Hi Everyone,
I seem to be having a silly issue connecting two ASA 5510s using a site-to-site VPN. Can someone take a look at my configs and tell me what I'm missing? I'm new to site-to-site configs, since the owner always prefers to run everything from the office.
Thanks in advance.
Colocation
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)9
!
hostname ASA1
domain-name Local.Local
enable password LCOOk3qmGBPxgD7e encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.11.1 255.255.255.0
!
boot system disk0:/asa822-9-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server x.x.x.61
name-server x.x.x.45
domain-name Local.Local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Cisco_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 10.10.12.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq www
access-list IPSecVPN_splitTunnelAcl standard permit 10.10.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.12.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list IPSecVPN extended permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list nonat extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list vpnremot extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list outbound extended permit tcp any any eq ssh
access-list outbound extended permit tcp any any eq www
access-list outside-inbound extended permit tcp any any eq ssh
access-list outside-inbound extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit tcp any any eq ssh
access-list OUTSIDE-IN extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit object-group DM_INLINE_SERVICE_1 any any
access-list 100 extended permit tcp host 10.10.12.0 any eq www
access-list inside_nat0_outbound_1 extended permit ip 10.10.12.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.12.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool IPSec_VPN 192.168.5.100-192.168.5.199 mask 255.255.255.0
ip local pool vpnpool 10.10.15.50-10.10.15.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.11.0 255.255.255.0 management
http 10.10.12.0 255.255.255.0 inside
http 10.10.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map dyn1 10 match address vpnremot
crypto dynamic-map dyn1 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 myset1
crypto dynamic-map dyn1 10 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.203
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn Local.Local
subject-name CN=Local.Local
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
fqdn Local.Local
subject-name CN=Local.Local
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment self
subject-name CN=Local.Local
crl configure
crypto ca server
shutdown
cdp-url issuer-name CN = ASA-33-ASA1.Local.Local
smtp from-address admin@ASA-33-ASA1.Local.Local
crypto ca certificate chain ASDM_TrustPoint0
certificate 5371234c
308201d7 30820140 a0030201 02020453 71234c30 0d06092a 864886f7 0d010105
05003030 31133011 06035504 03130a48 5446532e 4c6f6361 6c311930 1706092a
864886f7 0d010902 160a4854 46532e4c 6f63616c 301e170d 31303036 32343134
35333037 5a170d32 30303632 31313435 3330375a 30303113 30110603 55040313
0a485446 532e4c6f 63616c31 19301706 092a8648 86f70d01 0902160a 48544653
2e4c6f63 616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
8181008e 032bfcdf 863b65ae d38f2626 6802308d 4265e9d3 ca40d894 91746d0e
dcb28a10 d48b7f12 fe498244 ad87136d 34c837a9 c342d73c e2946c0f fc051d68
cc9e6eb1 0bee2f7b 2c210477 240890ff 5e0087f0 75006bab 88ac86a9 ca1bb532
f573ee28 dbdde8b6 d7c2f7cd 36c41c22 2e73ff6b cca515dc 1cb4a32e dc1634bb
f3052102 03010001 300d0609 2a864886 f70d0101 05050003 81810070 d8648150
53967323 37b35d19 7abed386 7220b00a c4fa3338 a263a923 c7e012a5 e1ff4681
5fded707 ead1871e 1f2aff05 c454f3ae e3817fb1 a10e2203 3f1f43ea 305e8053
a0669c05 ab954f1f 7262c290 d24e06c3 62b6a10c 86ce181d 3ddc418a 4de4aebd
225cb11a 0250a95f 28ed495d c340d420 1122c299 f0e542e2 01f14f
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate c870234c
