
ASA5505 Static Hub and Spoke Problem

Status
Not open for further replies.

engineer99

Programmer
Jan 16, 2009
2
US
I need some help with a static-IP-based 5505 hub-and-spoke IPsec VPN setup. The configuration is for a central ASA 5505 as a hub directly connected to two ASA 5505 spokes over a LAN-to-LAN IPsec VPN tunnel on the outside VLAN. The spokes do not need to see or talk to each other. The IP devices need to talk to the server through the inside VLAN.

server-----HUB-------ipsec tunnel------SPOKE1-------ip devices w/static ip's
            |
            |
            |
            |--------ipsec tunnel------SPOKE2-------ip devices w/static ip's

Static IPs

Server: 10.0.0.250

Hub:
inside vlan 10.0.0.1
outside vlan 2.2.2.1

Spoke 1:
inside vlan 10.0.1.1
outside vlan 2.2.2.10
(ip devices connected to Spoke 1 10.0.1.101 - 10.0.1.107)

Spoke 2:
inside vlan 10.0.2.1
outside vlan 2.2.2.20
(ip devices connected to Spoke 1 10.0.2.101 - 10.0.2.107)

My problem is that I cannot ping the inside devices or the inside ASA 5505 IP from any other ASA 5505. The outside tunnel comes right up and I can ping the outside router IPs with no problem at the CLI, but not the inside IPs. I get good ISAKMP SA settings, and the only thing I see strange with the IPsec SA is that it has good encrypt pkts but no decrypt pkts while pinging from the server to the spoke inside IPs, and at the same time on the spoke ASA the IPsec SA shows no encrypt pkts but has good decrypt pkts.

The configs follow, sorry in advance for the long post.

! --- ASA 5505 (Hub) Config
!
! ASA Version 8.0(4)
!
hostname 5505HUB
domain-name default.domain.invalid
enable password ******* encrypted
passwd ******* encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 2.2.2.1 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
!

! --- Computer with static ip 10.0.0.250 connected to this port
interface Ethernet0/0
switchport access vlan 2
!
! --- ASA 5505 (Spoke 1) connected to this port with outside static ip 2.2.2.10
interface Ethernet0/1
switchport access vlan 1
!
! --- ASA 5505 (Spoke 2) connected to this port with outside static ip 2.2.2.20
interface Ethernet0/2
switchport access vlan 1
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 15
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
!
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list 102 extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.255 2.2.2.1 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set vpntrans esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! --- Crypto map for ASA 5505 (Spoke 1)
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 2.2.2.10
crypto map vpnmap 10 set transform-set vpntrans
crypto map vpnmap 10 set security-association lifetime seconds 28800
crypto map vpnmap 10 set security-association lifetime kilobytes 4608000
!
! --- Crypto map for ASA 5505 (Spoke 2)
crypto map vpnmap 20 match address 102
crypto map vpnmap 20 set peer 2.2.2.20
crypto map vpnmap 20 set transform-set vpntrans
crypto map vpnmap 20 set security-association lifetime seconds 28800
crypto map vpnmap 20 set security-association lifetime kilobytes 4608000
!
crypto map vpnmap interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
!
tunnel-group 2.2.2.10 type ipsec-l2l
tunnel-group 2.2.2.10 ipsec-attributes
pre-shared-key *
!
tunnel-group 2.2.2.20 type ipsec-l2l
tunnel-group 2.2.2.20 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
! --- END ASA 5505 (Hub) Config

**********************************************************

! --- ASA 5505 (Spoke 1) Config
!
! ASA Version 8.0(4)
!
hostname 5505SPOKE1
domain-name default.domain.invalid
enable password ******* encrypted
passwd ******* encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 2.2.2.10 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 15
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
!
access-list nonat extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 101 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.10 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set vpntrans esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! --- Crypto map for ASA 5505 (Hub)
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 2.2.2.1
crypto map vpnmap 10 set transform-set vpntrans
crypto map vpnmap 10 set security-association lifetime seconds 28800
crypto map vpnmap 10 set security-association lifetime kilobytes 4608000
!
crypto map vpnmap interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
!
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 3
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
! --- END ASA 5505 (Spoke 1) Config

*****************************************************

! --- ASA 5505 (Spoke 2) Config
!
! ASA Version 8.0(4)
!
hostname 5505SPOKE2
domain-name default.domain.invalid
enable password ******* encrypted
passwd ******* encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 2.2.2.20 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 1
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
boot system disk0:/asa804-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 15
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
!
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list 102 extended permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.20 1
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto ipsec transform-set vpntrans esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! --- Crypto map for ASA 5505 (Hub)
crypto map vpnmap 20 match address 102
crypto map vpnmap 20 set peer 2.2.2.1
crypto map vpnmap 20 set transform-set vpntrans
crypto map vpnmap 20 set security-association lifetime seconds 28800
crypto map vpnmap 20 set security-association lifetime kilobytes 4608000
!
crypto map vpnmap interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
crypto isakmp policy 65535
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 3
!
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 20 retry 3
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
! --- END ASA 5505 (Spoke 2) Config
******************************************************
 
Have you run any debugs on the devices to see what's happening?

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
If pinging from the ASA, you need to use the extended ping and choose the inside interface IP; otherwise the ping comes from the outside interface and never gets encrypted or goes through the tunnel.

Try pinging from internal machine to internal machine. Does that work?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Pinging from the server on the inside network attached to the hub ASA to a device on a spoke ASA's inside network does not get through. I cannot get a ping through from the server on the inside network to a spoke ASA inside IP address either, even though I have a good VPN tunnel established between all the ASAs. Do I need an inside route, or does the access-list/crypto map handle the inside routing through the tunnel?
 
There is no
global (outside) 1 interface

And you have 2 interfaces trying to grab the same IP on the hub. Can't do it.

You need to set up your lab differently: connect the ASAs to a central switch if you want to set this up. Also, the default route needs to not be the interface IP. It would be better if you had this attached to a switch and a router-on-a-stick for testing.


Brent
Systems Engineer / Consultant
CCNP, CCSP
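As an added illustration (my own Python, not anything posted in this thread), a small config lint that reads constructed excerpts of the hub and Spoke 1 configs above and flags the things Brent points to: a route whose next hop is the device's own interface IP, a default route with a wrong mask, and a nat id with no matching global statement. It also checks that the crypto ACLs on the two ends of a peer pair mirror each other (they do here, which rules the ACLs out as the cause).

```python
from collections import defaultdict

# Added example, not from the thread: constructed excerpts of the hub and Spoke 1 configs above.
HUB = """\
ip address 2.2.2.1 255.255.255.0
access-list 101 extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.255 2.2.2.1 1
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 2.2.2.10
"""
SPOKE1 = """\
ip address 2.2.2.10 255.255.255.0
access-list 101 extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 2.2.2.10 1
crypto map vpnmap 10 match address 101
crypto map vpnmap 10 set peer 2.2.2.1
"""

def parse(cfg):
    """Interface IPs, routes, nat/global ids and crypto ACL entries keyed by peer address."""
    d = {"ips": set(), "routes": [], "nat": set(), "global": set(), "acl": defaultdict(set), "match": {}, "peer": {}}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[:2] == ["ip", "address"]:
            d["ips"].add(w[2])
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            d["acl"][w[1]].add(tuple(w[5:9]))             # (src, smask, dst, dmask)
        elif w[0] == "route":
            d["routes"].append((w[2], w[3], w[4]))        # (net, mask, next hop)
        elif w[0] in ("nat", "global") and w[2] != "0":   # nat 0 (exemption) needs no global
            d[w[0]].add(w[2])
        elif w[:2] == ["crypto", "map"] and w[4:6] in (["match", "address"], ["set", "peer"]):
            d[w[4] if w[4] == "match" else "peer"][w[3]] = w[6]   # map seq -> ACL name / peer IP
    d["peer_acl"] = {d["peer"][s]: d["acl"][n] for s, n in d["match"].items() if s in d["peer"]}
    return d

def lint(cfg):
    """Routing and NAT pitfalls that stop traffic from ever reaching the crypto map."""
    d = parse(cfg)
    out = [f"route {n} {m}: next hop {gw} is an own interface IP" for n, m, gw in d["routes"] if gw in d["ips"]]
    out += [f"route {n} {m}: default route needs mask 0.0.0.0" for n, m, _ in d["routes"] if n == "0.0.0.0" and m != n]
    out += [f"nat id {i} has no matching global" for i in sorted(d["nat"] - d["global"])]
    return out

def mirror_gaps(local_cfg, peer_cfg, peer_ip, local_ip):
    """Crypto ACL entries on local (for peer_ip) that the peer does not mirror (for local_ip)."""
    local = parse(local_cfg)["peer_acl"].get(peer_ip, set())
    remote = parse(peer_cfg)["peer_acl"].get(local_ip, set())
    return {e for e in local if (e[2], e[3], e[0], e[1]) not in remote}
```

Running lint(HUB) and lint(SPOKE1) reports the own-IP next hops and the missing global on both boxes, plus the 0.0.0.255 mask on the hub, while mirror_gaps(HUB, SPOKE1, "2.2.2.10", "2.2.2.1") comes back empty.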
 