Topic '[Config] site to site VPN issues using Cisco ASA 5500 to Router' in forum 'Cisco' - dslreports.com

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Sat, 20 Dec 2008 14:57:33 EDT

atlas01 posted : Thanks for the heads up. I realized that PFS was a issue between the two devices after many hours of trouble shooting :)

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Fri, 19 Dec 2008 03:22:34 EDT

thejipster posted : FYI, I know you have solved this issue. This is mainly for other who run into this issue in the future.
IPSEC router has pfs disabled by default.

Problem is that Cisco IOS IPSEC router will be able to accept PFS from the peer even if PFS is disabled.

But if ASA has PFS enabled, IPSEC router will fail the IPSEC negotiation since ASA will reject the IPSEC negotiation.

That explains the one-directional IPSEC setup issue.

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Mon, 17 Nov 2008 11:24:53 EDT

atlas01 posted : It was a issue with my connection renewing the lease on the IP.

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Sat, 15 Nov 2008 13:01:52 EDT

kubaff posted :
sorry...

sh crypto ipsec sa

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Sat, 15 Nov 2008 12:52:14 EDT

kubaff posted : Ran the CLEAR CRYPTO IPSEC SA

Could you display

- sh crypto isakmp sa
- sh crypto isakmp ipsec

You could be having issues with IPSEC;

- debug crypto ipsec

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Thu, 13 Nov 2008 09:57:25 EDT

atlas01 posted : kubaff,

I did something similar but used extended ACL's since standard didn't allow for the source IP to be listed:

access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any

I actually got the whole thing to work at one point last night by setting 'set pfs group1' to 'crypto map CLIENTMAP 1 ipsec-isakmp' but then I changed something when cleaning up and broke it. Slightly frustrating...

Here's the most recent config for the router:

version 12.4service timestamps debug datetime msecservice timestamps log datetimeservice password-encryption!hostname 3725router!boot-start-markerboot system flash:/c3725-adventerprisek9-mz.124-21.binboot-end-marker!logging buffered 8192 debugginglogging console informationalenable secret 5 $1$BUZ8$sNjxnHHht1NP3co5Vkj2o0!aaa new-model!!aaa authentication login default localaaa authentication ppp default localaaa authorization exec default local aaa authorization network default local !aaa session-id commonclock timezone EST -5clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00network-clock-participate slot 1 network-clock-participate slot 2 no ip source-route!ip traffic-export profile IDS-SNORT  interface FastEthernet0/0  bidirectional  mac-address 000c.2989.f93aip cef!!no ip dhcp use vrf connectedip dhcp excluded-address 172.16.2.1ip dhcp excluded-address 172.16.3.1!ip dhcp pool VLAN2clients   network 172.16.2.0 255.255.255.0   default-router 172.16.2.1    option 66 ip 172.16.2.10    option 150 ip 172.16.2.10    dns-server 68.87.74.162 68.87.68.162 68.87.73.242 !ip dhcp pool VLAN3clients   network 172.16.3.0 255.255.255.0   default-router 172.16.3.1    dns-server 68.87.74.162 68.87.68.162 68.87.73.242 !ip dhcp pool DEBIAN   host 172.16.2.6 255.255.255.0   hardware-address 0004.e29c.4345!!ip domain name neocipher.netip name-server 68.87.74.162ip name-server 68.87.68.162ip inspect udp idle-time 900ip inspect name SDM_LOW cuseemeip inspect name SDM_LOW dnsip inspect name SDM_LOW ftpip inspect name SDM_LOW h323ip inspect name SDM_LOW httpsip inspect name SDM_LOW icmpip inspect name SDM_LOW netshowip inspect name SDM_LOW rcmdip inspect name SDM_LOW realaudioip inspect name SDM_LOW rtspip inspect name SDM_LOW sqlnetip inspect name SDM_LOW streamworksip inspect name SDM_LOW tftpip inspect name SDM_LOW tcpip inspect name SDM_LOW udpip inspect name SDM_LOW vdoliveip inspect name SDM_LOW imapip inspect name SDM_LOW pop3ip inspect name SDM_LOW esmtpip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3ip ips sdf location flash://256MB.sdfip ips notify SDEEip ips name sdm_ips_rulevpdn enable!!!crypto isakmp policy 3 encr 3des authentication pre-share group 2!crypto isakmp policy 10 authentication pre-sharecrypto isakmp key key address 2.2.2.2 no-xauthcrypto isakmp key key address 10.0.0.2 no-xauth!crypto isakmp client configuration group VPN-Users key key dns 68.87.74.162 68.87.68.162 domain neocipher.net pool VPN_POOL acl 115 include-local-lan netmask 255.255.255.0crypto isakmp profile IKE-PROFILE   match identity group VPN-Users   client authentication list default   isakmp authorization list default   client configuration address initiate   client configuration address respond   virtual-template 1!!crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  mode transport!crypto ipsec profile IPSEC_PROFILE1 set transform-set ESP-3DES-SHA  set isakmp-profile IKE-PROFILE!!crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA !!crypto map CLIENTMAP client authentication list defaultcrypto map CLIENTMAP isakmp authorization list defaultcrypto map CLIENTMAP client configuration address respondcrypto map CLIENTMAP 1 ipsec-isakmp  set peer 2.2.2.2 set transform-set ESP-3DES-SHA  set pfs group1 match address 100crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP !!!!interface Loopback0 ip address 192.168.0.1 255.255.255.0 no ip unreachables ip virtual-reassembly!interface Tunnel0 description HE.net no ip address ipv6 address 2001:470:1F06:3B6::2/64 ipv6 enable tunnel source 78.18.222.115 tunnel destination 209.51.161.14 tunnel mode ipv6ip!interface Null0 no ip unreachables!interface FastEthernet0/0 description $ETH-WAN$$FW_OUTSIDE$ ip address dhcp client-id FastEthernet0/0 hostname 3725router ip access-group 104 in no ip unreachables ip nat outside ip inspect SDM_LOW out ip ips sdm_ips_rule in ip virtual-reassembly duplex auto speed auto crypto map CLIENTMAP!interface Serial0/0 description $FW_OUTSIDE$ ip address 10.0.0.1 255.255.240.0 ip access-group 105 in ip verify unicast reverse-path no ip unreachables ip inspect SDM_LOW out ip virtual-reassembly clock rate 2000000 crypto map CLIENTMAP!interface FastEthernet0/1 no ip address no ip unreachables ip virtual-reassembly duplex auto speed auto!interface FastEthernet0/1.2 description $FW_INSIDE$ encapsulation dot1Q 2 ip address 172.16.2.1 255.255.255.0 ip access-group 101 in no ip unreachables ip nat inside ip virtual-reassembly ipv6 address 2001:470:880D::1/64 ipv6 enable!interface FastEthernet0/1.3 description $FW_INSIDE$ encapsulation dot1Q 3 ip address 172.16.3.1 255.255.255.0 ip access-group 102 in no ip unreachables ip virtual-reassembly!interface FastEthernet0/1.10!interface Serial0/1 no ip address no ip unreachables shutdown clock rate 2000000!interface Virtual-Template1 type tunnel description $FW_INSIDE$ ip unnumbered Loopback0 ip access-group 103 in no ip unreachables ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC_PROFILE1!ip local pool VPN_POOL 192.168.0.100 192.168.0.105ip forward-protocol ndip route 172.16.10.0 255.255.255.0 10.0.0.2ip route 