3082023c 308201a5 a0030201 020204c8 70234c30 0d06092a 864886f7 0d010105
05003030 31133011 06035504 03130a48 5446532e 4c6f6361 6c311930 1706092a
864886f7 0d010902 160a4854 46532e4c 6f63616c 301e170d 31303036 32343134
35303438 5a170d32 30303632 31313435 3034385a 30303113 30110603 55040313
0a485446 532e4c6f 63616c31 19301706 092a8648 86f70d01 0902160a 48544653
2e4c6f63 616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
8181008e 032bfcdf 863b65ae d38f2626 6802308d 4265e9d3 ca40d894 91746d0e
dcb28a10 d48b7f12 fe498244 ad87136d 34c837a9 c342d73c e2946c0f fc051d68
cc9e6eb1 0bee2f7b 2c210477 240890ff 5e0087f0 75006bab 88ac86a9 ca1bb532
f573ee28 dbdde8b6 d7c2f7cd 36c41c22 2e73ff6b cca515dc 1cb4a32e dc1634bb
f3052102 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06
03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 80145dcd 0b08ab88
2c5aeeb6 7efa52ab f5b8d0e7 d113301d 0603551d 0e041604 145dcd0b 08ab882c
5aeeb67e fa52abf5 b8d0e7d1 13300d06 092a8648 86f70d01 01050500 03818100
8b7572dd eca02438 8bae84a4 e87a9dad 4086a13b 962508a6 05dde4a0 a979caff
db3f3e1c 7f2aaadf 4cd89667 8e3a5f62 7558f8af bece8207 a58f99db bf81ae3b
641551e3 2b72fb61 7f2d2430 e5cc56fe c61f58b5 d3ea65b6 3ba1623d d6d99d58
61d7505f d0f76009 e5cfe99a 7afdc199 595a5c35 59364380 96bfda54 5e6c85ab
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate 2571234c
308201f1 3082015a a0030201 02020425 71234c30 0d06092a 864886f7 0d010105
0500303d 31133011 06035504 03130a48 5446532e 4c6f6361 6c312630 2406092a
864886f7 0d010902 16174854 46532d33 332d4153 41312e48 5446532e 4c6f6361
6c301e17 0d313030 36323431 34353232 315a170d 32303036 32313134 35323231
5a303d31 13301106 03550403 130a4854 46532e4c 6f63616c 31263024 06092a86
4886f70d 01090216 17485446 532d3333 2d415341 312e4854 46532e4c 6f63616c
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008e032b
fcdf863b 65aed38f 26266802 308d4265 e9d3ca40 d8949174 6d0edcb2 8a10d48b
7f12fe49 8244ad87 136d34c8 37a9c342 d73ce294 6c0ffc05 1d68cc9e 6eb10bee
2f7b2c21 04772408 90ff5e00 87f07500 6bab88ac 86a9ca1b b532f573 ee28dbdd
e8b6d7c2 f7cd36c4 1c222e73 ff6bcca5 15dc1cb4 a32edc16 34bbf305 21020301
0001300d 06092a86 4886f70d 01010505 00038181 003f021b 3415bd69 e77b4e1a
11255bf5 fb6f1689 ef087beb 7214547f 322f743d e7ac8ffd a34b5f3d 4d62ab04
d2efa1c1 ce21351a 72bcaba1 46bdc7d9 c813cb03 92c7d29c d91068ca 3d62a588
09e6d9ba fdd38b3d ed18f80c 4040f5d2 5972183e 19e79e6a c11e1c6a 5d744e3c
9817a6a5 87d952bd cefdcf20 9e6259e1 218eda30 e1
quit
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.15.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.12.100-10.10.12.199 inside
dhcpd dns x.x.x.45 x.x.x.61 interface inside
dhcpd domain Local.Local interface inside
dhcpd enable inside
!
dhcpd address 10.10.11.10-10.10.11.19 management
dhcpd dns x.x.x.12 x.x.x.12 interface management
dhcpd domain Local.Local interface management
dhcpd update dns interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl certificate-authentication interface outside port 443
webvpn
enable outside
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
default-domain value Local.Local
group-policy SecureMe internal
group-policy SecureMe attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
default-domain value Local.Local
group-policy SITEVPN internal
group-policy SITEVPN attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group Local-IPSec type remote-access
tunnel-group Local-IPSec general-attributes
address-pool vpnpool
tunnel-group Local-IPSec ipsec-attributes
pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPNPool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias rdp enable
group-url enable
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool VPNPool
tunnel-group myvpn ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
tunnel-group x.x.x.203 type ipsec-l2l
tunnel-group x.x.x.203 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:11075c610aae96062d0b6ff8f2a15d27
: end
Office
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(3)
!
