ableseaman
Technical User
Good Afternoon
Looking for some assistance with the following.
To allow some of our staff to work from home on a permanent basis we had approached a company to provide a solution that would allow site-to-site VPN connectivity between our Corporate Cisco ASA and the homeworkers' homes via ADSL. The solution they provided was to provision the homeworkers' end with a Cisco 877 router, which would establish the tunnel with the ASA.
After a number of attempts by the company we managed to get a working solution. However, we have encountered an issue where homeworking sites can't "see" each other - we can't establish IPT calls between homeworkers, can't ping between sites, etc. Access from the homeworkers' locations to our Corporate network for both voice and data is working okay.
I seem to be going round in circles with this one and it's getting to the stage where, if it's something obvious, I'm certainly missing it...
I'm not sure if it is an access-list issue, the fact that we are routing in/out of the ASA interface, etc.
Information
The homeworking sites will utilise 192.168.90.x.
i.e.
Cisco 877-1 - 192.168.90.0/29
Cisco 877-2 - 192.168.90.8/29
Cisco 877-3 - 192.168.90.16/29
etc
Our Corporate Network Subnets are:
146.116.0.0/16
10.200.0.0/16
192.168.0.0/16
192.9.0.0/16
There is a firewall in place between the Corporate network and the inside interface of the Cisco ASA. The outside Cisco ASA interface is direct to the internet.
Here is our config for our ASA:
ASA Version 8.2(3)
!
hostname vpn01
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 194.217.0.10 255.255.255.192
ospf cost 10
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 192.168.46.250 255.255.255.252
ospf cost 10
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
no ip address
ospf cost 10
management-only
!
boot system disk0:/asa823-k8.bin
boot system disk0:/asa723-16-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.200.19.54
name-server 10.200.19.55
same-security-traffic permit intra-interface
access-list NONAT extended permit ip 146.116.0.0 255.255.0.0 10.11.12.0 255.255.255.0
access-list NONAT extended permit ip 146.116.0.0 255.255.0.0 192.168.90.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip any 192.168.90.0 255.255.255.248
access-list outside_2_cryptomap extended permit ip any 192.168.90.8 255.255.255.248
access-list outside_3_cryptomap extended permit ip any 192.168.90.16 255.255.255.248
access-list outside_4_cryptomap extended permit ip any 192.168.90.24 255.255.255.248
access-list outside_5_cryptomap extended permit ip any 192.168.90.32 255.255.255.248
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging asdm notifications
logging facility 23
logging queue 0
logging device-id ipaddress inside
logging host inside 10.200.38.203
logging permit-hostdown
logging class auth trap emergencies asdm informational
logging class config trap informational asdm informational
logging class session trap emergencies
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool *****VPN 10.11.12.1-10.11.12.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 146.116.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 194.217.0.17 1
route inside 10.200.0.0 255.255.0.0 192.168.46.249 1
route inside 146.116.0.0 255.255.0.0 192.168.46.249 1
route inside 172.29.81.0 255.255.255.0 192.168.46.249 1
route inside 172.29.97.0 255.255.255.0 192.168.46.249 1
route inside 192.9.0.0 255.255.0.0 192.168.46.249 1
route inside 192.168.112.0 255.255.255.0 192.168.46.249 1
route inside 192.168.114.0 255.255.255.0 192.168.46.249 1
route inside 192.168.115.0 255.255.255.0 192.168.46.249 1
route inside 192.168.116.0 255.255.255.0 192.168.46.249 1
route inside 192.168.117.0 255.255.255.0 192.168.46.249 1
route inside 192.168.118.0 255.255.255.0 192.168.46.249 1
route inside 192.168.124.0 255.255.255.128 192.168.46.249 1
route inside 192.168.126.0 255.255.255.192 192.168.46.249 1
route inside 192.168.126.64 255.255.255.192 192.168.46.249 1
route inside 192.168.127.0 255.255.255.0 192.168.46.249 1
route inside 192.168.130.0 255.255.255.0 192.168.46.249 1
route inside 192.168.131.0 255.255.255.0 192.168.46.249 1
route inside 192.168.134.0 255.255.255.128 192.168.46.249 1
route inside 192.168.139.0 255.255.255.0 192.168.46.249 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ***** protocol radius
aaa-server ***** (inside) host 10.200.19.186
key *****
authentication-port 1812
accounting-port 1813
aaa-server ***** (inside) host 10.200.19.187
key *****
authentication-port 1812
accounting-port 1813
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
reval-period 36000
sq-period 300
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 10.200.0.0 255.255.0.0 inside
http 192.168.46.248 255.255.255.252 inside
http 146.116.0.0 255.255.0.0 inside
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 217.155.147.246
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 82.68.190.214
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set nat-t-disable
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 88.97.36.121
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 set nat-t-disable
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 217.155.206.199
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set nat-t-disable
crypto map outside_map 5 match address outside_5_cryptomap
crypto map outside_map 5 set peer 217.155.47.195
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set nat-t-disable
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ThawteCA
enrollment terminal
fqdn none
keypair ThawteKey
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=
keypair sslvpnkeypair
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject
keypair *******VPNKEY
crl configure
crypto ca trustpoint Verisign_SSL_Apr2011
enrollment terminal
subject-name CN=
keypair TMC-SSL-VERISIGN-KEY
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca certificate chain ThawteCA
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 31
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet 146.116.0.0 255.255.0.0 inside
telnet 10.200.0.0 255.255.0.0 inside
telnet timeout 5
ssh 146.116.0.0 255.255.0.0 inside
ssh 10.200.0.0 255.255.0.0 inside
ssh timeout 30
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.46.249 source inside prefer
tftp-server management 10.200.58.15 C:\TFTP-Root
ssl trust-point Verisign_SSL_Apr2011 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.5.2001-k9.pkg 1
svc image disk0:/anyconnect-linux-2.5.2019-k9.pkg 2 regex "Linux"
svc enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec webvpn
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
svc keepalive none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
customization value DfltCustomization
group-policy *****VPNGrpPolicy internal
group-policy *****VPNGrpPolicy attributes
wins-server value 10.200.19.54 10.200.19.55
dns-server value 10.200.19.54 10.200.19.55
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelall
webvpn
url-list value WebApps
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask enable default webvpn
group-policy *****IPSECVPN internal
group-policy *****IPSECVPN attributes
wins-server value 10.200.19.54 10.200.19.55
dns-server value 10.200.19.54 10.200.19.55
vpn-idle-timeout 20
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
tunnel-group *****WEBVPNGroup type remote-access
tunnel-group *****WEBVPNGroup general-attributes
address-pool *****VPN
default-group-policy *****VPNGrpPolicy
tunnel-group *****WEBVPNGroup webvpn-attributes
group-alias WebVPN enable
tunnel-group *****IPSECVPN type remote-access
tunnel-group *****IPSECVPN general-attributes
address-pool *****VPN
default-group-policy *****IPSECVPN
tunnel-group *****IPSECVPN ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group *****-ipsec type remote-access
tunnel-group *****-ipsec general-attributes
address-pool *****VPN
authentication-server-group *****
default-group-policy *****IPSECVPN
tunnel-group *****-ipsec ipsec-attributes
pre-shared-key *****
isakmp keepalive disable
tunnel-group *****-sslvpn type remote-access
tunnel-group *****-sslvpn general-attributes
address-pool *****VPN
authentication-server-group *****
default-group-policy *****VPNGrpPolicy
tunnel-group *****-sslvpn webvpn-attributes
group-alias *****-ssl enable
tunnel-group 217.155.147.246 type ipsec-l2l
tunnel-group 217.155.147.246 ipsec-attributes
pre-shared-key *****
tunnel-group 82.68.190.214 type ipsec-l2l
tunnel-group 82.68.190.214 ipsec-attributes
pre-shared-key *****
tunnel-group 88.97.36.121 type ipsec-l2l
tunnel-group 88.97.36.121 ipsec-attributes
pre-shared-key *****
tunnel-group 217.155.206.199 type ipsec-l2l
tunnel-group 217.155.206.199 ipsec-attributes
pre-shared-key *****
tunnel-group 217.155.47.195 type ipsec-l2l
tunnel-group 217.155.47.195 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect dns preset_dns_map
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:63a178ea0a0b6fae2fbd0d7be9371d34
: end
Here is the config for one of our Cisco 877:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c877
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-613712074
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-613712074
revocation-check none
rsakeypair TP-self-signed-613712074
!
!
crypto pki certificate chain TP-self-signed-613712074
certificate self-signed 01
quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name moray.gov.uk
ip name-server 212.23.3.100
ip name-server 212.23.6.100
!
!
!
!
username ******* privilege 15 secret 5 **********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ******************* address 194.217.0.10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to194.217.0.10
set peer 194.217.0.10
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.90.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ****************
ppp chap password 0 ****************
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.90.0 0.0.0.7
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.90.0 0.0.0.7 146.116.0.0 0.0.255.255
access-list 100 remark ipsec rule
access-list 100 permit ip 192.168.90.0 0.0.0.7 10.200.0.0 0.0.255.255
access-list 100 remark ipsec rule
access-list 100 permit ip 192.168.90.0 0.0.0.7 192.168.0.0 0.0.255.255
access-list 100 remark ipsec rule
access-list 100 permit ip 192.168.90.0 0.0.0.7 192.9.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
Any assistance would be appreciated.
Able
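As an added example (not the poster's or Cisco's code), the Python below models the "interesting traffic" decision on each leg of the spoke-to-hub-to-spoke path using the crypto ACLs copied from the two posted configs, and lints the 877 config for ACLs that are referenced but never defined (the posted route-map SDM_RMAP_1 matches ACL 101, which does not appear in the posted config). It assumes the other 877s were built from the same ACL 100 template with their own /29 as source, which the post does not state.

```python
"""Added example (not the poster's or Cisco's code).  Checks whether a spoke-to-spoke
flow is "interesting traffic" on every leg of the posted hub-and-spoke IPsec design and
lints the 877 config for ACLs that are referenced but never defined.  The excerpts are
copied from the posted configs; the flow addresses are constructed for the demonstration."""
import ipaddress
import re

ASA_EXCERPT = """
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip any 192.168.90.0 255.255.255.248
access-list outside_2_cryptomap extended permit ip any 192.168.90.8 255.255.255.248
access-list outside_3_cryptomap extended permit ip any 192.168.90.16 255.255.255.248
access-list outside_4_cryptomap extended permit ip any 192.168.90.24 255.255.255.248
access-list outside_5_cryptomap extended permit ip any 192.168.90.32 255.255.255.248
"""

IOS_EXCERPT = """
access-list 1 permit 192.168.90.0 0.0.0.7
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.90.0 0.0.0.7 146.116.0.0 0.0.255.255
access-list 100 permit ip 192.168.90.0 0.0.0.7 10.200.0.0 0.0.255.255
access-list 100 permit ip 192.168.90.0 0.0.0.7 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.90.0 0.0.0.7 192.9.0.0 0.0.255.255
route-map SDM_RMAP_1 permit 1
match ip address 101
"""

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

def _parse_addr(tokens, wildcard):
    """Consume 'any', 'host X' or 'X mask' and return an IPv4Network.
    IOS numbered ACLs carry wildcard masks, ASA extended ACLs carry subnet masks."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if wildcard:  # invert the wildcard bits into a subnet mask
        mask = str(ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)

def parse_ip_acls(config, wildcard):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for 'permit|deny ip' entries;
    remarks, standard ACLs and non-ACL lines are skipped."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, t = t[1], t[2:]
        if t[0] == "extended":
            t.pop(0)
        action, proto = t.pop(0), t.pop(0)
        if proto != "ip":
            continue  # only plain 'ip' entries are modelled here
        src, dst = _parse_addr(t, wildcard), _parse_addr(t, wildcard)
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def acl_permits(rules, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, sn, dn in rules:
        if s in sn and d in dn:
            return action == "permit"
    return False

def spoke_rules(base_rules, spoke_net):
    """ACL 100 for another spoke, with that spoke's /29 swapped in as the source.
    Assumes every 877 was built from the same template (my assumption, not the post's)."""
    net = ipaddress.IPv4Network(spoke_net)
    return [(a, net, d) for a, _, d in base_rules]

def spoke_to_spoke_path(src_ip, dst_ip, src_net, dst_net):
    """Evaluate each leg of A -> hub -> B and back.  A False or [] names the
    device that would drop the packet or send it outside the tunnel."""
    asa = parse_ip_acls(ASA_EXCERPT, wildcard=False)
    base = parse_ip_acls(IOS_EXCERPT, wildcard=True)["100"]
    a_rules, b_rules = spoke_rules(base, src_net), spoke_rules(base, dst_net)

    def hub_entries(s, d):  # crypto-map ACLs the hairpinned packet would match
        return [n for n, r in asa.items() if acl_permits(r, s, d)]

    return {
        "hub_allows_hairpin": "same-security-traffic permit intra-interface" in ASA_EXCERPT,
        "a_encrypts_to_hub": acl_permits(a_rules, src_ip, dst_ip),
        "hub_entries_forward": hub_entries(src_ip, dst_ip),
        "b_encrypts_return": acl_permits(b_rules, dst_ip, src_ip),
        "hub_entries_return": hub_entries(dst_ip, src_ip),
    }

def undefined_acl_refs(config):
    """ACL numbers named in 'match ip address' with no 'access-list' definition."""
    defined = set(re.findall(r"^\s*access-list (\S+)", config, re.M))
    referenced = set(re.findall(r"^\s*match ip address (\S+)", config, re.M))
    return sorted(referenced - defined)
```

Calling `spoke_to_spoke_path("192.168.90.2", "192.168.90.10", "192.168.90.0/29", "192.168.90.8/29")` walks a constructed phone-to-phone flow between 877-1 and 877-2; `undefined_acl_refs(IOS_EXCERPT)` reports the dangling ACL reference.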