OldNWHacker
Technical User
Hello.
I am setting up some new equipment and can't seem to understand why traffic won't flow in the
VPN tunnel when using a Cisco 851W router at the remote offices.
(Everything is currently in a test environment, btw.)
I have worked with Cisco PIXes v6.x for a while, not ASAs until this 5510, and it is many
years since I last met an IOS router, so the 851Ws are almost entirely configured with SDM,
and configuring Cisco NAT always makes me have to concentrate more than normal, as I mix things up.
We have 1 HQ ASA5510, 3 851W IOS routers and 1 PIX501.
The 4 small ones will connect to the bigger ASA5510.
Symptom-wise, with the configurations shown below, the PIX501 can connect successfully to the ASA5510,
and traffic flows nicely in the VPN tunnel - we can ping the HQ LAN etc.
But when pinging from the inside of an 851W to the HQ LAN it doesn't work,
yet the VPN (IKE) tunnel is indicated as up, as the ASA5510's ASDM log buffers show both phase 1 and
phase 2 as successful.
Also, when I used 2 PIX501s for testing purposes as remotes, both of them connected nicely to the ASA5510,
and were able to ping the HQ LAN etc.
Of possible interest might be that when connecting with the 851Ws, as compared to connecting with a PIX501,
one additional entry shows up in the ASA5510's log right after "phase 2 completed": "internal error in
es_PostEvent: event argument tag is unknown".
I noticed that the 851W was sensitive to the ASA5510's command "password-storage enable", as it wouldn't
establish an automatic VPN tunnel without it being present, whereas the PIX501 didn't care.
Also, when using the ASA5510 ASDM packet tracer, I can follow a ping from the HQ LAN to a remote LAN, and as far
as the ASDM packet tracer knows the last hop is the remote's external IP, so the ASA5510 feels kind of correct
in that aspect?
Here is the layout, and we are hoping to use Easy VPN for these small remotes:
(We will be implementing a non-Easy VPN IPsec tunnel later with another PIX515, but I'm not there yet.)
remote1 851W -> HQ ASA5510
remote2 851W -> HQ ASA5510
remote3 851W -> HQ ASA5510
remote4 PIX501 -> HQ ASA5510
Version-wise it looks like this:
ASA5510: ASA v7.2(1), ASDM v5.2(1)
PIX501: v6.3(5)
851W: IOS v12.4-4 T3 Adv Sec, SDM v2.3.2
Can anyone shed some light on this dilemma?
I'm at quite a loss as to why it behaves like this.
We have SmartNets for all of the machines; perhaps Cisco support is the way to go otherwise. Any opinions on that?
Thanks for your time!
/Hakan
Configs:
HQ ASA5510
--------------------------------
--------------------------------
ASA Version 7.2(1)
!
hostname HQ
domain-name domain.com
enable password hello
names
name 10.21.11.10 MAIL-DMZ
name 66.66.66.67 MAIL-OUT
name 10.21.11.11 APP1-DMZ
name 66.66.66.68 APP1-OUT
name 62.62.62.62 APPSRV1
name 194.52.120.2 SRV1-IN
name 62.20.60.210 SRV1-OUT
name 194.52.120.0 HQ_LAN
name 10.21.11.0 DMZ_LAN
name 10.21.12.0 REMOTE1_LAN
name 10.21.12.32 REMOTE2_LAN
name 10.21.12.64 REMOTE3_LAN
name 10.21.12.96 REMOTE4_LAN
dns-guard
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 194.52.120.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
 ip address 10.21.11.1 255.255.255.0
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 66.66.66.66 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.99.1.1 255.255.255.0
 management-only
!
passwd hello
boot system disk0:/asa721-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
 domain-name domain.com
object-group service APP1_TCP tcp
 description Application1_ports
 port-object range 2000 2050
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit tcp any host MAIL-OUT eq smtp
access-list outside_access_in extended permit tcp host APPSRV1 host APP1-OUT object-group APP1_TCP
access-list inside_access_in extended permit ip HQ_LAN 255.255.255.0 any
access-list dmz_access_in extended permit icmp DMZ_LAN 255.255.255.0 any
access-list dmz_access_in extended permit tcp host MAIL-DMZ host SRV1-IN eq smtp
access-list dmz_access_in extended permit ip host APP1-DMZ host SRV1-IN
access-list dmz_access_in extended deny ip DMZ_LAN 255.255.255.0 HQ_LAN 255.255.255.0
access-list dmz_access_in extended permit ip DMZ_LAN 255.255.255.0 any
access-list no-nat extended permit ip HQ_LAN 255.255.255.0 REMOTE4_LAN 255.255.255.224
access-list no-nat extended permit ip HQ_LAN 255.255.255.0 REMOTE1_LAN 255.255.255.224
access-list no-nat extended permit ip HQ_LAN 255.255.255.0 REMOTE2_LAN 255.255.255.224
access-list no-nat extended permit ip HQ_LAN 255.255.255.0 REMOTE3_LAN 255.255.255.224
access-list ezvpn1 extended permit ip HQ_LAN 255.255.255.0 REMOTE4_LAN 255.255.255.224
access-list ezvpn1 extended permit ip HQ_LAN 255.255.255.0 REMOTE1_LAN 255.255.255.224
access-list ezvpn1 extended permit ip HQ_LAN 255.255.255.0 REMOTE2_LAN 255.255.255.224
access-list ezvpn1 extended permit ip HQ_LAN 255.255.255.0 REMOTE3_LAN 255.255.255.224
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu dmz 1500
mtu outside 1500
mtu management 1500
icmp permit any echo outside
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 HQ_LAN 255.255.255.0
static (inside,outside) SRV1-OUT SRV1-IN netmask 255.255.255.255
static (inside,dmz) HQ_LAN HQ_LAN netmask 255.255.255.0
static (dmz,inside) DMZ_LAN DMZ_LAN netmask 255.255.255.0
static (dmz,outside) MAIL-OUT MAIL-DMZ netmask 255.255.255.255
static (dmz,outside) APP1-OUT APP1-DMZ netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 66.66.66.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy EasyPol internal
group-policy EasyPol attributes
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn1
 nem enable
username remote1 password pass1
username remote1 attributes
 vpn-group-policy EasyPol
username remote2 password pass2
username remote2 attributes
 vpn-group-policy EasyPol
username remote3 password pass3
username remote3 attributes
 vpn-group-policy EasyPol
username remote4 password pass4
username remote4 attributes
 vpn-group-policy EasyPol
http server enable
http HQ_LAN 255.255.255.0 inside
http 10.99.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANSY esp-3des esp-sha-hmac
crypto dynamic-map DYNDYN-MAP 5 set transform-set TRANSY
crypto map CORPMAP 60 ipsec-isakmp dynamic DYNDYN-MAP
crypto map CORPMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group EasyVPN type ipsec-ra
tunnel-group EasyVPN general-attributes
 default-group-policy EasyPol
tunnel-group EasyVPN ipsec-attributes
 pre-shared-key brandbil
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
ntp server 192.36.134.17 source outside
prompt hostname context
: end
--------------------------------
--------------------------------
--------------------------------
REMOTE 851W
--------------------------------
--------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname remote1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 informational
logging console critical
enable secret 5 $1$FXfO$6tsrUV4yrHgQ7CibxX//b1
!
no aaa new-model
!
resource policy
!
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.21.12.1 10.21.12.14
!
ip dhcp pool sdm-pool1
   import all
   network 10.21.12.0 255.255.255.224
   dns-server 66.66.66.102
   default-router 10.21.12.1
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name domain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2535574671
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2535574671
 revocation-check none
 rsakeypair TP-self-signed-2535574671
!
!
crypto pki certificate chain TP-self-signed-2535574671
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32353335 35373436 3731301E 170D3032 30333031 30303239
  33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35333535
  37343637 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BF58 BD856959 8FEAB13D 6804A089 8458C4A3 962EEEAF 872DC3CD 1D9B673C
  83AEF49B 7276A343 C2B206E5 473D3AAC 9BBB1387 832063C0 5C4B8314 8A5A3CFF
  2B2671F0 8B78254A BE3CBBE1 43D0BB68 933EB20C 879090D5 491B0B70 E7021A56
  9B383591 040707D5 FE9ADA4B E767D301 DE699A95 94CB5E44 E137C563 77C5C91E
  CA0B0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
  551D1104 19301782 15636C61 65732E68 6176612D 736B796C 7461722E 7365301F
  0603551D 23041830 168014D0 77BB6D5A B1EDE041 9917A024 F11B5BD3 4FC53230
  1D060355 1D0E0416 0414D077 BB6D5AB1 EDE04199 17A024F1 1B5BD34F C532300D
  06092A86 4886F70D 01010405 00038181 00A03289 124E47D2 CB84B5F6 C3422302
  E13B2D74 5336BA7E 242090A1 7581970B E89A3A5F 0C4036BB 3724A842 8FC12493
  394636E1 61B26D5E 84E587A7 006AD078 DC2BD480 2B68BCD7 BB296CCF BC748E73
  AAE5CFE7 263800F8 9FEB8FD4 0E6B9F02 637BFF51 D7B97E14 E6183738 EA89D919
  E088D659 339A1971 95C80367 D20B3DF7 BF
  quit
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
!
!
crypto ipsec client ezvpn EasyVPN
 connect auto
 group EasyVPN key brandbil
 mode network-extension
 peer 66.66.66.66
 username remote1 password pass1
 xauth userid mode local
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto ipsec client ezvpn EasyVPN
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 776111AF6E07463679161E84754A transmit-key
 encryption mode wep mandatory
 !
 ssid hv1
    authentication open
    wpa-psk hex 7 AABB7233006168665644124B9E35145D321123879F0BF248344C1058867E381848
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.21.12.1 255.255.255.224
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn EasyVPN inside
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.21.12.0 0.0.0.31
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) EasyVPN
access-list 101 permit udp host 66.66.66.66 any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) EasyVPN
access-list 101 permit udp host 66.66.66.66 any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) EasyVPN
access-list 101 permit udp host 66.66.66.66 any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) EasyVPN
access-list 101 permit esp host 66.66.66.66 any
access-list 101 remark Auto generated by SDM for EzVPN (esp) EasyVPN
access-list 101 permit ahp host 66.66.66.66 any
access-list 101 permit udp host 192.36.134.17 any eq ntp
access-list 101 permit udp host 66.66.66.102 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.21.12.0 0.0.0.31 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17179036
ntp server 192.36.134.17 source FastEthernet4
end
--------------------------------
--------------------------------
--------------------------------
REMOTE PIX501
--------------------------------
--------------------------------
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hello
passwd hello
hostname remote1
domain-name domain.com
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUTGOING permit ip any any
access-list OUTGOING permit icmp any any
access-list INCOMING permit icmp any any echo-reply
access-list INCOMING permit icmp any any unreachable
access-list INCOMING permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.21.12.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm location 10.21.12.0 255.255.255.224 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTGOING in interface inside
access-group INCOMING in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.36.134.17 source outside
http server enable
http 10.21.12.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.21.12.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 66.66.66.66
vpnclient mode network-extension-mode
vpnclient vpngroup EasyVPN password brandbil
vpnclient username remote1 password pass1
vpnclient enable
dhcpd address 10.21.12.15-10.21.12.29 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
--------------------------------
--------------------------------
--------------------------------
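Added example (not from Hakan's post, and not a Cisco tool): a Python script that cross-checks the Easy VPN network-extension settings between the HQ ASA and an 851W the way a reviewer would go through them before opening a TAC case. It works on trimmed, constructed excerpts of the two configs posted above (indented as show run prints them; the excerpt constants, function names and finding texts are my own) and verifies that the router's peer is the ASA's outside address, that the group name has an ipsec-ra tunnel-group, that nem enable is present when the client runs in network-extension mode, and that the remote LAN is covered by both the NAT-exemption ACL and the split-tunnel list. It also flags when the router's own PAT ACL matches the tunnel subnet, so that NAT bypass for tunnel traffic can be confirmed on the box rather than assumed.

```python
import ipaddress
import re
# Constructed excerpts trimmed from the configs posted above (only the lines the
# check needs), indented the way "show run" prints them.
ASA_CONFIG = """\
name 194.52.120.0 HQ_LAN
name 10.21.12.0 REMOTE1_LAN
interface Ethernet0/2
 nameif outside
 ip address 66.66.66.66 255.255.255.0
access-list no-nat extended permit ip HQ_LAN 255.255.255.0 REMOTE1_LAN 255.255.255.224
access-list ezvpn1 extended permit ip HQ_LAN 255.255.255.0 REMOTE1_LAN 255.255.255.224
nat (inside) 0 access-list no-nat
group-policy EasyPol attributes
 split-tunnel-network-list value ezvpn1
 nem enable
tunnel-group EasyVPN type ipsec-ra
"""
IOS_CONFIG = """\
crypto ipsec client ezvpn EasyVPN
 group EasyVPN key brandbil
 mode network-extension
 peer 66.66.66.66
interface BVI1
 ip address 10.21.12.1 255.255.255.224
 crypto ipsec client ezvpn EasyVPN inside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 10.21.12.0 0.0.0.31
"""
def parse_interfaces(cfg):
    """{interface: [stripped sub-lines]} for an indented IOS/ASA config."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks

def interface_address(cfg, marker):
    """(ip, network) of the interface whose block contains the line <marker>."""
    for lines in parse_interfaces(cfg).values():
        if marker in lines:
            for line in lines:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:
                    return m.group(1), ipaddress.ip_network("%s/%s" % m.groups(), strict=False)
    return None, None

def parse_asa_acl(cfg, acl, names):
    """(src, dst) networks of the 'permit ip' lines of an extended ASA ACL."""
    pat = r"^access-list %s extended permit ip (\S+) (\S+) (\S+) (\S+)" % re.escape(acl)
    net = lambda host, mask: ipaddress.ip_network("%s/%s" % (names.get(host, host), mask))
    return [(net(*m.group(1, 2)), net(*m.group(3, 4))) for m in re.finditer(pat, cfg, re.M)]

def parse_ios_ezvpn(cfg):
    """Name, group, mode and peer of the router's 'crypto ipsec client ezvpn' block."""
    m = re.search(r"^crypto ipsec client ezvpn (\S+)\n((?: .*\n)*)", cfg, re.M)
    field = lambda key: re.search(r"^ %s (\S+)" % key, m.group(2), re.M).group(1)
    return {"name": m.group(1), "group": field("group"), "mode": field("mode"), "peer": field("peer")}

def ios_nat_sources(cfg):
    """Networks matched by the standard ACL named in 'ip nat inside source list'."""
    m = re.search(r"^ip nat inside source list (\S+) ", cfg, re.M)
    if not m:
        return []
    pat = r"^access-list %s permit (\S+) (\S+)$" % re.escape(m.group(1))
    # ipaddress accepts the IOS wildcard (hostmask) form, e.g. 10.21.12.0/0.0.0.31
    return [ipaddress.ip_network("%s/%s" % s.groups()) for s in re.finditer(pat, cfg, re.M)]

def check_nem_consistency(asa_cfg, ios_cfg):
    """List of findings; an empty list means the NEM settings on both ends agree."""
    names = {m.group(2): m.group(1) for m in re.finditer(r"^name (\S+) (\S+)", asa_cfg, re.M)}
    ez = parse_ios_ezvpn(ios_cfg)
    outside, _ = interface_address(asa_cfg, "nameif outside")
    _, remote = interface_address(ios_cfg, "crypto ipsec client ezvpn %s inside" % ez["name"])
    findings = []
    if ez["peer"] != outside:
        findings.append("peer %s is not the ASA outside address %s" % (ez["peer"], outside))
    if not re.search(r"^tunnel-group %s type ipsec-ra" % re.escape(ez["group"]), asa_cfg, re.M):
        findings.append("ASA has no ipsec-ra tunnel-group named %s" % ez["group"])
    if ez["mode"] == "network-extension" and not re.search(r"^ nem enable$", asa_cfg, re.M):
        findings.append("client is in network-extension mode but the group-policy lacks 'nem enable'")
    split_acl = re.search(r"^ split-tunnel-network-list value (\S+)", asa_cfg, re.M).group(1)
    nonat_acl = re.search(r"^nat \(inside\) 0 access-list (\S+)", asa_cfg, re.M).group(1)
    for label, acl in (("NAT exemption", nonat_acl), ("split-tunnel list", split_acl)):
        if not any(remote.subnet_of(dst) for _, dst in parse_asa_acl(asa_cfg, acl, names)):
            findings.append("remote subnet %s is not covered by %s ACL %s" % (remote, label, acl))
    for net in ios_nat_sources(ios_cfg):
        if remote.overlaps(net):
            findings.append("WARNING: remote PAT ACL covers %s; confirm that traffic for the "
                            "HQ LAN is exempted from NAT on the router" % net)
    return findings

if __name__ == "__main__":
    for finding in check_nem_consistency(ASA_CONFIG, IOS_CONFIG) or ["all checks passed"]:
        print(finding)
```

Run as a script it prints the findings. With the values posted above every check passes except the PAT overlap, which is reported as a warning to confirm on the router rather than as an error, since the post does not show how the 851W treats NAT for traffic that enters the tunnel. Changing the BVI1 subnet, the peer address, or removing nem enable in the excerpts produces the corresponding error findings.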
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list OUTGOING permit ip any any
access-list OUTGOING permit icmp any any
access-list INCOMING permit icmp any any echo-reply
access-list INCOMING permit icmp any any unreachable
access-list INCOMING permit icmp any any time-exceeded
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.21.12.1 255.255.255.224
ip audit info action alarm
ip audit attack action alarm
pdm location 10.21.12.0 255.255.255.224 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group OUTGOING in interface inside
access-group INCOMING in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
ntp server 192.36.134.17 source outside
http server enable
http 10.21.12.0 255.255.255.224 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.21.12.0 255.255.255.224 inside
telnet timeout 5
ssh timeout 5
console timeout 0
vpnclient server 66.66.66.66
vpnclient mode network-extension-mode
vpnclient vpngroup EasyVPN password brandbil
vpnclient username remote1 password pass1
vpnclient enable
dhcpd address 10.21.12.15-10.21.12.29 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
--------------------------------
--------------------------------
--------------------------------
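Beyond the tunnel problem itself, the posted configs carry several settings a reviewer would want flagged before these boxes leave the lab (WEP on the radio, the default `public` SNMP community, telnet on the vty/console lines, plain HTTP management, and type 7 / plaintext secrets in a config that was pasted publicly). The following is an added example, not code from the original post or from any Cisco tool: a small offline linter that scans IOS/PIX configuration text line by line and returns findings. The `RULES` table, `Finding`, `audit` and `summarize` are all names chosen here, and `SAMPLE_CONFIG` is constructed from the kinds of lines seen above with every secret replaced by a placeholder.

```python
"""Offline hygiene checks over Cisco IOS / PIX configuration text.

Added example (not part of the original thread). Scans one config line at a
time against a table of regex rules and reports matches, so a pasted config can
be reviewed before it is posted or deployed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line within the scanned text
    rule: str      # rule name from RULES
    text: str      # the offending config line, stripped


# (rule name, regex matched against a single config line, reviewer note)
RULES = [
    ("wep-encryption", re.compile(r"^\s*encryption mode wep\b"),
     "WEP is broken; use WPA2-PSK/AES or 802.1X on the radio"),
    ("default-snmp-community", re.compile(r"^\s*snmp-server community (public|private)\b"),
     "default SNMP community string; change it and restrict by ACL"),
    ("telnet-transport", re.compile(r"^\s*transport (input|output) .*\btelnet\b"),
     "telnet is cleartext; restrict line transport to ssh"),
    ("cleartext-http", re.compile(r"^\s*(ip http server|http server enable)\s*$"),
     "management over plain HTTP; keep only the secure server"),
    ("type7-secret", re.compile(r"\b7 [0-9A-Fa-f]{4,}\b"),
     "type 7 'encryption' is reversible; rotate the key and redact it from pastes"),
    ("plaintext-password", re.compile(r"^\s*(enable password|passwd|vpnclient (vpngroup|username)) "),
     "plaintext credential in config; rotate and redact before sharing"),
    ("permit-any-any", re.compile(r"^\s*access-list \S+ permit ip any any\s*$"),
     "ACL permits all IP traffic"),
]


def audit(config_text: str) -> list[Finding]:
    """Return every (line, rule) match; a line can trigger more than one rule."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        for name, rx, _note in RULES:
            if rx.search(line):
                findings.append(Finding(n, name, line.strip()))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule name."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample: lines of the kind seen in the posted 851W and PIX501
# configs, with all real secrets replaced by placeholders.
SAMPLE_CONFIG = """\
! constructed sample config
encryption mode wep mandatory
wpa-psk hex 7 0000DEADBEEF
snmp-server community public
transport input telnet ssh
ip http server
ip http secure-server
enable password hello
passwd hello
vpnclient vpngroup EasyVPN password groupsecret
access-list OUTGOING permit ip any any
access-list INCOMING permit icmp any any echo-reply
ntp clock-period 17179036
"""

if __name__ == "__main__":
    notes = {name: note for name, _rx, note in RULES}
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no:3d} [{f.rule}] {f.text}\n          -> {notes[f.rule]}")
```

Run it against a saved `show running-config` (secrets redacted first) with `audit(open(path).read())`; the `type7-secret` rule only reports that a reversible key is present, it does not decode anything.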