hostname ASA
domain-name Local.Local
enable password LCOOk3qmGBPxgD7e encrypted
names
name x.x.x.203 PublicIP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address PublicIP 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.10.2.20
name-server 10.10.2.21
name-server x.x.x.12
name-server x.x.x.12
domain-name Local.Local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit object-group TCPUDP any any eq nfs
access-list outside_access_in extended permit tcp any any eq www
access-list IPSecVPN_splitTunnelAcl standard permit 10.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.2.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list no_nat extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list IPSecVPN extended permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 10.10.2.0 255.255.255.0
access-list nonat extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list vpnremot extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list outbound extended permit tcp any any eq ssh
access-list outbound extended permit tcp any any eq www
access-list outside-inbound extended permit tcp any any eq ssh
access-list outside-inbound extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit tcp any any eq ssh
access-list OUTSIDE-IN extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl_outside extended permit ip any host x.x.x.204
access-list acl_outside extended permit ip any host x.x.x.206
access-list outside_1_cryptomap extended permit ip 10.10.2.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 100 extended permit tcp host 10.10.2.0 any eq www
access-list outside_2_cryptomap extended permit ip 10.10.2.0 255.255.255.0 10.10.12.0 255.255.255.0
pager lines 24
logging asdm informational
logging from-address ASA5510_150@local.com
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNPool 10.10.5.50-10.10.5.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.206 255.255.255.255
static (inside,outside) tcp interface ssh 10.10.2.21 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.204 255.255.255.255
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 management
http 10.10.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map dyn1 10 match address vpnremot
crypto dynamic-map dyn1 10 set transform-set myset1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.2
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn Local.Local
subject-name CN=Local.Local
keypair SSLVPNKeypair
crl configure
crypto ca server
shutdown
cdp-url issuer-name CN=ASA-150-ASA1.ASA.local
smtp from-address admin@ASA-150-ASA1.ASA.local
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201d4 3082013d a0030201 02020131 300d0609 2a864886 f70d0101 04050030
30311330 11060355 0403130a 48544653 2e4c6f63 616c3119 30170609 2a864886
f70d0109 02160a48 5446532e 4c6f6361 6c301e17 0d313030 35313130 37313632
395a170d 32303035 30383037 31363239 5a303031 13301106 03550403 130a4854
46532e4c 6f63616c 31193017 06092a86 4886f70d 01090216 0a485446 532e4c6f
63616c30 819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100
cc0950a5 4fb497dd 43a1e6d3 5486e224 0ebfd72d 6fe69e93 1530defb c8b9a974
1d1e9dbf 7be0b70a 1aebab19 b10171bb bc61e587 9b5a4622 222f0162 d7ea797b
e81ca19b d6f94b67 46b5f14b 5d4f6530 8408ab00 89e2945b 2ce4ffd5 e7130cc7
9cc0886a f5842ddc 710c557d 84b1c96b b6dacbe3 eae0ffda 27ea1228 44d704c9
02030100 01300d06 092a8648 86f70d01 01040500 03818100 03e108a5 ecbc6bc0
32ac3c98 84529fdc a7cfdc26 fe51f00f ae2516c9 38d6f9d2 ce70c0aa 8e06bdb3
611c74ea 800b9440 7835af6f a78afea3 b7bc8505 62ae7a41 e58c5dce 19719cb1
cd6548d0 6db283d9 cd4e0914 8e55f39a 38c9b534 978847e8 98519741 49949b8c
37886ffc 45c78c66 37e2638b e02e6958 044d521c aa621c2e
quit
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.5.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.10.2.20
!
dhcpd address 10.10.2.100-10.10.2.199 inside
dhcpd dns 10.10.2.20 10.10.2.21 interface inside
dhcpd domain ASA.Local interface inside
dhcpd enable inside
!
