I have been trying many different ways to get this to work but have been unable to. After 8 hours I literally have a headache and have to step away for a minute. I just realized I needed to ping between the tunnels to bring it up but still am unable to. Can anyone take a look and tell me where i've gone wrong? Im trying to configure a site to site vpn betwen :
ASA_A
outside interface 5.179.17.66
inside interface 10.1.1.1
ASA B
outside interface 5.81.57.19
inside interface 10.1.2.1
here is what I hav configured so far...
site a
: Saved
:
ASA Version 7.2(4)
!
hostname SCIRV
domain-name funhats.com
enable password m9s5QcvdLLwFT/UA encrypted
passwd Sf7wuwyZwIFZTTgv encrypted
names
name 5.179.17.71 IIS2_Flash_Gateway description iPoster Web Server
name 5.179.17.72 IIS2_HOC_Admin description iPoster Admin Website
name 5.179.17.73 IIS2_ILOGIX
name 5.179.17.74 IIS2_SCI description Corporate Website
name 5.202.10.224 SSSPDataCenter
name 5.81.57.190 santaana
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 5.179.17.66 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
speed 100
duplex full
!
interface Ethernet0/5
speed 100
duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name funhats.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list FromOut extended permit icmp any any
access-list FromOut extended permit tcp any host IIS2_Flash_Gateway eq disable
access-list FromOut extended permit tcp any host IIS2_Flash_Gateway eq https log disable
access-list FromOut extended permit tcp any host IIS2_HOC_Admin eq disable
access-list FromOut extended permit tcp any host IIS2_HOC_Admin eq https log disable
access-list FromOut extended permit tcp any host IIS2_ILOGIX eq disable
access-list FromOut extended permit tcp any host IIS2_ILOGIX eq https log disable
access-list FromOut extended permit tcp any host IIS2_SCI eq www
access-list FromOut extended permit tcp any host IIS2_SCI eq https
access-list FromOut extended permit tcp SSSPDataCenter 255.255.255.224 interface outside
access-list FromOut extended permit ip host santaana interface outside
access-list FromOut extended permit tcp host 72.190.52.217 interface outside
access-list FromOut extended permit tcp host 72.190.52.217 host 208.179.17.66 eq www
access-list FromOut extended permit tcp host 72.190.52.217 any
access-list FromIn extended permit icmp any any
access-list FromIn extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list FromIn extended permit ip 10.1.1.0 255.255.255.0 any
access-list ilvpn7505_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat remark ****** NAT ACL ******
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
pager lines 40
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ilvpn 10.1.1.100-10.1.1.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 3600
nat-control
global (outside) 1 interface
global (outside) 1 5.179.17.99
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) IIS2_Flash_Gateway 10.1.1.51 netmask 255.255.255.255
static (inside,outside) IIS2_HOC_Admin 10.1.1.52 netmask 255.255.255.255
static (inside,outside) IIS2_ILOGIX 10.1.1.53 netmask 255.255.255.255
static (inside,outside) IIS2_SCI 10.1.1.54 netmask 255.255.255.255
access-group FromIn in interface inside
access-group FromOut in interface outside
route outside 0.0.0.0 0.0.0.0 5.179.121.65 1
route outside 0.0.0.0 0.0.0.0 5.179.17.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 72.190.52.217 255.255.255.255 outside
http SSSPDataCenter 255.255.255.224 outside
http 99.89.50.51 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set md5 esp-3des esp-md5-hmac
crypto ipsec transform-set sha esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map dynmap 10 set transform-set md5
crypto dynamic-map dynmap 30 set pfs group1
crypto dynamic-map dynmap 30 set transform-set sha
crypto dynamic-map dynmap 50 set pfs group1
crypto dynamic-map dynmap 50 set transform-set sha
crypto dynamic-map dynmap 70 set pfs group1
crypto dynamic-map dynmap 70 set transform-set sha
crypto dynamic-map dynmap 90 set pfs group1
crypto dynamic-map dynmap 90 set transform-set sha
crypto dynamic-map dynmap 110 set pfs group1
crypto dynamic-map dynmap 110 set transform-set sha
crypto dynamic-map dynmap 130 set pfs group1
crypto dynamic-map dynmap 130 set transform-set sha
crypto dynamic-map dynmap 150 set pfs group1
crypto dynamic-map dynmap 150 set transform-set sha
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer santaana
crypto map outside_map 1 set transform-set sha
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.3.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 99.89.50.51 255.255.255.255 outside
ssh SSSPDataCenter 255.255.255.224 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 216.116.96.2 216.116.96.3
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain sorrentocapital.com
dhcpd auto_config outside
!
dhcpd address 10.1.1.211-10.1.1.250 inside
dhcpd enable inside
!
