent me a screenshot from ASDM with the box for NAT Traversal checked.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.