dhcpd address 10.10.1.2-10.10.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
ssl encryption rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
default-domain value ASA.Local
group-policy SecureMe internal
group-policy SecureMe attributes
dns-server value 10.10.2.20 10.10.2.21
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
dns-server value x.x.x.12 x.x.x.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
default-domain value ASA.Local
group-policy Management internal
group-policy Management attributes
dns-server value 10.10.2.20 10.10.2.21
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value 100
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock none
split-tunnel-policy tunnelall
split-tunnel-network-list value 100
vlan none
client-firewall none
client-access-rule none
tunnel-group ASA-IPSec type remote-access
tunnel-group ASA-IPSec general-attributes
address-pool VPNPool
tunnel-group ASA-IPSec ipsec-attributes
pre-shared-key *
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPNPool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias rdp enable
group-url enable
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool VPNPool
tunnel-group myvpn ipsec-attributes
pre-shared-key *
radius-sdi-xauth
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.10.2.22
prompt hostname context
Cryptochecksum:0d60ed2ad7026cda6836cec0bef35564
: end
I seem to be having a silly issue connecting two ASA 5510s using a site-to-site VPN. Can someone take a look at my configs and tell me what I'm missing? I'm new to site-to-site configs, since the owner always prefers to run everything from the office.
Thanks in advance.
Colocation
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(2)9
!
hostname ASA1
domain-name Local.Local
enable password LCOOk3qmGBPxgD7e encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.12.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.11.1 255.255.255.0
!
boot system disk0:/asa822-9-k8.bin
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server x.x.x.61
name-server x.x.x.45
domain-name Local.Local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list Cisco_splitTunnelAcl standard permit 192.168.2.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 10.10.12.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit tcp any any eq www
access-list IPSecVPN_splitTunnelAcl standard permit 10.10.12.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.12.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list no_nat extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list IPSecVPN extended permit ip 10.10.15.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list nonat extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list vpnremot extended permit ip 10.10.12.0 255.255.255.0 10.10.15.0 255.255.255.0
access-list outbound extended permit tcp any any eq ssh
access-list outbound extended permit tcp any any eq www
access-list outside-inbound extended permit tcp any any eq ssh
access-list outside-inbound extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit tcp any any eq ssh
access-list OUTSIDE-IN extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit object-group DM_INLINE_SERVICE_1 any any
access-list 100 extended permit tcp host 10.10.12.0 any eq www
access-list inside_nat0_outbound_1 extended permit ip 10.10.12.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.12.0 255.255.255.0 10.10.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool IPSec_VPN 192.168.5.100-192.168.5.199 mask 255.255.255.0
ip local pool vpnpool 10.10.15.50-10.10.15.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.11.0 255.255.255.0 management
http 10.10.12.0 255.255.255.0 inside
http 10.10.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map dyn1 10 match address vpnremot
crypto dynamic-map dyn1 10 set transform-set ESP-3DES-SHA ESP-3DES-MD5 myset1
crypto dynamic-map dyn1 10 set reverse-route
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.203
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn Local.Local
subject-name CN=Local.Local
crl configure
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment self
fqdn Local.Local
subject-name CN=Local.Local