172.31.12.0 255.255.255.0 74.245.61.45!!ip http serverip http authentication localip http secure-serverip http timeout-policy idle 600 life 86400 requests 10000ip nat translation udp-timeout 900ip nat inside source list 150 interface FastEthernet0/0 overload!logging trap debugginglogging origin-id hostnamelogging 172.16.2.6access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255access-list 101 remark SDM_ACL Category=17access-list 101 permit ahp any host 172.16.2.1access-list 101 permit esp any host 172.16.2.1access-list 101 permit udp any host 172.16.2.1 eq isakmpaccess-list 101 permit udp any host 172.16.2.1 eq non500-isakmpaccess-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 101 deny   ip 10.0.0.0 0.0.15.255 any logaccess-list 101 deny   ip 192.168.0.0 0.0.0.255 any logaccess-list 101 deny   ip 172.16.3.0 0.0.0.255 any logaccess-list 101 deny   ip host 255.255.255.255 any logaccess-list 101 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 101 deny   tcp any any range 1 chargen logaccess-list 101 deny   tcp any any eq whois logaccess-list 101 deny   tcp any any eq 93 logaccess-list 101 deny   tcp any any range 135 139 logaccess-list 101 deny   tcp any any eq 445 logaccess-list 101 deny   tcp any any range exec 518 logaccess-list 101 deny   tcp any any eq uucp logaccess-list 101 permit ip any anyaccess-list 102 deny   ip 172.16.2.0 0.0.0.255 any logaccess-list 102 deny   ip 10.0.0.0 0.0.15.255 any logaccess-list 102 deny   ip 192.168.0.0 0.0.0.255 any logaccess-list 102 deny   ip host 255.255.255.255 any logaccess-list 102 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 102 permit ip any anyaccess-list 103 deny   ip 172.16.2.0 0.0.0.255 anyaccess-list 103 deny   ip 10.0.0.0 0.0.15.255 anyaccess-list 103 deny   ip 172.16.3.0 0.0.0.255 anyaccess-list 103 deny   ip host 255.255.255.255 anyaccess-list 103 deny   ip 127.0.0.0 0.255.255.255 anyaccess-list 103 permit ip any anyaccess-list 104 remark SDM_ACL Category=17access-list 104 permit udp host 205.152.132.23 eq domain anyaccess-list 104 permit udp host 205.152.144.23 eq domain anyaccess-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntpaccess-list 104 permit ahp any anyaccess-list 104 permit esp any anyaccess-list 104 permit 41 any anyaccess-list 104 permit udp any any eq isakmpaccess-list 104 permit udp any any eq non500-isakmpaccess-list 104 deny   ip 10.0.0.0 0.0.15.255 any logaccess-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 104 deny   ip 172.16.2.0 0.0.0.255 any logaccess-list 104 deny   ip 192.168.0.0 0.0.0.255 any logaccess-list 104 deny   ip 172.16.3.0 0.0.0.255 any logaccess-list 104 permit udp any eq bootps any eq bootpcaccess-list 104 permit icmp any any echo-replyaccess-list 104 permit icmp any any time-exceededaccess-list 104 permit icmp any any unreachableaccess-list 104 permit icmp any any echoaccess-list 104 deny   icmp any any mask-request logaccess-list 104 deny   icmp any any redirect logaccess-list 104 deny   ip 10.0.0.0 0.255.255.255 any logaccess-list 104 deny   ip 172.16.0.0 0.15.255.255 any logaccess-list 104 deny   ip 192.168.0.0 0.0.255.255 any logaccess-list 104 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 104 deny   ip 224.0.0.0 15.255.255.255 any logaccess-list 104 deny   ip host 255.255.255.255 any logaccess-list 104 deny   tcp any any range 6000 6063 logaccess-list 104 deny   tcp any any eq 6667 logaccess-list 104 deny   tcp any any range 12345 12346 logaccess-list 104 deny   tcp any any eq 31337 logaccess-list 104 deny   udp any any eq 2049 logaccess-list 104 deny   udp any any eq 31337 logaccess-list 104 deny   udp any any range 33400 34400 logaccess-list 104 deny   ip any any logaccess-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntpaccess-list 105 permit ahp host 10.0.0.2 host 10.0.0.1access-list 105 permit esp host 10.0.0.2 host 10.0.0.1access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmpaccess-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmpaccess-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftpaccess-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslogaccess-list 105 deny   ip 172.16.2.0 0.0.0.255 anyaccess-list 105 deny   ip 192.168.0.0 0.0.0.255 anyaccess-list 105 deny   ip 172.16.3.0 0.0.0.255 anyaccess-list 105 permit icmp any host 10.0.0.1 echo-replyaccess-list 105 permit icmp any host 10.0.0.1 time-exceededaccess-list 105 permit icmp any host 10.0.0.1 unreachableaccess-list 105 deny   ip 10.0.0.0 0.255.255.255 anyaccess-list 105 deny   ip 172.16.0.0 0.15.255.255 anyaccess-list 105 deny   ip 192.168.0.0 0.0.255.255 anyaccess-list 105 deny   ip 127.0.0.0 0.255.255.255 anyaccess-list 105 deny   ip host 255.255.255.255 anyaccess-list 105 deny   ip host 0.0.0.0 anyaccess-list 105 deny   ip any any logaccess-list 115 permit ip 172.16.0.0 0.0.255.255 anyaccess-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255access-list 120 permit ip 172.16.0.0 0.0.255.255 anyaccess-list 150 deny   ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255access-list 150 permit ip 172.16.2.0 0.0.0.255 anyaccess-list 150 permit ip 172.16.3.0 0.0.0.255 any

