ASA Hub and Spoke not working

dheeraj.gautam
Level 1

Hi guys, I followed the same solution that has been explained above. After doing the configuration, Phase 1 and Phase 2 come up for all three sites, but I am unable to reach the destination from any of the sites. I have been working on this solution continuously for the last three days, but there is no luck at the moment.

Below is the config of my hub FW:

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.4(3)
!
hostname ciscoasa
domain-name arborfshosting.com
enable password MvFWWNGobOrbHMPx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 10
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
nameif outside
security-level 0
ip address 11X.19X.36X.11X 255.255.255.248
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
domain-name arborfshosting.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Local-Subnet
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network Spoke-1
subnet 192.168.10.0 255.255.255.0
object-group network SPOKE1-NETWORKS
network-object 192.168.10.0 255.255.255.0
object-group network SPOKE2-NETWORKS
network-object 172.17.1.0 255.255.255.0
object-group network HQ-NETWORKS
network-object 192.168.1.0 255.255.255.0
object-group network NAT-EXEMPTION-DESTINATIONS
group-object SPOKE1-NETWORKS
group-object SPOKE2-NETWORKS
object-group network HQ_&_BCP
network-object 192.168.10.0 255.255.255.0
network-object object Local-Subnet
object-group network HQ_&_US
network-object 172.17.1.0 255.255.255.0
network-object object Local-Subnet
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group HQ_&_US object-group SPOKE1-NETWORKS
access-list VPN-HQ-TO-SPOKE1 extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS
access-list outside_access_in extended permit ip any any
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group HQ_&_BCP object-group SPOKE2-NETWORKS
access-list VPN-HQ-TO-SPOKE2 extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (any,outside) source static HQ-NETWORKS HQ-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp description NAT-Exemption for VPN
!
object network Local-Subnet
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 11X.19X.36X.11X 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto map VPN 1 match address VPN-HQ-TO-SPOKE1
crypto map VPN 1 set pfs
crypto map VPN 1 set peer 83.16X.1XX.2XX
crypto map VPN 1 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN 2 match address VPN-HQ-TO-SPOKE2
crypto map VPN 2 set pfs
crypto map VPN 2 set peer 20X.1XX.3X.1XX
crypto map VPN 2 set ikev1 transform-set ESP-AES256-SHA
crypto map VPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 30
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_83.16X.1XX.2XX internal
group-policy GroupPolicy_83.16X.1XX.2XX attributes
vpn-tunnel-protocol ikev1
username Dgautam password rOnWdRtRxM6.ZLEP encrypted
tunnel-group 83.16X.1XX.2XX type ipsec-l2l
tunnel-group 83.16X.1XX.2XX general-attributes
default-group-policy GroupPolicy_83.16X.1XX.2XX
tunnel-group 83.16X.1XX.2XX ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 20X.1XX.3X.1XX type ipsec-l2l
tunnel-group 20X.1XX.3X.1XX ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:cbaef0174bd78907da1e06ead8c49e1d
: end
ciscoasa(config)# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 IKE Peer: 20X.1XX.3X.1XX
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 83.16X.1XX.2XX
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

Crypto map tag: VPN, seq num: 1, local addr: 11X.19X.36X.11X

access-list VPN-HQ-TO-SPOKE1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 83.16X.1XX.2XX

#pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 37, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 11X.19X.36X.11X/0, remote crypto endpt.: 83.16X.1XX.2XX/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: EA588D6B
current inbound spi : B5871D74

Crypto map tag: VPN, seq num: 2, local addr: 11X.19X.36X.11X

access-list VPN-HQ-TO-SPOKE2 extended permit ip 192.168.1.0 255.255.255.0 172.17.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
current_peer: 20X.1XX.3X.1XX

#pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 40, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 11X.19X.36X.11X/0, remote crypto endpt.: 20X.1XX.3X.1XX/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 02E90B08
current inbound spi : 41C936F6

Please help to get this resolved.

3 Replies

Francesco Molino
VIP Alumni

Hi

Based on your output, everything seems to be fine on hub side.

In your crypto IPsec output, you see that your ASA has encaps packets but no decaps for both sides.

To confirm that HUB side is correct and sending out traffic over VPN, you can do some tests by looking at the document I made: https://supportforums.cisco.com/document/13299206/asa-how-troubleshoot-vpn-l2l-ensure-traffic-passing-through-vpn

It'll ensure that packets are sent out to the right vpn.

The issue is on the other end.

Can you tell us what kind of firewall or router you have on the spoke side?

Are you managing those devices? If yes, can you paste the config in a text file please? (It will be easier to read it correctly :-) )

For information: I've reproduced your exact hub config and built the spoke configs myself to test it, and everything works fine (hub to spoke and spoke to spoke).

Just as a recommendation, I wouldn't use nat (any,outside) but would specify nat (inside,outside). You can expect strange behaviour using any,outside.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your config.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
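A check for the symptom pointed out above (encaps counting up while decaps stays at zero), as an added Python example that is not code from the thread or from Cisco: it parses `show crypto ipsec sa` text per crypto-map entry and classifies the direction of traffic on each SA. The sample output is constructed to mirror the hub's counters, with RFC 5737 placeholder addresses in place of the masked peers.

```python
"""Classify per-entry IPsec SA counters from ASA 'show crypto ipsec sa' output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample shaped like the hub's output in the thread. Entry 1 mirrors
# the thread's symptom (encaps > 0, decaps == 0); entry 2 is healthy for contrast.
# Public addresses are RFC 5737 documentation placeholders, not the thread's peers.
SAMPLE_OUTPUT = """\
IKEv1 SAs:

Active SA: 2

Crypto map tag: VPN, seq num: 1, local addr: 192.0.2.10

access-list VPN-HQ-TO-SPOKE1 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 198.51.100.20

#pkts encaps: 37, #pkts encrypt: 37, #pkts digest: 37
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0

Crypto map tag: VPN, seq num: 2, local addr: 192.0.2.10

access-list VPN-HQ-TO-SPOKE2 extended permit ip 192.168.1.0 255.255.255.0 172.17.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
current_peer: 203.0.113.30

#pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#send errors: 0, #recv errors: 0
"""

ADVICE = {
    "idle": "no packets either way: nothing matching the crypto ACL has been sent yet",
    "one-way-send": ("encrypting and sending but receiving nothing: the local side is doing "
                     "its job, so verify the remote peer's mirrored crypto ACL, NAT exemption "
                     "and return route"),
    "one-way-receive": ("receiving but not sending: check the local crypto ACL, NAT exemption "
                        "and route toward the remote network"),
    "bidirectional": "packets flow in both directions",
}


@dataclass
class SaEntry:
    tag: str
    seq: int
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    @property
    def verdict(self) -> str:
        """Direction of traffic seen on this SA, derived from the two packet counters."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.decaps == 0:
            return "one-way-send"
        if self.encaps == 0:
            return "one-way-receive"
        return "bidirectional"


def _counter(block: str, label: str) -> int:
    """Read one '#<label>: N' counter; a counter absent from the paste is reported as 0."""
    m = re.search(rf"#{re.escape(label)}: (\d+)", block)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text: str) -> list[SaEntry]:
    """Split the output at each 'Crypto map tag:' line and extract one SaEntry per block."""
    entries: list[SaEntry] = []
    for block in re.split(r"(?m)^(?=Crypto map tag:)", text):
        if not block.startswith("Crypto map tag:"):
            continue  # preamble such as the IKE SA listing
        head = re.match(r"Crypto map tag: (\S+), seq num: (\d+)", block)
        local = re.search(r"local ident \(addr/mask/prot/port\): \((\S+)\)", block)
        remote = re.search(r"remote ident \(addr/mask/prot/port\): \((\S+)\)", block)
        peer = re.search(r"current_peer: (\S+)", block)
        if not (head and local and remote and peer):
            continue  # truncated paste: skip the block rather than guess
        entries.append(SaEntry(
            tag=head.group(1), seq=int(head.group(2)),
            local_ident=local.group(1), remote_ident=remote.group(1), peer=peer.group(1),
            encaps=_counter(block, "pkts encaps"), decaps=_counter(block, "pkts decaps"),
            send_errors=_counter(block, "send errors"), recv_errors=_counter(block, "recv errors"),
        ))
    return entries


def report(entries: list[SaEntry]) -> list[str]:
    """One human-readable line per crypto-map entry, with the verdict and what to check next."""
    return [
        f"{e.tag} seq {e.seq} peer {e.peer} {e.local_ident} -> {e.remote_ident}: "
        f"encaps={e.encaps} decaps={e.decaps} [{e.verdict}] {ADVICE[e.verdict]}"
        for e in entries
    ]


if __name__ == "__main__":
    for line in report(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(line)
```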

Hi Francesco,

Thanks for looking into this case and sharing your findings. Yes, we are managing both spoke devices, and an ASA firewall is installed on both spoke sides; their configs are below:

Spoke-1:

Cryptochecksum: c49e49e3 e794c73a 281627c9 9e45b88d
: Saved
: Written by Dgautam at 05:11:55.253 GMT/BDT Mon Jul 3 2017
!
ASA Version 8.4(5)
!
hostname YARFW
domain-name arborfshosting.com
enable password MvFWWNGobOrbHMPx encrypted
passwd zdUe/IxU93Tk0Vqy encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface Ethernet0/1
nameif office
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 8X.1XX.16X.2XX 255.255.255.224
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup inside
dns domain-lookup office
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.220.220
domain-name arborfshosting.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network SPOKE1-NETWORKS
network-object 192.168.10.0 255.255.255.0
object-group network HQ-NETWORKS
network-object 192.168.1.0 255.255.255.0
object-group network SPOKE2-NETWORKS
network-object 172.17.1.0 255.255.255.0
object-group network NAT-EXEMPTION-DESTINATIONS
group-object HQ-NETWORKS
group-object SPOKE2-NETWORKS
access-list outside_cryptomap extended permit ip object-group YAR_LAN_SUBNETS_ALL object-group TH_LAN_SUBNETS
access-list YAR_SPLIT_TUNNEL standard permit 192.168.10.0 255.255.255.0
access-list YAR_SPLIT_TUNNEL standard permit 192.168.20.0 255.255.255.0
access-list YAR_SPLIT_TUNNEL standard permit 172.16.0.0 255.255.128.0
access-list YAR_SPLIT_TUNNEL standard permit 192.168.50.0 255.255.255.0
access-list YAR_SPLIT_TUNNEL standard permit 192.168.60.0 255.255.255.0
access-list outside_access_in extended permit tcp any object INT_SFTP eq ssh
access-list outside_access_in extended permit tcp any object jaspersoft eq ssh
access-list outside_access_in extended permit object mysql any object jaspersoft
access-list outside_access_in extended permit tcp any object SFTP_SERVER_INT eq ssh log warnings
access-list outside_access_in extended permit tcp object TH_Zywall object CrashPlan_AT2 object-group CrashPlan
access-list outside_access_in extended permit icmp any any object-group ICMP_SAFE
access-list outside_access_in extended permit object-group SNMP any any
access-list outside_access_in extended permit udp any any eq snmp
access-list outside_access_in extended permit udp any any eq snmptrap
access-list outside_access_in extended permit object-group ZohoPortalaccess any any
access-list outside_access_in extended permit object-group WebApp any any
access-list outside_access_in extended permit object-group WebService any any
access-list outside_access_in extended permit object RDP any object INT-RDP
access-list outside_access_in extended permit ip any object FTP-Server-34 inactive
access-list outside_access_in extended deny ip any any
access-list test extended permit ip 192.168.150.0 255.255.255.0 host 10.250.20.113
access-list test extended permit ip host 192.168.10.34 host 172.16.1.131
access-list test extended permit ip host 172.16.1.22 host 172.16.1.131
access-list Cust_L2l_ACL standard permit host 10.250.20.100
access-list Cust_L2l_ACL standard permit host 10.250.20.101
access-list Cust_L2l_ACL standard permit host 10.250.20.102
access-list Cust_L2l_ACL standard permit host 10.250.20.103
access-list Cust_L2l_ACL standard permit host 10.250.20.104
access-list Cust_L2l_ACL standard permit host 10.250.20.113
access-list Cust_L2l_ACL standard permit host 10.250.20.114
access-list Cust_L2l_ACL standard permit host 10.250.20.115
access-list Cust_L2l_ACL standard permit host 10.222.222.112
access-list Cust_L2l_ACL standard permit host 10.222.222.113
access-list Cust_L2l_ACL standard permit host 10.222.222.114
access-list Cust_L2l_ACL standard permit host 10.250.20.128
access-list Cust_L2l_ACL standard permit host 10.250.20.129
access-list Cust_L2l_ACL standard permit host 10.250.10.130
access-list Cust_AnyC_ACL extended permit object 1433 any object VPN_EXT_SQL
access-list Cust_AnyC_ACL extended permit object RDP any object VPN_EXT_RDP
access-list Cust_AnyC_ACL extended permit object-group EventSubscription any object VPN_EXT_FIX
access-list Cust_AnyC_ACL extended permit ip any object VPN_EXT_BNPRDS
access-list Cust_AnyC_ACL extended permit object 1433 any object SQL_MET_EXT
access-list Cust_AnyC_ACL extended permit tcp any object AALTO_Outside_RDP eq 3389 log disable
access-list Cust_AnyC_ACL extended permit object 1433 any object AALTO_Outside_SQL
access-list Cust_AnyC_ACL extended permit object-group EventSubscription any object AALTO_Outside_FIX
access-list Cust_AnyC_ACL extended permit object RDP any object Apex_Ext_RDS
access-list Cust_AnyC_ACL extended permit object SQL any object Apex_Ext_Sql
access-list Cust_AnyC_ACL extended permit object EventSubscriptionService any object Ext_Outset_Fix
access-list Cust_AnyC_ACL extended permit object EventSubscriptionService any object Apex_Ext_Fix
access-list Cust_AnyC_ACL extended permit icmp any any log disable
access-list Cust_AnyC_Split_Tunnel standard permit 10.250.20.0 255.255.255.0
access-list inside_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside_access_in extended permit ip any any
access-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group NAT-EXEMPTION-DESTINATIONS
access-list VPN-SPOKE1-TO-HQ extended permit ip object-group SPOKE1-NETWORKS object-group SPOKE2-NETWORKS
access-list outside_cryptomap_78 extended permit ip object VPN_EXT_Subnet object Adrigo
access-list Customer_WEBACL webtype permit url rdp://192.168.10.52 log notifications interval 300
access-list Customer_WEBACL webtype permit url smart-tunnel://192.168.10.26 log notifications interval 300
access-list Customer_WEBACL webtype permit url any log default
pager lines 24
logging enable
logging monitor debugging
logging buffered informational
logging trap informational
logging asdm informational
logging host inside 192.168.10.52
logging permit-hostdown
mtu inside 1500
mtu office 1500
mtu outside 1500
ip local pool RVPN_POOL 192.168.250.1-192.168.250.20 mask 255.255.255.0
ip local pool Quant_RVPN 192.168.160.1-192.168.160.10 mask 255.255.255.0
ip local pool Cust_RVPN_POOL 192.168.150.1-192.168.150.100 mask 255.255.255.0
ip local pool Test-D 192.168.170.1-192.168.170.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static YAR_LAN_SUBNETS_ALL YAR_LAN_SUBNETS_ALL destination static TH_LAN_SUBNETS TH_LAN_SUBNETS no-proxy-arp route-lookup
nat (inside,outside) source static YAR_LAN YAR_LAN destination static US_OFFICE_LAN US_OFFICE_LAN no-proxy-arp route-lookup
nat (inside,outside) source static YAR_LAN_SUBNETS_ALL YAR_LAN_SUBNETS_ALL destination static YAR_REM_VPN_LAN YAR_REM_VPN_LAN no-proxy-arp route-lookup
nat (inside,outside) source static SQL_INT VPN_EXT_SQL destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static Quant_RDS VPN_EXT_RDP destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static FIX_INT VPN_EXT_FIX destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static Quant_RDS VPN_EXT_BNPRDS destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static SQL_INT SQL_MET_EXT destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (outside,inside) source static Bloomberg_LAN BB_INT destination static EXT_FIX_BB FIX_INT_SERV
nat (outside,inside) source static BB_UAT BB_UAT_Int destination static EXT_FIX_BB FIX_INT_SERV
nat (inside,outside) source static RDP_Internal AALTO_Outside_RDP destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static SQL_INT AALTO_Outside_SQL destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static FIX_INT AALTO_Outside_FIX destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static Quant_RDS VPN_EXT_RDP destination static Quant_RVPN_Subnet Quant_RVPN_Subnet no-proxy-arp
nat (outside,inside) source static Quant_LAN Quant_Internal destination static VPN_EXT_RDP Quant_RDS
nat (outside,inside) source static Quant_LAN Quant_Internal destination static VPN_EXT_SQL Quant_SQL
nat (outside,inside) source static Madrague_LAN Madrague_Internal destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static BrownVanneck_LAN BrownVanneck_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static ULLINK9 ULLINK_INT destination static FIX_EXT FIX_INT
nat (outside,inside) source static ULLINK10 ULLINK_INT1 destination static FIX_EXT FIX_INT
nat (outside,inside) source static Elcotcapital_LAN Elcotcapital_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Elcotcapital_LAN Elcotcapital_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Metgroup_LAN Metcap_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Metgroup_LAN Metcap_INT destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static Met_Router2 Metcap_INT destination static VPN_EXT_SQL HP_SERV
nat (outside,inside) source static Met_Linux_LAN Met_Linux_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Met_Linux_LAN Met_Linux_INT destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static Gemsstock_LAN Gemsstock_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Gladstone_LAN Gladstone_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Edale_LAN_Prod Edale_INT_Prod destination static VPN_EXT_RDP YPLINRDS
nat (outside,inside) source static Edale_LAN_Prod Edale_INT_Prod destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Edale_LAN_Prod Edale_INT_Prod destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static Hoskings_LAN Hoskings_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Hoskings_LAN Hoskings_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Hoskings_LAN Hoskings_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static SS&C_Host1 SS&C_INT destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static SS&C_Host2 SS&C_INT2 destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static GS_LAN GS_INT destination static VPN_EXT_FIX_GS FIX_INT
nat (outside,inside) source static PalmVentures_LAN PalmVentures_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Arcus_LAN Arcus_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Arcus_LAN Arcus_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Arcus_LAN Arcus_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static IBIS_LAN IBIS_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static IBIS_LAN IBIS_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static IBIS_LAN IBIS_INT destination static VPN_EXT_FIX SQL_Internal
nat (outside,inside) source static Edale_LAN_BCP Edale_INT_BCP destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Edale_LAN_BCP Edale_INT_BCP destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Edale_LAN_BCP Edale_INT_BCP destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static Edale_Bloomberg Edale_INT_Bloomberg destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Edale_Bloomberg Edale_INT_Bloomberg destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Edale_Bloomberg Edale_INT_Bloomberg destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static Metronome_LAN Metronome_INT destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static Metronome_LAN Metronome_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Metronome_LAN Metronome_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static Gladstone_officeLAN Gladstone_INT1 destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Gladstone_officeLAN Gladstone_INT1 destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Gladstone_officeLAN Gladstone_INT1 destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static ZInvestment_Lan ZInvestment_Internal destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static ZInvestment_Lan ZInvestment_Internal destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static ZInvestment_Lan ZInvestment_Internal destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static AALTO_LAN AALTO_INT destination static AALTO_Outside_RDP RDP_INT
nat (outside,inside) source static AALTO_LAN AALTO_INT destination static AALTO_Outside_SQL SQL_INT
nat (outside,inside) source static AALTO_LAN AALTO_INT destination static AALTO_Outside_FIX SQL_INT
nat (outside,inside) source static AJAM_London_LAN AJAM_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static AJAM_London_LAN AJAM_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static AJAM_London_LAN AJAM_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static ZInvestment_malta ZInvetment_Malta_Int destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static ZInvestment_malta ZInvetment_Malta_Int destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static ZInvestment_malta ZInvetment_Malta_Int destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static Bullyseye_LAN Bullseye_INT destination static VPN_Bullseye_SQL SQL_INT
nat (outside,inside) source static Bullyseye_LAN Bullseye_INT destination static VPN_EXT_Bullyseye_RDP RDP_INT
nat (outside,inside) source static Bullyseye_LAN Bullseye_INT destination static VPN_Buulseye_FIX SQL_INT
nat (outside,inside) source static Syena_LAN Syena_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Syena_LAN Syena_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Syena_LAN Syena_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static LarsWindhorst_LAN LarsWindhorst_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static LarsWindhorst_LAN LarsWindhorst_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static LarsWindhorst_LAN LarsWindhorst_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static LarsWindhorst_BCP LarsWindhorst_INT_BCP destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static LarsWindhorst_BCP LarsWindhorst_INT_BCP destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static LarsWindhorst_BCP LarsWindhorst_INT_BCP destination static VPN_EXT_FIX SQL_INT
nat (outside,inside) source static SFG_LAN SFG_Internal destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static SFG_LAN SFG_Internal destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static SFG_LAN SFG_Internal destination static VPN_EXT_FIX SQL_Internal
nat (outside,inside) source static SVGIM_LAN SVGIM_INT destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static AJAM_LAN_Tokyo Arbor_AJAM_Tokyo_Int destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static AJAM_LAN_Tokyo Arbor_AJAM_Tokyo_Int destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static AJAM_LAN_Tokyo Arbor_AJAM_Tokyo_Int destination static VPN_EXT_FIX SQL_Internal
nat (outside,inside) source static AACapital_Lan AACapital_Int destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static AACapital_Lan AACapital_Int destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static Monterone_LAN Monterone_INT destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static Monterone_LAN Monterone_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Monterone_LAN Monterone_INT destination static VPN_EXT_FIX SQL_INT
nat (outside,outside) source static FIX_Flyer_LAN FIX_Flyer_INT destination static VPN_EXT_RDP RDP_Internal
nat (outside,inside) source static Banor_LAN Banor_INT destination static VPN_EXT_RDP RDP_INT inactive
nat (outside,inside) source static Banor_LAN Banor_INT destination static VPN_EXT_SQL SQL_INT inactive
nat (outside,inside) source static Banor_LAN Banor_INT destination static VPN_EXT_FIX FIX_INT inactive
nat (outside,inside) source static HCAP_LAN Hcap_INT destination static EXT_HCAP_RDP RDP_INT
nat (outside,inside) source static HCAP_LAN Hcap_INT destination static EXT_SQL_HCAP SQL_Internal
nat (outside,inside) source static HCAP_LAN Hcap_INT destination static EXT_FIX_HCAP SQL_Internal
nat (outside,inside) source static PalVenturesUS_Lan PalmventureUS_Int destination static VPN_EXT_RDP RDP01_INT
nat (outside,inside) source static PalVenturesUS_Lan PalmventureUS_Int destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static Spyglass_Lan Spyglass_INT destination static VPN_EXT_Spyglass_RDP RDP_Internal
nat (outside,inside) source static Spyglass_Lan Spyglass_INT destination static VPN_EXT_Spyglass_SQL SQL_Internal
nat (outside,inside) source static Mygale_Lan Mygale_Int destination static VPN_EXT_RDP_Mygale RDP_Internal
nat (outside,inside) source static Mygale_Lan Mygale_Int destination static VPN_EXT_SQL_Mygale SQL_Internal
nat (outside,inside) source static RealTickFix_Lan RelatickFix_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Albemarle_asset Albemarle_int destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Albemarle_asset Albemarle_int destination static VPN_EXT_SQL SQL_Internal
nat (outside,inside) source static Albemarle_bcp Albemarle_bcp_int destination static albemarle_vpn_ext_rdp RDP_INT
nat (outside,inside) source static Albemarle_bcp Albemarle_bcp_int destination static Albermarle_Vpn_Ext_Sql SQL_Internal
nat (outside,inside) source static Gracian_Prod_Lan Gracian_Prod_int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Gracian_bcp_PROD Gracian_int_Prod destination static FIX_EXT FIX_INT_SERV
nat (outside,inside) source static Gracian_BCP_UAT Gracian_INT_UAT destination static FIX_EXT FIX_INT_SERV
nat (outside,inside) source static Gracian_LAN Gracian_INT destination static Gracian_RDP RDP_Internal
nat (outside,inside) source static Gracian_LAN Gracian_INT destination static Gracian_SQL Quant_SQL
nat (outside,inside) source static Gracian_LAN Gracian_INT destination static Gracian_FIX FIX_INT_SERV
nat (outside,inside) source static Elcot_Lan_Drop_Copy Elcot_Drom_Int_IP destination static Ext_VPN_Elcot_Drop FIX_INT
nat (outside,inside) source static Apex_Local_Network Apex_int_Addr destination static Apex_Ext_RDS RDP_INT
nat (outside,inside) source static Apex_Local_Network Apex_int_Addr destination static Apex_Ext_Sql SQL_INT
nat (outside,inside) source static Apex_Local_Network Apex_int_Addr destination static Apex_Ext_Fix FIX_INT
nat (outside,inside) source static Abacus_Lan Abacus_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Ezisoft Ezisoft_Int destination static VPN_EXT_FIX FIX_INT_SERV
nat (outside,inside) source static MarbleArch_Lan EdgeOutset_Int destination static VPN_EXT_FIX FIX_INT_SERV
nat (outside,inside) source static KensicoOutset_Lan KensicoOutset_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Outset_Lan Outset_Int destination static Ext_Outset_Fix FIX_INT inactive
nat (outside,inside) source static glenhill_lan glenhill_internal destination static VPN_EXT_FIX FIX_INT_SERV
nat (outside,inside) source static ULLINK_NYFIX_LAN ULLINK_NyFix_Int destination static VPN_EXT_FIX FIX_INT_SERV
nat (outside,inside) source static Outset_US_Office_lan Outset_Us_office_Int destination static Ext_Outset_Fix FIX_INT inactive
nat (inside,outside) source static VPN_EXT_Subnet VPN_EXT_Subnet destination static AJAM_London_LAN AJAM_London_LAN no-proxy-arp route-lookup inactive
nat (outside,inside) source static Indi_Test_Lan Dheeraj_Int destination static FIX_EXT RDP_Internal inactive
nat (outside,inside) source static BBerg_NJ_LAN BB_NJ_Int destination static EXT_FIX_BB FIX_INT
nat (inside,outside) source static YAR_LAN YAR_LAN destination static US_LAN US_LAN no-proxy-arp route-lookup
nat (outside,inside) source static LongBoard_Host LongBoard_Int destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static LongBoard_Host LongBoard_Int destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static LongBoard_Host LongBoard_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static AFH_LAN AFH_Int destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static AFH_LAN AFH_Int destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static AFH_LAN AFH_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Privium_Viastak_Hosted_lan Privium_IntViastakhosted destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Privium_Viastak_Hosted_lan Privium_IntViastakhosted destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Privium_Viastak_Hosted_lan Privium_IntViastakhosted destination static VPN_EXT_FIX FIX_INT
nat (inside,outside) source static VPN_EXT_Subnet VPN_EXT_Subnet destination static Privium_LANViastakHosted Privium_LANViastakHosted no-proxy-arp route-lookup
nat (outside,inside) source static TRAFIX_APEX_FIX_LAN TRAFIX_INT destination static VPN_EXT_Subnet FIX_INT
nat (inside,outside) source static VPN_EXT_Subnet VPN_EXT_Subnet destination static SFG_LAN SFG_LAN no-proxy-arp route-lookup
nat (outside,inside) source static Teleios_LAN_Subnets Teleios_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Teleios_LAN_Subnets Teleios_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Frankfrt_AWS_Lan Privium_IntViastakhosted destination static VPN_EXT_RDP RDP_INT
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-viastak obj-viastak
nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-bob-aws obj-bob-aws
nat (inside,outside) source static YAR_LAN YAR_LAN destination static INDIA_LAN INDIA_LAN no-proxy-arp route-lookup
nat (outside,inside) source static WHEB_LAN Wheb_INT destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static WHEB_LAN Wheb_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static WHEB_LAN Wheb_INT destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Privium_Amstredam Privium_Ams_INT destination static Privium_EXT_RDP INT-RDP
nat (outside,inside) source static Blackwall_Cap_LAN BlackWall_Int destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Blackwall_Cap_LAN BlackWall_Int destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Blackwall_Cap_LAN BlackWall_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static R2G_LAN R2G_INT destination static R2G_RDP RDP_INT
nat (outside,inside) source static R2G_LAN R2G_INT destination static R2G_SQL SQL_INT
nat (outside,inside) source static R2G_LAN R2G_INT destination static R2G_FIX FIX_INT
nat (outside,inside) source static Gladstone_officeLAN Gladstone_New_Int destination static VPN_EXT_RDP RDP_INT
nat (outside,inside) source static Gladstone_officeLAN Gladstone_New_Int destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Gladstone_officeLAN Gladstone_New_Int destination static VPN_EXT_FIX FIX_INT
nat (outside,inside) source static Adrigo Adrigo_INT destination static VPN_EXT_FIX FIX_INT_SERV
nat (outside,inside) source static Adrigo Adrigo_INT destination static VPN_EXT_SQL SQL_INT
nat (outside,inside) source static Adrigo Adrigo_INT destination static VPN_EXT_RDP RDP_Internal
nat (any,outside) source static SPOKE1-NETWORKS SPOKE1-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup description NAT-Exemption for VPN
!
object network Jaspersoft_SSL
nat (inside,outside) static interface service tcp ssh 2222
object network SFTP_SERVER_INT
nat (inside,outside) static SFTP_SERVER_EXT
object network CrashPlan_31
nat (inside,outside) static interface service tcp 4242 4242
object network INT_SFTP
nat (inside,outside) static interface service tcp ssh 2323
object network Yar_Lan_n
nat (inside,outside) dynamic interface
object network Jaspersoft_Mysql
nat (inside,outside) static interface service tcp 3306 3306
object network ZohoPortalRule
nat (inside,outside) static interface service tcp 85 www
object network AdrigoWebService
nat (inside,outside) static interface service tcp 8003 8003
object network AdrigoWebapp
nat (inside,outside) static interface service tcp 88 88
object network AthanaseWebApp
nat (inside,outside) static interface service tcp 92 92
object network AthanaseWebService
nat (inside,outside) static interface service tcp 8007 8007
object network GracianWebApp
nat (inside,outside) static interface service tcp 91 91
object network GracianWebService
nat (any,outside) static interface service tcp 8006 8006
object network HcapWebApp
nat (inside,outside) static interface service tcp 94 94
object network HcapWebService
nat (inside,outside) static interface service tcp 8009 8009
object network SFGWEBAPP
nat (inside,outside) static interface service tcp 90 90
object network SfgWebService
nat (inside,outside) static interface service tcp 8005 8005
object network WhebWebApp
nat (inside,outside) static interface service tcp 93 93
object network WhebWebService
nat (inside,outside) static interface service tcp 8008 8008
object network MonteroneWebApp
nat (inside,outside) static interface service tcp 89 89
object network MonteroneWebService
nat (inside,outside) static interface service tcp 8004 8004
object network INT-RDP
nat (inside,outside) static interface service tcp 3389 3389
object network FTP-Server-34
nat (inside,outside) static FTP-EXT-34 service tcp ftp ftp
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 83.167.168.225 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 5
http 192.168.10.0 255.255.255.0 inside
http 11x.19x.3x.11x 255.255.255.248 outside
http 20x.14x.3x.11x 255.255.255.240 outside
http 21x.1x.20x.10x 255.255.255.254 outside
snmp-server host inside 192.168.10.25 community public
snmp-server host outside 212.13.203.102 community public
snmp-server location Yarmouth
snmp-server contact Mukesh
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps ipsec start stop
sla monitor 2
type echo protocol ipIcmpEcho 10.0.4.48 interface outside
frequency 1800
sla monitor schedule 2 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set transform-Viastak-Privium esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set AWS-BOB-LOGIN esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set Adrigo esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set HUB-SPOKE esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 78 set pfs
crypto map outside_map 78 set peer 11x.19x.3x.11X
crypto map outside_map 78 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 78 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=YARFW
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
no client-types
crl configure
crypto ca trustpoint realm-cisco.pub
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
subject-name CN=YARFW
keypair ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint4
crl configure
crypto ca trustpoint ASDM_TrustPoint6
crl configure
crypto ca trustpoint ASDM_TrustPoint7
crl configure
crypto ca trustpoint ASDM_TrustPoint8
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint9
crl configure
crypto ca trustpoint ASDM_TrustPoint10
crl configure
crypto ca trustpoint ASDM_TrustPoint11
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint12
keypair ASDM_TrustPoint12
crl configure
crypto ca trustpoint ASDM_TrustPoint14
crl configure
crypto ca trustpoint ASDM_TrustPoint16
crl configure
crypto ca trustpoint ASDM_TrustPoint15
crl configure
crypto ca trustpoint ASDM_TrustPoint17
crl configure
crypto ca trustpoint ASDM_TrustPoint18
crl configure
crypto ca trustpoint ASDM_TrustPoint19
crl configure
crypto ca trustpoint ASDM_TrustPoint20
crl configure
crypto ca trustpoint ASDM_TrustPoint22
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint23
crl configure
crypto ca trustpoint ASDM_TrustPoint24
crl configure
crypto ca trustpoint ASDM_TrustPoint26
crl configure
crypto ca trustpoint ASDM_TrustPoint27
crl configure
crypto ca trustpoint ASDM_TrustPoint28
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint25
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint29
crl configure
crypto ca trustpoint ASDM_TrustPoint30
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint31
crl configure
crypto ca trustpoint ASDM_TrustPoint21
enrollment terminal
subject-name CN=*.arborfshosting.com
keypair sumitarbor
crl configure
crypto ca trustpoint ASDM_TrustPoint32
enrollment terminal
subject-name CN=*.arborfshosting.com
crl configure
crypto ca trustpoint ca
crl configure
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint32
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 4
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 6
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 policy 7
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 8
authentication pre-share
encryption aes-192
hash sha
group 5
lifetime 86400
crypto ikev1 policy 9
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 43200
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 202
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 11x.19x.3xx.11x 255.255.255.248 outside
ssh 11x.9xx.5xx.11x 255.255.255.255 outside
ssh 11x.19x.3xx.11x 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd dns 8.8.8.8 4.4.4.4
dhcpd domain arborfshosting.com
!
dhcpd address 192.168.10.61-192.168.10.80 inside
dhcpd dns 8.8.8.8 4.4.4.4 interface inside
dhcpd domain arborfshosting.com interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl trust-point ASDM_TrustPoint12 outside vpnlb-ip
ssl trust-point ASDM_TrustPoint32 outside
ssl trust-point ASDM_TrustPoint32 inside
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.0.00048-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 4
anyconnect profiles Arbor_Customer_Profile disk0:/arbor_customer_profile.xml
anyconnect enable
tunnel-group-list enable
smart-tunnel list CustSmartRDP mstsc.exe mstsc.exe platform windows
smart-tunnel list SQL SQL ssms.exe platform windows
smart-tunnel network ArborSQLSRV ip 192.168.10.26 255.255.255.255
group-policy test-d_policy internal
group-policy test-d_policy attributes
wins-server none
dns-server value 208.67.220.220
vpn-tunnel-protocol ssl-client
default-domain value arborfshosting.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy WebTest internal
group-policy WebTest attributes
banner value This is forClientless Vpn Access.
wins-server none
dns-server none
vpn-tunnel-protocol ssl-clientless
group-lock value WebTest
default-domain value arborfshosting.com
webvpn
url-list value Customer_Book
filter value Customer_WEBACL
url-entry enable

wins-server none
dns-server value 208.67.222.222 208.67.220.220
vpn-filter value Cust_AnyC_ACL
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Cust_AnyC_Split_Tunnel
default-domain value arborfshosting.com
webvpn
anyconnect profiles value Arbor_Customer_Profile type user
anyconnect ask none default webvpn
hidden-shares none
file-entry disable
file-browsing disable
tunnel-group 11x.19x.3xx.11x type ipsec-l2l
tunnel-group 11x.19x.3xx.11x general-attributes
default-group-policy GroupPolicy_11x.19x.3xx.11x
tunnel-group 11x.19x.3xx.11x ipsec-attributes
ikev1 pre-shared-key Abcd0000
tunnel-group 213.163.150.204 type ipsec-l2l
tunnel-group 213.163.150.204 general-attributes
default-group-policy GroupPolicy_213.163.150.204
tunnel-group 213.163.150.204 ipsec-attributes
ikev1 pre-shared-key 9)87U8r(:D
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect tftp
inspect sip
inspect http
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c49e49e3e794c73a281627c99e45b88d
: end

Spoke-2

Cryptochecksum: 7f5268ae 0317be12 56728f8e ce03ed89
: Saved
: Written by Dgautam at 00:24:00.665 GMT Mon Jul 3 2017
!
ASA Version 8.6(1)2
!
hostname USFW
domain-name arborfshosting.com
enable password MvFWWNGobOrbHMPx encrypted
passwd MvFWWNGobOrbHMPx encrypted
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 2
no ip address
management-only
!
interface Redundant1
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif outside
security-level 0
ip address 20x.14x.3xx.12x 255.255.255.240
!
interface Redundant2
member-interface GigabitEthernet0/4
member-interface GigabitEthernet0/5
nameif inside
security-level 100
ip address 172.17.1.1 255.255.128.0
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name arborfshosting.com
same-security-traffic permit intra-interface
object-group network SPOKE1-NETWORKS
network-object 192.168.10.0 255.255.255.0
object-group network SPOKE2-NETWORKS
network-object 172.17.1.0 255.255.255.0
object-group network HQ-NETWORKS
network-object 192.168.1.0 255.255.255.0
object-group network NAT-EXEMPTION-DESTINATIONS
group-object HQ-NETWORKS
group-object SPOKE1-NETWORKS
object-group network TH_LAN_&_IND_LAN
network-object object INDIA_LAN
network-object object VPN_EXT_SUBNET
access-list outside_access_in extended permit object-group SQL_Logshipping_Group object YP_Cisco object SQL_SERV
access-list outside_access_in extended permit icmp any any object-group Safe_ICMP inactive
access-list outside_access_in extended permit tcp any any object-group WebAPPGroup inactive
access-list outside_access_in extended permit tcp any any object-group WebServiceGroup inactive
access-list outside_access_in extended permit tcp any object Backup_SFtp eq ssh inactive
access-list outside_access_in extended deny ip any any inactive
access-list outside_cryptomap extended permit ip object Internal_LAN object YAR_LAN
access-list Split_Tunnel_ACL standard permit 172.17.0.0 255.255.128.0
access-list Split_Tunnel_ACL standard permit 172.16.0.0 255.255.128.0
access-list Split_Tunnel_ACL standard permit 192.168.10.0 255.255.255.0
access-list Cust_Split_Tunnel_ACL standard permit host 10.250.30.100
access-list Cust_Split_Tunnel_ACL standard permit host 10.250.30.101
access-list Cust_Split_Tunnel_ACL standard permit host 10.250.30.102
access-list Cust_Split_Tunnel_ACL standard permit host 10.222.222.120
access-list Cust_Split_Tunnel_ACL standard permit host 10.222.222.121
access-list Cust_Split_Tunnel_ACL standard permit host 10.222.222.122
access-list Cust_Split_Tunnel_EACL extended permit object SQL any object Ext_VPN_SQL
access-list Cust_Split_Tunnel_EACL extended permit object RDP any object Ext_VPN_RDP
access-list Cust_Split_Tunnel_EACL extended permit object Event_Subscription_Service any object Ext_VPN_FIX
access-list Cust_Split_Tunnel_EACL extended permit object FIX_Event_Service any object Ext_VPN_FIX
access-list Cust_Split_Tunnel_EACL extended permit object-group FIX_Services any object Ext_VPN_FIX
access-list Cust_Split_Tunnel_EACL extended permit object RDP any object Apex_Ext_RDS
access-list Cust_Split_Tunnel_EACL extended permit object SQL any object Apex_Ext_SQL
access-list Cust_Split_Tunnel_EACL extended permit object Event_Subscription_Service any object Apex_Ext_Fix
access-list Cust_Split_Tunnel_EACL extended permit object Apex_Fix_Prod_Outset any object Apex_Ext_Fix
access-list outside_access_in_1 remark implicit rule
access-list outside_access_in_1 extended permit tcp any any object-group WebAPPGroup
access-list outside_access_in_1 remark implicit rule
access-list outside_access_in_1 extended permit icmp any any object-group Safe_ICMP
access-list outside_access_in_1 remark implicit rule
access-list outside_access_in_1 extended permit tcp any object SFTP_Backup eq ssh
access-list outside_access_in_1 remark implicit rule
access-list outside_access_in_1 extended permit tcp any any object-group WebServiceGroup
access-list outside_access_in_1 remark implicit rule
access-list outside_access_in_1 extended deny ip any any
access-list VPN-SPOKE2-TO-HQ extended permit ip object-group SPOKE2-NETWORKS object-group HQ-NETWORKS
access-list VPN-SPOKE2-TO-HQ extended permit ip object-group SPOKE2-NETWORKS object-group SPOKE1-NETWORKS
pager lines 24
logging enable
logging monitor informational
logging trap informational
logging asdm informational
logging host inside 172.17.1.55
logging permit-hostdown
mtu management 1500
mtu outside 1500
mtu inside 1500
ip local pool RVPN_POOL 192.168.23.1-192.168.23.50 mask 255.255.255.0
ip local pool Cust_RVPN_POOL 192.168.24.1-192.168.24.50 mask 255.255.255.0
ip local pool US_RVPN_POOL 192.168.25.1-192.168.25.50 mask 255.255.255.0
ip local pool Outset_RVPN 192.168.24.70-192.168.24.250 mask 255.255.255.0
ip local pool test-1-nps 192.168.27.1-192.168.27.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Internal_LAN Internal_LAN destination static RVPN_Subnet RVPN_Subnet no-proxy-arp route-lookup
nat (inside,outside) source static SQL_SERV Ext_VPN_SQL destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static SQL_SERV Apex_Ext_SQL destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static RDP_SERV Ext_VPN_RDP destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static RDP_SERV Apex_Ext_RDS destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static FIX_SERV Ext_VPN_FIX destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (inside,outside) source static FIX_SERV Apex_Ext_Fix destination static Cust_RVPN_Subnet Cust_RVPN_Subnet no-proxy-arp
nat (outside,inside) source static SFG_LAN SFG_Internal destination static Ext_VPN_RDP RDP_SERV
nat (outside,inside) source static SFG_LAN SFG_Internal destination static Ext_VPN_SQL SQL_SERV
nat (outside,inside) source static SFG_LAN SFG_Internal destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static REDI_Servers REDI_INT destination static REDI_EXT_VPN_FIX FIX_SERV
nat (outside,inside) source static SS&C_LAN SS&C_INT destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static Ullink_LAN Ullink_INT destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static Ullink_LAN Ullink_INT destination static Ext_VPN_SQL SQL_SERV
nat (inside,outside) source static Internal_LAN Internal_LAN destination static India_LAN_BCP India_LAN_BCP no-proxy-arp route-lookup
nat (outside,inside) source static BB_UAT BB_NY_INT destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static BB_Prod BB_NY_INT2 destination static Ext_VPN_FIX FIX_SERV
nat (inside,outside) source static NETWORK_OBJ_172.17.0.0_17 NETWORK_OBJ_172.17.0.0_17 destination static TH_Network TH_Network no-proxy-arp route-lookup
nat (outside,inside) source static Spyglass_Lan Spyglass_Int destination static Ext_VPN_RDP RDP_SERV
nat (outside,inside) source static Spyglass_Lan Spyglass_Int destination static Ext_VPN_SQL SQL_SERV
nat (outside,inside) source static Spyglass_Lan Spyglass_Int destination static Ext_VPN_FIX FIX_SERV
nat (inside,outside) source static Internal_LAN Internal_LAN destination static USoffice_LAn USoffice_LAn no-proxy-arp route-lookup
nat (outside,inside) source static Redi_Gracian_Lan Gracian_Redi_Int destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static Gracian_Redi_BCP_Lan Gracian_BCP_REDI_INT destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static Gracian_Lan Gracian_Int destination static Gracian_RDP RDP_SERV
nat (outside,inside) source static Gracian_Lan Gracian_Int destination static Gracian_SQL SQL_SERV
nat (outside,inside) source static Gracian_Lan Gracian_Int destination static Gracian_FIX FIX_SERV
nat (outside,inside) source static Apex_Local_Subnet Apex_Int_Address destination static Apex_Ext_RDS RDP_SERV
nat (outside,inside) source static Apex_Local_Subnet Apex_Int_Address destination static Apex_Ext_SQL SQL_SERV
nat (outside,inside) source static Apex_Local_Subnet Apex_Int_Address destination static Apex_Ext_Fix FIX_SERV
nat (outside,inside) source static Outset_Lan Outset_Int destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static Outset_Lan Outset_Int destination static Ext_VPN_RDP RDP_SERV
nat (outside,inside) source static Outset_Lan Outset_Int destination static Ext_VPN_SQL SQL_SERV
nat (outside,inside) source static Outset_US_OfficeLan Outset_US_Office_Int destination static Ext_VPN_SQL SQL_SERV
nat (outside,inside) source static Outset_US_OfficeLan Outset_US_Office_Int destination static Ext_VPN_RDP RDP_SERV
nat (outside,inside) source static Outset_US_OfficeLan Outset_US_Office_Int destination static Ext_VPN_FIX FIX_SERV
nat (inside,outside) source static Internal_LAN Internal_LAN destination static INDIA_LAN INDIA_LAN no-proxy-arp route-lookup
nat (outside,inside) source static BB_NJ_LAN BB_NJ_INT destination static Ext_VPN_FIX FIX_SERV
nat (inside,outside) source static Internal_LAN Internal_LAN destination static YAR_LAN YAR_LAN no-proxy-arp route-lookup
nat (outside,inside) source static LongBoard_Host LongBoard_Int destination static Ext_VPN_SQL SQL_SERV
nat (outside,inside) source static LongBoard_Host LongBoard_Int destination static Ext_VPN_RDP RDP_SERV
nat (outside,inside) source static LongBoard_Host LongBoard_Int destination static Ext_VPN_FIX FIX_SERV
nat (outside,inside) source static TRAFIX_APEX_FIX_LAN TRAFIX_APEX_INT destination static VPN_EXT_SUBNET FIX_SERV
nat (outside,inside) source static R2G_LAN R2G_LAN destination static R2G_RDP R2G-54
nat (outside,inside) source static R2G_LAN R2G_INT destination static R2G_SQL SQL_SERV
nat (outside,inside) source static R2G_LAN R2G_INT destination static R2G_FIX FIX_SERV
nat (inside,outside) source static VPN_EXT_SUBNET VPN_EXT_SUBNET destination static Adrigo_LAN Adrigo_LAN no-proxy-arp route-lookup
nat (inside,outside) source static SPOKE2-NETWORKS SPOKE2-NETWORKS destination static NAT-EXEMPTION-DESTINATIONS NAT-EXEMPTION-DESTINATIONS no-proxy-arp route-lookup
!
object network Internal_LAN
nat (inside,outside) dynamic interface
object network SQL_Logshipping
nat (inside,outside) static interface service tcp 6000 6001
object network SFGWEBAPP
nat (inside,outside) static interface service tcp 90 90
object network SFGWEBService
nat (inside,outside) static interface service tcp 8005 8005
object network GracianWebApp
nat (inside,outside) static interface service tcp 91 91
object network GracianWebService
nat (inside,outside) static interface service tcp 8006 8006
object network SFTP_Backup
nat (inside,outside) static Ext_SFTP_Addr
object network Apex_webapp
nat (inside,outside) static interface service tcp 94 94
object network Apex_webappservice
nat (inside,outside) static interface service tcp 8008 8008
object network ZohoWebportal
nat (inside,outside) static interface service tcp 85 www
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 204.140.31.113 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server NPS protocol radius
aaa-server NPS (inside) host 172.17.1.55
key (c2hQ9A([b`[jJ9{
radius-common-pw (c2hQ9A([b`[jJ9{
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 5
http 192.168.1.0 255.255.255.0 management
http 172.17.1.0 255.255.255.0 inside
http 11x.19x.3xx.11x 255.255.255.248 outside
http 8xx.16x.16x.22x 255.255.255.248 outside
http 21x.13x.20x.10x 255.255.255.254 outside
http 11x.9xx.5xx.11x 255.255.255.255 outside
snmp-server host outside 212.13.203.102 community public
snmp-server location US
snmp-server contact Mukesh
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 22 match address VPN-SPOKE2-TO-HQ
crypto map outside_map 22 set pfs
crypto map outside_map 22 set peer 112.196.36.116
crypto map outside_map 22 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint4
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint13
enrollment terminal
no client-types
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=USFW.arborfshosting.com
crl configure
crypto ca trustpoint ASDM_TrustPoint10
crl configure
crypto ca trustpoint ASDM_TrustPoint11
crl configure
crypto ca trustpoint ASDM_TrustPoint12
crl configure
crypto ca trustpoint ASDM_TrustPoint14
revocation-check crl none
enrollment url http://crl.godaddy.com:80/gds1-103.crl
crl configure
policy static
url 1 http://crl.godaddy.com/gds1-103.crl
crypto ca trustpoint ASDM_TrustPoint2
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint5
crl configure
crypto ca trustpoint ASDM_TrustPoint6
crl configure
crypto ca trustpoint ASDM_TrustPoint7
crl configure
crypto ca trustpoint ASDM_TrustPoint8
crl configure
crypto ca trustpoint ASDM_TrustPoint9
crl configure
crypto ca trustpoint ASDM_TrustPoint17
keypair ASDM_TrustPoint17
crl configure
crypto ca trustpoint ASDM_TrustPoint18
keypair ASDM_TrustPoint18
crl configure
crypto ca certificate chain ASDM_TrustPoint1
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption 3des
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256
integrity md5
group 2
prf md5
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint18
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 83.167.168.224 255.255.255.248 outside
ssh 112.196.36.112 255.255.255.248 outside
ssh 111.93.54.114 255.255.255.255 outside
ssh 112.196.36.114 255.255.255.255 outside
ssh 172.17.1.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl server-version tlsv1-only
ssl client-version tlsv1-only
ssl trust-point ASDM_TrustPoint18 outside
ssl trust-point ASDM_TrustPoint17 outside vpnlb-ip
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-4.0.00048-k9.pkg 1
anyconnect image disk0:/anyconnect-win-3.1.02026-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 4
anyconnect profiles Arbor_Customer_Profile disk0:/arbor_customer_profile.xml
anyconnect enable
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy_112.196.36.116 internal
group-policy GroupPolicy_112.196.36.116 attributes
vpn-tunnel-protocol ikev1
tunnel-group 11x.19x.3xx.11x type ipsec-l2l
tunnel-group 11x.19x.3xx.11x general-attributes
default-group-policy GroupPolicy_11x.19x.3xx.11x
tunnel-group 11x.19x.3xx.11x ipsec-attributes
ikev1 pre-shared-key Abcxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 5
subscribe-to-alert-group configuration periodic monthly 5
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7f5268ae0317be1256728f8ece03ed89
: end

Hi,

Please next time put your configs into a text file that you'll upload to the post, otherwise it's a mess to read the post and lot of scroll down/scroll up.

On your Spoke1, there is some missing config, like GroupPolicy_11x.19x.3xx.11x: the crypto map match ACL isn't there (the ACL is there, but not the crypto map referring to that ACL for encrypted data).

On Spoke2, except that a lot of groups used in ACLs and NAT are missing, the basic config for the L2L VPN is there and should work.

Have you followed my document to see on spoke side if traffic is sent over vpn?

Do you see some encaps/decaps? Can you run a show crypto ipsec peer x.x.x.x on both spokes?

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
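The kind of mismatch Francesco points out (an ACL that exists but is never bound by a crypto map entry, a tunnel-group whose default-group-policy is never defined) is easy to miss in a long running-config. The following script is an added example, not code from the poster or from Cisco: it reads a constructed ASA config fragment (documentation-range peer addresses, placeholder pre-shared key) and cross-checks crypto map entries, ACLs, transform-sets, tunnel-groups and group-policies against each other. It assumes the one-space indentation of sub-commands that `show running-config` prints; a config pasted into a forum post usually loses that indentation, so run it on the raw `show run` output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed ASA config fragment for the example (not the poster's config).
# Deliberate defects: crypto map seq 23 has no "match address", tunnel-group
# 198.51.100.1 has no pre-shared key, and its default-group-policy is never defined.
SAMPLE_CONFIG = """\
access-list VPN-SPOKE2-TO-HQ extended permit ip 172.17.1.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes esp-sha-hmac
crypto map outside_map 22 match address VPN-SPOKE2-TO-HQ
crypto map outside_map 22 set pfs
crypto map outside_map 22 set peer 203.0.113.1
crypto map outside_map 22 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 23 set peer 198.51.100.1
crypto map outside_map 23 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
group-policy GroupPolicy_203.0.113.1 internal
group-policy GroupPolicy_203.0.113.1 attributes
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 general-attributes
 default-group-policy GroupPolicy_203.0.113.1
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy GroupPolicy_198.51.100.1
"""


def parse_config(text: str) -> Dict:
    """Collect the objects an IKEv1 L2L tunnel depends on from a running-config."""
    acls: Set[str] = set()
    transform_sets: Set[str] = set()
    group_policies: Set[str] = set()
    crypto_maps: Dict[Tuple[str, int], Dict] = {}
    tunnel_groups: Dict[str, Dict] = {}
    current_tg = None  # tunnel-group whose sub-commands (indented lines) we are in

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indented = line.startswith(" ")
        parts = line.split()
        if not indented:
            current_tg = None  # any top-level command ends the sub-command block

        if parts[0] == "access-list":
            acls.add(parts[1])
        elif parts[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            transform_sets.add(parts[4])
        elif parts[0] == "group-policy" and parts[2] in ("internal", "external"):
            group_policies.add(parts[1])
        elif parts[:2] == ["crypto", "map"] and len(parts) > 4 and parts[3].isdigit():
            entry = crypto_maps.setdefault((parts[2], int(parts[3])), {})
            rest = parts[4:]
            if rest[:2] == ["match", "address"]:
                entry["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                entry["peers"] = rest[2:]
            elif rest[:3] == ["set", "ikev1", "transform-set"]:
                entry["transform_sets"] = rest[3:]
        elif parts[0] == "tunnel-group":
            tg = tunnel_groups.setdefault(parts[1], {"type": None, "policy": None, "psk": False})
            if parts[2] == "type":
                tg["type"] = parts[3]
            else:  # general-attributes / ipsec-attributes open a sub-command block
                current_tg = tg
        elif indented and current_tg is not None:
            if parts[0] == "default-group-policy":
                current_tg["policy"] = parts[1]
            elif parts[:2] == ["ikev1", "pre-shared-key"]:
                current_tg["psk"] = True

    return {"acls": acls, "transform_sets": transform_sets, "group_policies": group_policies,
            "crypto_maps": crypto_maps, "tunnel_groups": tunnel_groups}


def audit_l2l(text: str) -> List[str]:
    """Return one finding per dangling or missing reference; empty list means consistent."""
    cfg = parse_config(text)
    findings: List[str] = []
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        label = f"crypto map {name} {seq}"
        acl = entry.get("acl")
        if acl is None:
            findings.append(f"{label}: no 'match address' ACL, so no traffic is selected for encryption")
        elif acl not in cfg["acls"]:
            findings.append(f"{label}: match address ACL {acl} is not defined")
        for ts in entry.get("transform_sets", []):
            if ts not in cfg["transform_sets"]:
                findings.append(f"{label}: transform-set {ts} is not defined")
        if not entry.get("peers"):
            findings.append(f"{label}: no peer configured")
        for peer in entry.get("peers", []):
            tg = cfg["tunnel_groups"].get(peer)
            if tg is None or tg["type"] != "ipsec-l2l":
                findings.append(f"{label}: peer {peer} has no ipsec-l2l tunnel-group")
            elif not tg["psk"]:
                findings.append(f"{label}: tunnel-group {peer} has no ikev1 pre-shared-key")
    for name, tg in sorted(cfg["tunnel_groups"].items()):
        if tg["policy"] and tg["policy"] not in cfg["group_policies"]:
            findings.append(f"tunnel-group {name}: default-group-policy {tg['policy']} is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_l2l(SAMPLE_CONFIG):
        print(finding)
```

On the constructed fragment this reports three findings: seq 23 selects no traffic, its peer's tunnel-group has no pre-shared key, and that tunnel-group points at a group-policy that does not exist. A clean result does not prove the tunnel passes traffic (NAT exemption and routing are outside this check), but it rules out the class of reference errors named in the reply before you start reading encaps/decaps counters.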