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment self
subject-name CN=Local.Local
crl configure
crypto ca server
shutdown
cdp-url issuer-name CN = ASA-33-ASA1.Local.Local
smtp from-address admin@ASA-33-ASA1.Local.Local
crypto ca certificate chain ASDM_TrustPoint0
certificate 5371234c
308201d7 30820140 a0030201 02020453 71234c30 0d06092a 864886f7 0d010105
05003030 31133011 06035504 03130a48 5446532e 4c6f6361 6c311930 1706092a
864886f7 0d010902 160a4854 46532e4c 6f63616c 301e170d 31303036 32343134
35333037 5a170d32 30303632 31313435 3330375a 30303113 30110603 55040313
0a485446 532e4c6f 63616c31 19301706 092a8648 86f70d01 0902160a 48544653
2e4c6f63 616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
8181008e 032bfcdf 863b65ae d38f2626 6802308d 4265e9d3 ca40d894 91746d0e
dcb28a10 d48b7f12 fe498244 ad87136d 34c837a9 c342d73c e2946c0f fc051d68
cc9e6eb1 0bee2f7b 2c210477 240890ff 5e0087f0 75006bab 88ac86a9 ca1bb532
f573ee28 dbdde8b6 d7c2f7cd 36c41c22 2e73ff6b cca515dc 1cb4a32e dc1634bb
f3052102 03010001 300d0609 2a864886 f70d0101 05050003 81810070 d8648150
53967323 37b35d19 7abed386 7220b00a c4fa3338 a263a923 c7e012a5 e1ff4681
5fded707 ead1871e 1f2aff05 c454f3ae e3817fb1 a10e2203 3f1f43ea 305e8053
a0669c05 ab954f1f 7262c290 d24e06c3 62b6a10c 86ce181d 3ddc418a 4de4aebd
225cb11a 0250a95f 28ed495d c340d420 1122c299 f0e542e2 01f14f
quit
crypto ca certificate chain ASDM_TrustPoint3
certificate c870234c
3082023c 308201a5 a0030201 020204c8 70234c30 0d06092a 864886f7 0d010105
05003030 31133011 06035504 03130a48 5446532e 4c6f6361 6c311930 1706092a
864886f7 0d010902 160a4854 46532e4c 6f63616c 301e170d 31303036 32343134
35303438 5a170d32 30303632 31313435 3034385a 30303113 30110603 55040313
0a485446 532e4c6f 63616c31 19301706 092a8648 86f70d01 0902160a 48544653
2e4c6f63 616c3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902
8181008e 032bfcdf 863b65ae d38f2626 6802308d 4265e9d3 ca40d894 91746d0e
dcb28a10 d48b7f12 fe498244 ad87136d 34c837a9 c342d73c e2946c0f fc051d68
cc9e6eb1 0bee2f7b 2c210477 240890ff 5e0087f0 75006bab 88ac86a9 ca1bb532
f573ee28 dbdde8b6 d7c2f7cd 36c41c22 2e73ff6b cca515dc 1cb4a32e dc1634bb
f3052102 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06
03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 80145dcd 0b08ab88
2c5aeeb6 7efa52ab f5b8d0e7 d113301d 0603551d 0e041604 145dcd0b 08ab882c
5aeeb67e fa52abf5 b8d0e7d1 13300d06 092a8648 86f70d01 01050500 03818100
8b7572dd eca02438 8bae84a4 e87a9dad 4086a13b 962508a6 05dde4a0 a979caff
db3f3e1c 7f2aaadf 4cd89667 8e3a5f62 7558f8af bece8207 a58f99db bf81ae3b
641551e3 2b72fb61 7f2d2430 e5cc56fe c61f58b5 d3ea65b6 3ba1623d d6d99d58
61d7505f d0f76009 e5cfe99a 7afdc199 595a5c35 59364380 96bfda54 5e6c85ab
quit
crypto ca certificate chain ASDM_TrustPoint4
certificate 2571234c
308201f1 3082015a a0030201 02020425 71234c30 0d06092a 864886f7 0d010105
0500303d 31133011 06035504 03130a48 5446532e 4c6f6361 6c312630 2406092a
864886f7 0d010902 16174854 46532d33 332d4153 41312e48 5446532e 4c6f6361
6c301e17 0d313030 36323431 34353232 315a170d 32303036 32313134 35323231
5a303d31 13301106 03550403 130a4854 46532e4c 6f63616c 31263024 06092a86
4886f70d 01090216 17485446 532d3333 2d415341 312e4854 46532e4c 6f63616c
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 008e032b
fcdf863b 65aed38f 26266802 308d4265 e9d3ca40 d8949174 6d0edcb2 8a10d48b
7f12fe49 8244ad87 136d34c8 37a9c342 d73ce294 6c0ffc05 1d68cc9e 6eb10bee
2f7b2c21 04772408 90ff5e00 87f07500 6bab88ac 86a9ca1b b532f573 ee28dbdd
e8b6d7c2 f7cd36c4 1c222e73 ff6bcca5 15dc1cb4 a32edc16 34bbf305 21020301
0001300d 06092a86 4886f70d 01010505 00038181 003f021b 3415bd69 e77b4e1a
11255bf5 fb6f1689 ef087beb 7214547f 322f743d e7ac8ffd a34b5f3d 4d62ab04
d2efa1c1 ce21351a 72bcaba1 46bdc7d9 c813cb03 92c7d29c d91068ca 3d62a588
09e6d9ba fdd38b3d ed18f80c 4040f5d2 5972183e 19e79e6a c11e1c6a 5d744e3c
9817a6a5 87d952bd cefdcf20 9e6259e1 218eda30 e1
quit
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.15.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd address 10.10.12.100-10.10.12.199 inside
dhcpd dns x.x.x.45 x.x.x.61 interface inside
dhcpd domain Local.Local interface inside
dhcpd enable inside
!
