Comptx
asked on
ASA 5505 dual isp issue with traffic redirection
Hi, I have an ASA 5505 connected to 2 different ISPs.
I've got 2 internal networks, 10.1.1.0 and 10.5.5.0, which go out through the default ISP (interface name: outside). But now I have a second ISP and a videoconference unit that sits inside the 10.1.1.0 network. This unit MUST go out through the secondary ISP (interface name: CTN), and it must go out with its own public IP (*.*.73.112), not the CTN interface IP (*.*.73.2). Calls from the outside will connect to its IP as well and not the interface's.
I've been trying all sorts of things, but I cannot get it to go out through the CTN interface.
Right now I removed all the changes I made to the config, and it's going out through the default interface (interface name: outside).
What do I need to make this work?
Config:
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names
name *.*.73.112 polyComm_public
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 76.14.*.* 255.255.255.0
!
interface Vlan12
nameif telemed
security-level 100
ip address 10.5.5.1 255.255.255.0
!
interface Vlan22
nameif CTN
security-level 0
ip address *.*.73.2 255.255.255.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 22
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
domain-name communicare
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network UC-Davis
access-list CTN_access_in extended permit udp any host polyComm_public eq snmptrap
access-list CTN_access_in extended permit udp any host polyComm_public eq 2873
access-list CTN_access_in extended permit udp any host polyComm_public eq snmp
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1719
access-list CTN_access_in extended permit udp any host polyComm_public eq 1719
access-list CTN_access_in extended permit udp any range 2326 2373 host polyComm_public range 2326 2373
access-list CTN_access_in extended permit udp any range 970 973 host polyComm_public range 970 973
access-list CTN_access_in extended permit udp any range 3230 3285 host polyComm_public range 3230 3285
access-list CTN_access_in extended permit tcp any range 5555 5587 host polyComm_public range 5555 5587
access-list CTN_access_in extended permit tcp any range 3230 3243 host polyComm_public range 3230 3243
access-list CTN_access_in extended permit tcp any host polyComm_public eq 3603
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1503
access-list CTN_access_in extended permit tcp any host polyComm_public eq ldap
access-list CTN_access_in extended permit tcp any host polyComm_public eq h323
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1027
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1026
access-list CTN_access_in extended permit tcp any host polyComm_public eq 963
access-list CTN_access_in extended permit tcp any host polyComm_public eq 123
access-list CTN_access_in extended permit tcp any host polyComm_public eq telnet
access-list CTN_access_in extended permit udp any host polyComm_public eq 1718
access-list CTN_access_in extended permit tcp any host polyComm_public eq ftp
access-list CTN_access_in extended permit tcp any host polyComm_public eq www
access-list CTN_access_in extended permit tcp any host polyComm_public eq https
access-list CTN_access_in extended permit gre any host polyComm_public
access-list CTN_access_in extended permit tcp any host polyComm_public eq 1731
access-list CTN_access_in extended permit tcp any host polyComm_public eq 2776
access-list inside_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_2_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_access_in_1 extended permit icmp any any
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 9000
logging buffered emergencies
logging trap emergencies
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu telemed 1500
mtu CTN 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (CTN) 2 polyComm_public netmask 255.255.255.128
global (CTN) 3 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.228 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0
access-group outside_access_in_1 in interface outside
access-group CTN_access_in in interface CTN
route outside 0.0.0.0 0.0.0.0 76.14.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 152.79.*.*
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 152.79.*.* type ipsec-l2l
tunnel-group 152.79.*.* ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect pptp
inspect icmp
inspect h323 h225
inspect h323 ras
inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:648ee0aa6fed7bbf12f4d442a5e51e1a
: end
ASKER
Then what about if I make CTN the primary outside interface and the other ISP the secondary? I have been able to send VPN traffic through the secondary interface before just fine.
ASKER
Then I wouldn't need anything special for the videoconference unit, since it will go out on the interface I want by default?
Sounds like that will work. If you have a particular IP address that you are connecting to for the VPN, then it is as easy as setting up a static route for that one destination IP address.
ASKER
OK, I switched the interfaces and the teleconference unit works like I want it to.
I added the site-to-site VPN again with the updated changes to the interface, but it's not connecting now. I get many of the following errors:
3 Apr 12 2012 10:29:05 305006 5.172.215.4 1526 portmap translation creation failed for tcp src telemed:10.5.5.6/139 dst outside:5.172.215.4/1526
ASKER
The entire 10.5.5.0 network doesn't get internet, so I need to get it to go outside.
Did you redo the global map?
ASKER
Not quite sure what you're referring to there?
global (outside) 1 interface
global (CTN) 2 polyComm_public netmask 255.255.255.128
global (CTN) 3 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.228 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0
Here you have a NAT translation to the interface IP address of the outside interface with the nat (inside) 1 0.0.0.0 0.0.0.0: it is translating the inside traffic to the public IP. Since traffic will now be on the CTN connection for public internet, you should change it to nat (inside) 3 0.0.0.0 0.0.0.0, if I am understanding what you are trying to do.
If you still have issues, can you post the config again?
ASKER
This is the latest config:
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address *.*.73.2 255.255.255.128
!
interface Vlan12
nameif telemed
security-level 100
ip address 10.5.5.1 255.255.255.0
!
interface Vlan22
nameif eyeroute
security-level 0
ip address *.*.161.116 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 22
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
name-server ccc-westsac-server
name-server 10.0.0.13
name-server 76.14.96.13
domain-name communicare
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network UC-Davis
network-object host USDAVIS101-84
network-object host USDAVIS167.-61
network-object host USDAVIS167-62
network-object host USDAVIS167-65
network-object USDAVIS112-0 255.255.255.0
network-object host USDAVIS200-5
network-object host USDAVIS207-187
network-object host USDAVIS207-188
network-object host USDAVIS207-9
network-object host USDAVIS208121
network-object host USDAVIS35-228
network-object host USDAVIS35-230
network-object host USDAVIS37-118
network-object host USDAVIS37-83
network-object host USDAVIS40-21
network-object host USDAVIS40-22
network-object host USDAVIS41-89
network-object host USDAVIS60-10
network-object host USDAVIS-New-159
network-object host USDAVIS-New-175
network-object host USDAVIS-New-214
network-object host 152.79.60.228
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list inside_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 peterson-lan 255.255.255.0
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list eyeroute_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1731
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq https
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq www
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 2776
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq ftp
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq telnet
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 123
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 963
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1026
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1027
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq h323
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq ldap
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1503
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 3603
access-list outside_access_in_1 extended permit tcp any range 3230 3243 host polyComm_public range 3230 3243
access-list outside_access_in_1 extended permit tcp any range 5555 5587 host polyComm_public range 5555 5587
access-list outside_access_in_1 extended permit udp any range 3230 3285 host polyComm_public range 3230 3285
access-list outside_access_in_1 extended permit udp any range 970 973 host polyComm_public range 970 973
access-list outside_access_in_1 extended permit udp any range 2326 2373 host polyComm_public range 2326 2373
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1719
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 1719
access-list outside_access_in_1 extended permit udp any host polyComm_public eq snmp
access-list outside_access_in_1 extended permit udp any host polyComm_public eq snmptrap
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 2873
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 1718
access-list outside_access_in_1 extended permit gre any host polyComm_public
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any interface outside object-group DM_INLINE_TCP_1
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 9000
logging buffered emergencies
logging trap emergencies
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu telemed 1500
mtu eyeroute 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 2 0.0.0.0 0.0.0.0
static (inside,outside) polyComm_public 10.1.1.228 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.16.73.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map eyeroute_map 1 match address eyeroute_1_cryptomap
crypto map eyeroute_map 1 set peer *.*.254.10
crypto map eyeroute_map 1 set transform-set ESP-3DES-MD5
crypto map eyeroute_map interface eyeroute
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp enable eyeroute
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group *.*.254.10 type ipsec-l2l
tunnel-group *.*.254.10 ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect pptp
inspect icmp
inspect h323 h225
inspect h323 ras
inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1cab7cb4fef3530bb27003499f05c8b
: end
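The two pieces of advice given above (a static route for the VPN peer so that one destination leaves by the secondary interface, and a `global` carrying the same NAT ID on whichever interface the traffic actually leaves by) can be checked against a config mechanically. The following is an added example written for this page, not code from the thread or from Cisco: a small Python model of the ASA 8.2 decision order, which chooses the egress interface from the route table first and only then looks for a `global` with the ingress `nat` ID on that interface; when none exists, the connection fails with the `305006 portmap translation creation failed` message quoted in the thread. It runs on a constructed sample built from the `global`/`nat`/`static`/`route` lines of the latest config, with RFC 5737 placeholder addresses in place of the masked public IPs; the `nat (x) 0 access-list` exemptions are skipped because the ACLs are not parsed, and dynamic rules are matched in config order, which is a simplification of the ASA's own ordering.

```python
"""Model of the ASA 8.2 egress/NAT decision, used to find NAT IDs that
have no matching 'global' on the interface the route table actually
sends traffic out of (the situation behind %ASA-3-305006 'portmap
translation creation failed').  Added example, not code from the thread
or from Cisco.  Public addresses are RFC 5737 placeholders."""
import ipaddress
import re

# Constructed sample modelled on the NAT/route lines of the latest config
# in the thread: the default route leaves via 'outside', but the telemed
# NAT ID (2) only has a global on 'eyeroute'.
SAMPLE_CONFIG = """\
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 2 0.0.0.0 0.0.0.0
static (inside,outside) 192.0.2.112 10.1.1.228 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
NAT_RE = re.compile(rf"^nat \((\S+)\) (\d+) {IP} {IP}$")
STATIC_RE = re.compile(rf"^static \((\S+),(\S+)\) (\S+) {IP} netmask {IP}$")
ROUTE_RE = re.compile(rf"^route (\S+) {IP} {IP} {IP}(?: (\d+))?$")


def parse_config(text):
    """Collect global/nat/static/route lines.  'nat (x) 0 access-list ...'
    exemptions need the ACL to evaluate and are skipped by this model."""
    cfg = {"globals": set(), "nats": [], "statics": [], "routes": []}
    for line in text.splitlines():
        line = line.strip()
        if m := GLOBAL_RE.match(line):
            cfg["globals"].add((m[1], int(m[2])))
        elif m := NAT_RE.match(line):
            cfg["nats"].append((m[1], int(m[2]), ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)))
        elif m := STATIC_RE.match(line):
            cfg["statics"].append((m[1], m[2], m[3], ipaddress.ip_network(f"{m[4]}/{m[5]}", strict=False)))
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m[1], ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), int(m[5] or 1)))
    return cfg


def egress_interface(cfg, dst_ip):
    """Longest prefix wins, lowest metric on ties: routing is decided
    before NAT on 8.2, so the NAT ID never steers the egress interface."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for iface, net, metric in cfg["routes"]:
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def check_flow(cfg, src_iface, src_ip, dst_ip):
    """Classify a new connection as (verdict, egress, nat_id), where verdict
    is 'static', 'identity', 'dynamic', 'untranslated', 'no-route' or
    '305006'.  Dynamic rules are tried in config order (a simplification)."""
    src = ipaddress.ip_address(src_ip)
    egress = egress_interface(cfg, dst_ip)
    if egress is None:
        return ("no-route", None, None)
    for real_if, mapped_if, _mapped, real_net in cfg["statics"]:
        if real_if == src_iface and mapped_if == egress and src in real_net:
            return ("static", egress, None)
    for iface, nat_id, net in cfg["nats"]:
        if iface != src_iface or src not in net:
            continue
        if nat_id == 0:
            return ("identity", egress, 0)
        if (egress, nat_id) in cfg["globals"]:
            return ("dynamic", egress, nat_id)
        # NAT ID matched on ingress but no global with that ID on egress:
        # this is the mismatch that logs %ASA-3-305006.
        return ("305006", egress, nat_id)
    return ("untranslated", egress, None)


def missing_globals(cfg):
    """(ingress, nat_id, egress) for each dynamic NAT ID lacking a global
    on an interface that the route table can send traffic out of."""
    egress_ifaces = {iface for iface, _net, _metric in cfg["routes"]}
    return sorted(
        (iface, nat_id, egress)
        for iface, nat_id, _net in cfg["nats"]
        if nat_id != 0
        for egress in egress_ifaces
        if (egress, nat_id) not in cfg["globals"]
    )


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("gaps:", missing_globals(cfg))                              # [('telemed', 2, 'outside')]
    # Same kind of flow as the syslog quoted in the thread (telemed host to the internet).
    print(check_flow(cfg, "telemed", "10.5.5.6", "5.172.215.4"))      # ('305006', 'outside', 2)
    # The Polycom leaves with its own public IP via the static, not the interface PAT.
    print(check_flow(cfg, "inside", "10.1.1.228", "5.172.215.4"))     # ('static', 'outside', None)
    # Fix 1: give NAT ID 2 a global on the default-route interface.
    fixed = parse_config(SAMPLE_CONFIG + "global (outside) 2 interface\n")
    print(check_flow(fixed, "telemed", "10.5.5.6", "5.172.215.4"))    # ('dynamic', 'outside', 2)
    # Fix 2: a host route for the VPN peer steers only that peer out 'eyeroute'.
    routed = parse_config(SAMPLE_CONFIG + "route eyeroute 198.51.100.10 255.255.255.255 203.0.113.1 1\n")
    print(check_flow(routed, "telemed", "10.5.5.6", "198.51.100.10")) # ('dynamic', 'eyeroute', 2)
```

`missing_globals` is the lint to run before swapping ISPs or renaming interfaces: every `nat (iface) N` needs a `global (egress) N` on each interface the route table can pick, or hosts behind that `nat` line lose internet exactly as the 10.5.5.0 network did here. The host route in "Fix 2" shows why a static route for the VPN peer is enough on 8.2: it changes the egress interface for that one destination, and the existing `global (eyeroute) 2` then applies.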
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1026
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1027
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq h323
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq ldap
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1503
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 3603
access-list outside_access_in_1 extended permit tcp any range 3230 3243 host polyComm_public range 3230 3243
access-list outside_access_in_1 extended permit tcp any range 5555 5587 host polyComm_public range 5555 5587
access-list outside_access_in_1 extended permit udp any range 3230 3285 host polyComm_public range 3230 3285
access-list outside_access_in_1 extended permit udp any range 970 973 host polyComm_public range 970 973
access-list outside_access_in_1 extended permit udp any range 2326 2373 host polyComm_public range 2326 2373
access-list outside_access_in_1 extended permit tcp any host polyComm_public eq 1719
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 1719
access-list outside_access_in_1 extended permit udp any host polyComm_public eq snmp
access-list outside_access_in_1 extended permit udp any host polyComm_public eq snmptrap
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 2873
access-list outside_access_in_1 extended permit udp any host polyComm_public eq 1718
access-list outside_access_in_1 extended permit gre any host polyComm_public
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit tcp any interface outside object-group DM_INLINE_TCP_1
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.0.0.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 9000
logging buffered emergencies
logging trap emergencies
logging asdm notifications
mtu inside 1500
mtu outside 1500
mtu telemed 1500
mtu eyeroute 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 2 0.0.0.0 0.0.0.0
static (inside,outside) polyComm_public 10.1.1.228 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.16.73.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-reco
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map eyeroute_map 1 match address eyeroute_1_cryptomap
crypto map eyeroute_map 1 set peer *.*.254.10
crypto map eyeroute_map 1 set transform-set ESP-3DES-MD5
crypto map eyeroute_map interface eyeroute
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp enable eyeroute
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group *.*.254.10 type ipsec-l2l
tunnel-group *.*.254.10 ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect pptp
inspect icmp
inspect h323 h225
inspect h323 ras
inspect ftp
!
service-policy global-policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f1cab7cb4fe
: end
asdm image disk0:/asdm-625.bin
no asdm history enable
ASKER CERTIFIED SOLUTION
ASKER
Adding nat (telemed) 1 0.0.0.0 0.0.0.0 gave internet access to the 10.5.5.0 network.
However, for the route part of your message, do I add it like that, even though the VPN does not connect through the 10.16.73.1 gateway?
outside interface gateway = 10.16.73.1 1
eyeroute interface gateway = 76.14.161.1
Sorry, I thought it was the other way around in terms of where the VPN should be routed. You can just add the route for the VPN endpoint and use the gateway that it should be using.
ASKER
VPN will still not connect.
latest config:
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa
domain-name communicare
enable password XFy9CjYNnphRv1bP encrypted
passwd udxi8XKHJKW0Yggp encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address *.*.73.2 255.255.255.128
!
interface Vlan12
nameif telemed
security-level 100
ip address 10.5.5.1 255.255.255.0
!
interface Vlan22
nameif eyeroute
security-level 0
ip address *.*.161.116 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
switchport access vlan 22
!
interface Ethernet0/6
switchport access vlan 12
!
interface Ethernet0/7
switchport access vlan 12
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup telemed
dns server-group DefaultDNS
object-group service DM_INLINE_TCP_1 tcp
port-object eq ftp
port-object eq ftp-data
access-list inside_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_20_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list rdp-capture extended permit tcp any interface outside eq 3389
access-list eyeroute_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list telemed_nat0_outbound extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
access-list outside_cryptomap extended permit ip 10.5.5.0 255.255.255.0 object-group UC-Davis
DM_INLINE_TCP_1
access-list Outside_1_cryptomap extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap_3 extended permit ip 10.5.5.0 255.255.255.0 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (eyeroute) 2 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (telemed) 0 access-list telemed_nat0_outbound
nat (telemed) 1 0.0.0.0 0.0.0.0
static (inside,outside) polyComm_public 10.1.1.228 netmask 255.255.255.255
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 10.16.73.1 1
route eyeroute *.*.254.10 255.255.255.255 76.14.161.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 telemed
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 256
crypto map outside_map 3 match address outside_cryptomap_3
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto map eyeroute_map 1 match address eyeroute_1_cryptomap
crypto map eyeroute_map 1 set peer *.*.254.10
crypto map eyeroute_map 1 set transform-set ESP-3DES-MD5
crypto map eyeroute_map interface eyeroute
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable telemed
crypto isakmp enable eyeroute
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.5.5.5 255.255.255.255 telemed
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group *.*.254.10 type ipsec-l2l
tunnel-group *.*.254.10 ipsec-attributes
pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect pptp
inspect icmp
inspect h323 h225
inspect h323 ras
inspect ftp
!
Just to confirm, the endpoints of the VPN didn't change in this configuration, correct?
ASKER
Correct, only my gateways were switched.
The first thing that I see is that you have two different tunnels on two different interfaces. In the original config they were both on the same interface.
Are any of the tunnels up? You can use 'show crypto ipsec sa' to see if anything is up.
ASKER
Result of the command: "show crypto ipsec sa"
There are no ipsec sas
ASKER
I don't even see the ASA trying to establish a connection :(
You should raise the debug level and see what is going on with it.
debug crypto isakmp <level 1-225> (the higher, the more detailed it will be)
debug crypto ipsec <level>
This will output a lot of information but should give some more insight into whether the connection is being attempted.
ASKER
None of this makes sense as to why it won't work, so I checked all my settings again and noticed a typo in my public IP address for the VPN interface -_- gonna try it now.
ASKER
OK, VPN connected. However, I cannot ping the computer on the other side. Am I missing a command for this?
Which vlan are you pinging from? vlan 1 or 12?
ASKER
VLAN 12
ASKER
So, an update... VPN connects, but I cannot ping the other side's host...
Sorry that I have not responded; I have been away for a few days. Are you still not able to access the other side of the VPN?
Have you used packet tracer from ASDM or from the CLI to make sure that the traffic is flowing through the VPN?
ASKER
The answer by ryan, plus the typo correction, fixed the issue.
If the Polycom system will be using specific ports, then you could follow these directions. It also has a very thorough explanation.
http://www.packetu.com/2011/11/28/egress-interface-selection-on-the-cisco-asa/
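Both things that went wrong in this thread are egress-interface mismatches that can be caught by reading the config before the change window: the eyeroute crypto map whose peer was still being routed out the default 'outside' interface until a host route was added, and the 'nat (telemed) 2' that only had a matching 'global' on the non-default interface, so telemed hosts had no translation toward the default route. The following Python script is an added example, not code from this thread, from Cisco or from the linked article; it parses the 8.2-style 'route', 'name', 'nameif'/'ip address', 'nat', 'global' and 'crypto map' statements, does a longest-prefix route lookup for each VPN peer against the interface its crypto map is bound to, and checks that every non-zero nat ID has a global on the default-route interface. The embedded config is constructed in the shape of the thread's config using RFC 5737 documentation addresses; a second copy with the thread's two fixes applied is checked alongside it.

```python
# Added example (not the thread's code): lint an ASA 8.2-style config for the two egress mismatches above.
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of the thread's config; RFC 5737 documentation
# ranges stand in for the masked public addresses on the page.
SAMPLE_CONFIG = """\
name 203.0.113.10 Davis-Outside
interface Vlan2
 nameif outside
 ip address 198.51.100.2 255.255.255.128
interface Vlan22
 nameif eyeroute
 ip address 192.0.2.116 255.255.255.0
global (outside) 1 interface
global (eyeroute) 2 interface
nat (telemed) 2 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
crypto map outside_map 3 set peer Davis-Outside
crypto map outside_map interface outside
crypto map eyeroute_map 1 set peer 203.0.113.50
crypto map eyeroute_map interface eyeroute
"""
# After the thread's two fixes: telemed on nat id 1, plus a host route for the eyeroute peer.
FIXED_CONFIG = (SAMPLE_CONFIG.replace("nat (telemed) 2 ", "nat (telemed) 1 ")
                + "route eyeroute 203.0.113.50 255.255.255.255 192.0.2.1 1\n")

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
NAME_RE = re.compile(r"^name (\S+) (\S+)")
IP_ADDR_RE = re.compile(r"^ip address (\S+) (\S+)")
CMAP_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
CMAP_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")

def parse_config(text: str) -> Dict[str, Any]:
    """Collect only the statements the two checks need."""
    cfg: Dict[str, Any] = {"routes": [], "names": {}, "cmap_if": {}, "cmap_peers": [], "nats": [], "globals": []}
    nameif: Optional[str] = None  # nameif of the interface block being parsed
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif (m := IP_ADDR_RE.match(line)) and nameif:  # interface subnet = connected route
            cfg["routes"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), nameif, "connected"))
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False), m[1], m[4]))
        elif m := NAME_RE.match(line):
            cfg["names"][m[2]] = m[1]
        elif m := CMAP_IF_RE.match(line):
            cfg["cmap_if"][m[1]] = m[2]
        elif m := CMAP_PEER_RE.match(line):
            cfg["cmap_peers"].append((m[1], int(m[2]), m[3]))
        elif m := NAT_RE.match(line):
            cfg["nats"].append((m[1], int(m[2])))
        elif m := GLOBAL_RE.match(line):
            cfg["globals"].append((m[1], int(m[2])))
    return cfg

def egress_interface(routes: List[tuple], ip: str) -> Optional[str]:
    """Longest-prefix match, which is how the ASA picks the egress interface."""
    addr, best = ipaddress.ip_address(ip), None
    for net, ifc, _ in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def check_crypto_map_egress(cfg: Dict[str, Any]) -> List[str]:
    """A crypto map only engages on its bound interface, so its peer must route out of it."""
    findings = []
    for map_name, seq, peer in cfg["cmap_peers"]:
        peer_ip = cfg["names"].get(peer, peer)  # resolve a 'name' alias if one is used
        try:
            ipaddress.ip_address(peer_ip)
        except ValueError:
            findings.append(f"crypto map {map_name} {seq}: peer {peer!r} has no 'name' entry, cannot check")
            continue
        bound, via = cfg["cmap_if"].get(map_name), egress_interface(cfg["routes"], peer_ip)
        if via != bound:
            findings.append(f"crypto map {map_name} {seq}: bound to {bound} but peer {peer_ip} routes via {via}")
    return findings

def check_nat_global_pairing(cfg: Dict[str, Any]) -> List[str]:
    """Internet traffic leaves via the default route, so each nat id needs a global there."""
    findings = []
    default_ifc = next((ifc for net, ifc, _ in cfg["routes"] if net.prefixlen == 0), None)
    pools = {nid: {i for i, n in cfg["globals"] if n == nid} for _, nid in cfg["globals"]}
    for ifc, nid in cfg["nats"]:
        if nid != 0 and default_ifc not in pools.get(nid, set()):  # nat 0 is exemption, needs no global
            findings.append(f"nat ({ifc}) {nid}: no 'global ({default_ifc}) {nid}', "
                            f"so hosts on {ifc} get no translation toward the default route")
    return findings

def lint(text: str) -> List[str]:
    cfg = parse_config(text)
    return check_crypto_map_egress(cfg) + check_nat_global_pairing(cfg)

if __name__ == "__main__":
    print("before:", lint(SAMPLE_CONFIG), "\nafter:", lint(FIXED_CONFIG) or "clean")
```

Run against the sample it reports the two findings seen in the thread and nothing for the fixed copy. A peer given as a 'name' alias that the config excerpt does not define (as with Davis-Outside in the posted config) is reported as unverifiable rather than silently skipped, since that is exactly the case where a typo in the address goes unnoticed. The route lookup only sees static and connected routes, so on a box running a dynamic routing protocol the check should be fed 'show route' output instead of the config.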