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Thu, 13 Nov 2008 02:13:23 EDT

kubaff posted : It's all in the NATing. I had a similar situation between a PIX and 2811

You need to make sure that the INTERESTING TRAFFIC in EXCLUDED from the Global NAT statement. In addition the "reverse" ACL (10) attached to the Crypto map.

access-list 10 permit 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 10 permit 172.16.3.0 0.0.0.255 172.31.12.0 0.0.0.255

crypto map CLIENTMAP 1 ipsec-isakmp
set peer 1.1.1.1
set transform-set ESP-3DES-SHA
match address 10

access-list 11 deny 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 11 deny 172.16.3.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 11 permit 172.16.2.0 0.0.0.255 any
access-list 11 permit 172.16.3.0 0.0.0.255 any

ip nat inside source list 11 interface FastEthernet0/0 overload

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Wed, 12 Nov 2008 09:26:29 EDT

atlas01 posted : I've been able to connect to the ASA to other ASA and PIX devices but not to the router. I imagine is something like a ACL issue or something I'm missing. Thanks for the links though.

I'm assuming since the ASA side can initiate the connection that there is a problem with the router side of things.

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Wed, 12 Nov 2008 09:21:56 EDT

aryoba posted : There is this forum FAQ link providing IPSec tunnel sample configuration between PIX (or ASA) and router.

»Cisco Forum FAQ »Various Site-to-Site IPSec VPN: Cisco, Juniper, Checkpoint, Sonicwall, Zywall

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Wed, 12 Nov 2008 08:47:00 EDT

atlas01 posted : kubaff,

I changed the ACL for NAT as you mentioned to the following extended ACL's but it still didn't work:

access-list 150 deny   ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255access-list 150 permit ip 172.16.2.0 0.0.0.255 any

Any other ideas?

Re: [Config] site to site VPN issues using Cisco ASA 5500 to Rou

Wed, 12 Nov 2008 04:36:22 EDT

kubaff posted : you need to EXCLUDE the INTERESTING traffic from being NAT'd on the router. Use an extended AccessList and make sure it's the FIRST ACL to be processed

ip nat inside source list 1 interface FastEthernet0/0 overload

# access-list 1 permit 172.16.2.0 0.0.0.255
# access-list 1 permit 172.16.3.0 0.0.0.255

Change ACL to

access-list xx deny 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list xx deny 172.16.3.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list xx permit 172.16.2.0 0.0.0.255 any
access-list xx permit 172.16.3.0 0.0.0.255 any

ip nat inside source list x interface FastEthernet0/0 overload

[Config] site to site VPN issues using Cisco ASA 5500 to Router

Tue, 11 Nov 2008 20:57:46 EDT

atlas01 posted : Hey everyone I've been having a bit of a snag when trying to connect to point via VPN. One end is a ASA5505 and the other is a 3725 router. The network on the router side I'm trying to access is 172.16.2.x and on the ASA side 172.31.12.x.

I am able to initiate the connection from the ASA side but not from the router side. I am unable to transfer any data between to two hosts:

# sh crypto isakmp sa    Active SA: 2    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA duringrekey)Total IKE SA: 2 1   IKE Peer: x.x.x.x.    Type    : user            Role    : responder    Rekey   : no              State   : AM_ACTIVE2   IKE Peer: x.x.x.x    Type    : L2L             Role    : initiator    Rekey   : no              State   : MM_ACTIVE #sh crypto isakmp sadst             src             state          conn-id slot statusx.x.x.x   x.x.x.x    QM_IDLE              1    0 ACTIVE

There no pong to my ping requests though. Also I've tried other services that fail. Here are my configurations. If anyone see's anything wrong feel free to let me know :-).