dhcpd address 10.10.11.10-10.10.11.19 management
dhcpd dns x.x.x.12 x.x.x.12 interface management
dhcpd domain Local.Local interface management
dhcpd update dns interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
ssl certificate-authentication interface outside port 443
webvpn
enable outside
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
default-domain value Local.Local
group-policy SecureMe internal
group-policy SecureMe attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
default-domain value Local.Local
group-policy SITEVPN internal
group-policy SITEVPN attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group Local-IPSec type remote-access
tunnel-group Local-IPSec general-attributes
address-pool vpnpool
tunnel-group Local-IPSec ipsec-attributes
pre-shared-key *****
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPNPool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias rdp enable
group-url enable
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool VPNPool
tunnel-group myvpn ipsec-attributes
pre-shared-key *****
radius-sdi-xauth
tunnel-group x.x.x.203 type ipsec-l2l
tunnel-group x.x.x.203 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:11075c610aae96062d0b6ff8f2a15d27
: end
Office
Result of the command: "show running-config"
: Saved
:
ASA Version 8.0(3)
!
hostname ASA
domain-name Local.Local
enable password LCOOk3qmGBPxgD7e encrypted
names
name x.x.x.203 PublicIP
!
interface Ethernet0/0
nameif outside
security-level 0
ip address PublicIP 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.2.1 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 50
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 10.10.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.10.2.20
name-server 10.10.2.21
name-server x.x.x.12
name-server x.x.x.12
domain-name Local.Local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute
service-object icmp unreachable
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit tcp any any eq ssh
access-list outside_access_in extended permit object-group TCPUDP any any eq nfs
access-list outside_access_in extended permit tcp any any eq www
access-list IPSecVPN_splitTunnelAcl standard permit 10.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.10.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.2.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list no_nat extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list IPSecVPN extended permit ip 10.10.5.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list Cisco_splitTunnelAcl standard permit 10.10.2.0 255.255.255.0
access-list nonat extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list vpnremot extended permit ip 10.10.2.0 255.255.255.0 10.10.5.0 255.255.255.0
access-list outbound extended permit tcp any any eq ssh
access-list outbound extended permit tcp any any eq www
access-list outside-inbound extended permit tcp any any eq ssh
access-list outside-inbound extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit tcp any any eq ssh
access-list OUTSIDE-IN extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit object-group DM_INLINE_SERVICE_1 any any
access-list acl_outside extended permit ip any host x.x.x.204
access-list acl_outside extended permit ip any host x.x.x.206
access-list outside_1_cryptomap extended permit ip 10.10.2.0 255.255.255.0 10.10.12.0 255.255.255.0
access-list 100 extended permit tcp host 10.10.2.0 any eq www
access-list outside_2_cryptomap extended permit ip 10.10.2.0 255.255.255.0 10.10.12.0 255.255.255.0
pager lines 24
logging asdm informational
logging from-address ASA5510_150@local.com
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPNPool 10.10.5.50-10.10.5.199 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 0 access-list nonat
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp x.x.x.206 255.255.255.255
static (inside,outside) tcp interface ssh 10.10.2.21 ssh netmask 255.255.255.255
static (inside,outside) tcp x.x.x.204 255.255.255.255