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy ilvpn7505 internal
group-policy ilvpn7505 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
username sciadmin password RjJaLFwUPrAl6mMx encrypted privilege 15
username ahedges password qrkHIA.7j6CIlp0b encrypted privilege 15
username ahedges attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
group-lock none
tunnel-group ilvpn7505 type ipsec-ra
tunnel-group ilvpn7505 general-attributes
address-pool ilvpn
default-group-policy ilvpn7505
tunnel-group ilvpn7505 ipsec-attributes
pre-shared-key *
tunnel-group 5.81.57.190 type ipsec-l2l
tunnel-group 5.81.57.190 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:e13fd243de7aee0f38ad2eeb84e35264
: end
asdm image disk0:/asdm-524.bin
asdm location IIS2_Flash_Gateway 255.255.255.255 inside
asdm location IIS2_SCI 255.255.255.255 inside
no asdm history enable
Site B
: Saved
:
ASA Version 8.2(5)
!
hostname SOR-SAN-CA-ASA
enable password uYCZ07tmXaL6PwPT encrypted
passwd uYCZ07tmXaL6PwPT encrypted
names
name 5.202.10.224 SSSPRemoteAccess description 3SP Data Center
name 10.1.1.0 Inside-irvine description Irvine Inside subnet
name 5.179.17.66 irvineOutside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 5.81.57.190 255.255.255.240
!
banner exec UnAuthorized Access Prohibited!
banner login UnAuthorized Access Prohibited!
banner motd UnAuthorized Access Prohibited!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 Inside-irvine 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 Inside-irvine 255.255.255.0
access-list outside_access_in extended permit ip host irvineOutside interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.2.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 5.81.57.177 1
route outside Inside-irvine 255.255.255.0 5.179.17.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.2.1.0 255.255.255.0 inside
http SSSPRemoteAccess 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer irvineOutside
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SOR-SAN-CA-ASA
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.2.1.0 255.255.255.0 inside
telnet timeout 5
ssh SSSPRemoteAccess 255.255.255.224 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.100-10.2.1.199 inside
dhcpd dns 216.81.55.55 216.81.56.56 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password BSnkFE/8/YRHEcYV encrypted
tunnel-group 5.179.17.66 type ipsec-l2l
tunnel-group 5.179.17.66 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6e6259fbeaf3bdaf1bbb01e31970473e
: end
asdm location SSSPRemoteAccess 255.255.255.224 inside
asdm location Inside-irvine 255.255.255.0 inside
asdm location irvineOutside 255.255.255.255 inside
no asdm history enable
ASA_A
outside interface 5.179.17.66
inside interface 10.1.1.1
ASA B
outside interface 5.81.57.19
inside interface 10.1.2.1
here is what I hav configured so far...
site a
: Saved
:
ASA Version 7.2(4)
!
hostname SCIRV
domain-name funhats.com
enable password m9s5QcvdLLwFT/UA encrypted
passwd Sf7wuwyZwIFZTTgv encrypted
names
name 5.179.17.71 IIS2_Flash_Gateway description iPoster Web Server
name 5.179.17.72 IIS2_HOC_Admin description iPoster Admin Website
name 5.179.17.73 IIS2_ILOGIX
name 5.179.17.74 IIS2_SCI description Corporate Website
name 5.202.10.224 SSSPDataCenter
name 5.81.57.190 santaana
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 5.179.17.66 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
speed 100
duplex full
!
interface Ethernet0/2
speed 100
duplex full
!
interface Ethernet0/3
speed 100
duplex full
!
interface Ethernet0/4
speed 100
duplex full
!
interface Ethernet0/5
speed 100
duplex full
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name funhats.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list FromOut extended permit icmp any any
access-list FromOut extended permit tcp any host IIS2_Flash_Gateway eq disable
access-list FromOut extended permit tcp any host IIS2_Flash_Gateway eq https log disable
access-list FromOut extended permit tcp any host IIS2_HOC_Admin eq disable
access-list FromOut extended permit tcp any host IIS2_HOC_Admin eq https log disable
access-list FromOut extended permit tcp any host IIS2_ILOGIX eq disable
access-list FromOut extended permit tcp any host IIS2_ILOGIX eq https log disable
access-list FromOut extended permit tcp any host IIS2_SCI eq www
access-list FromOut extended permit tcp any host IIS2_SCI eq https
access-list FromOut extended permit tcp SSSPDataCenter 255.255.255.224 interface outside
access-list FromOut extended permit ip host santaana interface outside
access-list FromOut extended permit tcp host 72.190.52.217 interface outside
access-list FromOut extended permit tcp host 72.190.52.217 host 208.179.17.66 eq www
access-list FromOut extended permit tcp host 72.190.52.217 any
access-list FromIn extended permit icmp any any
access-list FromIn extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list FromIn extended permit ip 10.1.1.0 255.255.255.0 any
access-list ilvpn7505_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat remark ****** NAT ACL ******
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.1.0 255.255.255.0
pager lines 40
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ilvpn 10.1.1.100-10.1.1.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 3600
nat-control
global (outside) 1 interface
global (outside) 1 5.179.17.99
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.1.1.0 255.255.255.0