access-group OUTSIDE-IN in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.5.0 255.255.255.0 inside
http 10.10.1.0 255.255.255.0 management
http 10.10.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA ESP-3DES-MD5
crypto dynamic-map dyn1 10 match address vpnremot
crypto dynamic-map dyn1 10 set transform-set myset1
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set phase1-mode aggressive
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer x.x.x.2
crypto map outside_map 2 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map mymap 10 ipsec-isakmp dynamic dyn1
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn Local.Local
subject-name CN=Local.Local
keypair SSLVPNKeypair
crl configure
crypto ca server
shutdown
cdp-url issuer-name CN=ASA-150-ASA1.ASA.local
smtp from-address admin@ASA-150-ASA1.ASA.local
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
308201d4 3082013d a0030201 02020131 300d0609 2a864886 f70d0101 04050030
30311330 11060355 0403130a 48544653 2e4c6f63 616c3119 30170609 2a864886
f70d0109 02160a48 5446532e 4c6f6361 6c301e17 0d313030 35313130 37313632
395a170d 32303035 30383037 31363239 5a303031 13301106 03550403 130a4854
46532e4c 6f63616c 31193017 06092a86 4886f70d 01090216 0a485446 532e4c6f
63616c30 819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100
cc0950a5 4fb497dd 43a1e6d3 5486e224 0ebfd72d 6fe69e93 1530defb c8b9a974
1d1e9dbf 7be0b70a 1aebab19 b10171bb bc61e587 9b5a4622 222f0162 d7ea797b
e81ca19b d6f94b67 46b5f14b 5d4f6530 8408ab00 89e2945b 2ce4ffd5 e7130cc7
9cc0886a f5842ddc 710c557d 84b1c96b b6dacbe3 eae0ffda 27ea1228 44d704c9
02030100 01300d06 092a8648 86f70d01 01040500 03818100 03e108a5 ecbc6bc0
32ac3c98 84529fdc a7cfdc26 fe51f00f ae2516c9 38d6f9d2 ce70c0aa 8e06bdb3
611c74ea 800b9440 7835af6f a78afea3 b7bc8505 62ae7a41 e58c5dce 19719cb1
cd6548d0 6db283d9 cd4e0914 8e55f39a 38c9b534 978847e8 98519741 49949b8c
37886ffc 45c78c66 37e2638b e02e6958 044d521c aa621c2e
quit
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.10.5.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 10.10.2.20
!
dhcpd address 10.10.2.100-10.10.2.199 inside
dhcpd dns 10.10.2.20 10.10.2.21 interface inside
dhcpd domain ASA.Local interface inside
dhcpd enable inside
!
dhcpd address 10.10.1.2-10.10.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
ssl encryption rc4-sha1
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1
svc image disk0:/anyconnect-dart-win-2.4.1012-k9.pkg 2
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
svc enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable default webvpn
group-policy DfltGrpPolicy attributes
default-domain value ASA.Local
group-policy SecureMe internal
group-policy SecureMe attributes
dns-server value 10.10.2.20 10.10.2.21
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
group-policy IPSecVPN internal
group-policy IPSecVPN attributes
dns-server value x.x.x.12 x.x.x.12
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value IPSecVPN_splitTunnelAcl
default-domain value ASA.Local
group-policy Management internal
group-policy Management attributes
dns-server value 10.10.2.20 10.10.2.21
vpn-access-hours none
vpn-simultaneous-logins 5
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value 100
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-lock none
split-tunnel-policy tunnelall
split-tunnel-network-list value 100
vlan none
client-firewall none
client-access-rule none
tunnel-group ASA-IPSec type remote-access
tunnel-group ASA-IPSec general-attributes
address-pool VPNPool
tunnel-group ASA-IPSec ipsec-attributes
pre-shared-key *
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPNPool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias rdp enable
group-url enable
tunnel-group myvpn type remote-access
tunnel-group myvpn general-attributes
address-pool VPNPool
tunnel-group myvpn ipsec-attributes
pre-shared-key *
radius-sdi-xauth
tunnel-group x.x.x.2 type ipsec-l2l
tunnel-group x.x.x.2 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.10.2.22
prompt hostname context
Cryptochecksum:0d60ed2ad7026cda6836cec0bef35564
: end