static (inside,outside) IIS2_Flash_Gateway 10.1.1.51 netmask 255.255.255.255
static (inside,outside) IIS2_HOC_Admin 10.1.1.52 netmask 255.255.255.255
static (inside,outside) IIS2_ILOGIX 10.1.1.53 netmask 255.255.255.255
static (inside,outside) IIS2_SCI 10.1.1.54 netmask 255.255.255.255
access-group FromIn in interface inside
access-group FromOut in interface outside
route outside 0.0.0.0 0.0.0.0 5.179.121.65 1
route outside 0.0.0.0 0.0.0.0 5.179.17.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 72.190.52.217 255.255.255.255 outside
http SSSPDataCenter 255.255.255.224 outside
http 99.89.50.51 255.255.255.255 outside
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set md5 esp-3des esp-md5-hmac
crypto ipsec transform-set sha esp-3des esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map dynmap 10 set transform-set md5
crypto dynamic-map dynmap 30 set pfs group1
crypto dynamic-map dynmap 30 set transform-set sha
crypto dynamic-map dynmap 50 set pfs group1
crypto dynamic-map dynmap 50 set transform-set sha
crypto dynamic-map dynmap 70 set pfs group1
crypto dynamic-map dynmap 70 set transform-set sha
crypto dynamic-map dynmap 90 set pfs group1
crypto dynamic-map dynmap 90 set transform-set sha
crypto dynamic-map dynmap 110 set pfs group1
crypto dynamic-map dynmap 110 set transform-set sha
crypto dynamic-map dynmap 130 set pfs group1
crypto dynamic-map dynmap 130 set transform-set sha
crypto dynamic-map dynmap 150 set pfs group1
crypto dynamic-map dynmap 150 set transform-set sha
crypto map mymap 1000 ipsec-isakmp dynamic dynmap
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer santaana
crypto map outside_map 1 set transform-set sha
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.3.1.0 255.255.255.0 inside
telnet 10.1.1.0 255.255.255.0 inside
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh 99.89.50.51 255.255.255.255 outside
ssh SSSPDataCenter 255.255.255.224 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 216.116.96.2 216.116.96.3
dhcpd lease 86400
dhcpd ping_timeout 750
dhcpd domain sorrentocapital.com
dhcpd auto_config outside
!
dhcpd address 10.1.1.211-10.1.1.250 inside
dhcpd enable inside
!
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 10
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
smartcard-removal-disconnect enable
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy ilvpn7505 internal
group-policy ilvpn7505 attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list none
username sciadmin password RjJaLFwUPrAl6mMx encrypted privilege 15
username ahedges password qrkHIA.7j6CIlp0b encrypted privilege 15
username ahedges attributes
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
password-storage disable
group-lock none
tunnel-group ilvpn7505 type ipsec-ra
tunnel-group ilvpn7505 general-attributes
address-pool ilvpn
default-group-policy ilvpn7505
tunnel-group ilvpn7505 ipsec-attributes
pre-shared-key *
tunnel-group 5.81.57.190 type ipsec-l2l
tunnel-group 5.81.57.190 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command uauth
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
Cryptochecksum:e13fd243de7aee0f38ad2eeb84e35264
: end
asdm image disk0:/asdm-524.bin
asdm location IIS2_Flash_Gateway 255.255.255.255 inside
asdm location IIS2_SCI 255.255.255.255 inside
no asdm history enable
Site B
: Saved
:
ASA Version 8.2(5)
!
hostname SOR-SAN-CA-ASA
enable password uYCZ07tmXaL6PwPT encrypted
passwd uYCZ07tmXaL6PwPT encrypted
names
name 5.202.10.224 SSSPRemoteAccess description 3SP Data Center
name 10.1.1.0 Inside-irvine description Irvine Inside subnet
name 5.179.17.66 irvineOutside
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.2.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 5.81.57.190 255.255.255.240
!
banner exec UnAuthorized Access Prohibited!
banner login UnAuthorized Access Prohibited!
banner motd UnAuthorized Access Prohibited!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list outside_1_cryptomap extended permit ip 10.1.2.0 255.255.255.0 Inside-irvine 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.2.0 255.255.255.0 Inside-irvine 255.255.255.0
access-list outside_access_in extended permit ip host irvineOutside interface outside
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.2.1.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 5.81.57.177 1
route outside Inside-irvine 255.255.255.0 5.179.17.166 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.2.1.0 255.255.255.0 inside
http SSSPRemoteAccess 255.255.255.224 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df outside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer irvineOutside
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SOR-SAN-CA-ASA
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 10.2.1.0 255.255.255.0 inside
telnet timeout 5
ssh SSSPRemoteAccess 255.255.255.224 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.2.1.100-10.2.1.199 inside
dhcpd dns 216.81.55.55 216.81.56.56 interface inside
dhcpd lease 28800 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password BSnkFE/8/YRHEcYV encrypted
tunnel-group 5.179.17.66 type ipsec-l2l
tunnel-group 5.179.17.66 ipsec-attributes
pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6e6259fbeaf3bdaf1bbb01e31970473e
: end
asdm location SSSPRemoteAccess 255.255.255.224 inside
asdm location Inside-irvine 255.255.255.0 inside
asdm location irvineOutside 255.255.255.255 inside
no asdm history enable