router

 !! Last configuration change at 18:42:49 EST Tue Nov 11 2008 by rsreese! NVRAM config last updated at 18:32:07 EST Tue Nov 11 2008 by rsreese!version 12.4service timestamps debug datetime msecservice timestamps log datetimeservice password-encryption!hostname 3725router!boot-start-markerboot system flash:/c3725-adventerprisek9-mz.124-21.binboot-end-marker!logging buffered 8192 debugginglogging console informationalenable secret 5 !aaa new-model!!aaa authentication login default localaaa authentication ppp default localaaa authorization exec default local aaa authorization network default local !aaa session-id commonclock timezone EST -5clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00network-clock-participate slot 1 network-clock-participate slot 2 no ip source-route!ip traffic-export profile IDS-SNORT  interface FastEthernet0/0  bidirectional  mac-address 000c.2989.f93aip cef!!no ip dhcp use vrf connectedip dhcp excluded-address 172.16.2.1ip dhcp excluded-address 172.16.3.1!ip dhcp pool VLAN2clients   network 172.16.2.0 255.255.255.0   default-router 172.16.2.1    option 66 ip 172.16.2.10    option 150 ip 172.16.2.10    dns-server 68.87.74.162 68.87.68.162 68.87.73.242 !ip dhcp pool VLAN3clients   network 172.16.3.0 255.255.255.0   default-router 172.16.3.1    dns-server 68.87.74.162 68.87.68.162 68.87.73.242 !ip dhcp pool DEBIAN   host 172.16.2.6 255.255.255.0   hardware-address 0004.e29c.4345!!ip domain name neocipher.netip name-server 68.87.74.162ip name-server 68.87.68.162ip inspect udp idle-time 900ip inspect name SDM_LOW cuseemeip inspect name SDM_LOW dnsip inspect name SDM_LOW ftpip inspect name SDM_LOW h323ip inspect name SDM_LOW httpsip inspect name SDM_LOW icmpip inspect name SDM_LOW netshowip inspect name SDM_LOW rcmdip inspect name SDM_LOW realaudioip inspect name SDM_LOW rtspip inspect name SDM_LOW sqlnetip inspect name SDM_LOW streamworksip inspect name SDM_LOW tftpip inspect name SDM_LOW tcpip inspect name SDM_LOW udpip inspect name SDM_LOW vdoliveip inspect name SDM_LOW imapip inspect name SDM_LOW pop3ip inspect name SDM_LOW esmtpip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3ip ips sdf location flash://256MB.sdfip ips notify SDEEip ips name sdm_ips_rulevpdn enable!!!!!!!!!!!ip ssh authentication-retries 2! !crypto isakmp policy 3 encr 3des authentication pre-share group 2!crypto isakmp policy 10 authentication pre-sharecrypto isakmp key  address 1.1.1.1 no-xauthcrypto isakmp key  address 10.0.0.2 no-xauth!crypto isakmp client configuration group VPN-Users key  dns 68.87.74.162 68.87.68.162 domain neocipher.net pool VPN_POOL acl 115 include-local-lan netmask 255.255.255.0crypto isakmp profile IKE-PROFILE   match identity group VPN-Users   client authentication list default   isakmp authorization list default   client configuration address initiate   client configuration address respond   virtual-template 1!!crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac  mode transport!crypto ipsec profile IPSEC_PROFILE1 set transform-set ESP-3DES-SHA  set isakmp-profile IKE-PROFILE!!crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA !!crypto map CLIENTMAP client authentication list defaultcrypto map CLIENTMAP isakmp authorization list defaultcrypto map CLIENTMAP client configuration address respondcrypto map CLIENTMAP 1 ipsec-isakmp  set peer 1.1.1.1 set transform-set ESP-3DES-SHA  match address 100crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP !!!!interface Loopback0 ip address 192.168.0.1 255.255.255.0 no ip unreachables ip virtual-reassembly!interface Tunnel0 description HE.net no ip address ipv6 address 2001:470:1F06:3B6::2/64 ipv6 enable tunnel source  tunnel destination 209.51.161.14 tunnel mode ipv6ip!interface Null0 no ip unreachables!interface FastEthernet0/0 description $ETH-WAN$$FW_OUTSIDE$ ip address dhcp client-id FastEthernet0/0 hostname 3725router ip access-group 104 in no ip unreachables ip nat outside ip inspect SDM_LOW out ip ips sdm_ips_rule in ip virtual-reassembly duplex auto speed auto crypto map CLIENTMAP!interface Serial0/0 description $FW_OUTSIDE$ ip address 10.0.0.1 255.255.240.0 ip access-group 105 in ip verify unicast reverse-path no ip unreachables ip inspect SDM_LOW out ip virtual-reassembly clock rate 2000000 crypto map CLIENTMAP!interface FastEthernet0/1 no ip address no ip unreachables ip virtual-reassembly duplex auto speed auto!interface FastEthernet0/1.2 description $FW_INSIDE$ encapsulation dot1Q 2 ip address 172.16.2.1 255.255.255.0 ip access-group 101 in no ip unreachables ip nat inside ip virtual-reassembly ipv6 address  ipv6 enable!interface FastEthernet0/1.3 description $FW_INSIDE$ encapsulation dot1Q 3 ip address 172.16.3.1 255.255.255.0 ip access-group 102 in no ip unreachables ip nat inside ip virtual-reassembly!interface FastEthernet0/1.10!interface Serial0/1 no ip address no ip unreachables shutdown clock rate 2000000!interface Virtual-Template1 type tunnel description $FW_INSIDE$ ip unnumbered Loopback0 ip access-group 103 in no ip unreachables ip virtual-reassembly tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC_PROFILE1!ip local pool VPN_POOL 192.168.0.100 192.168.0.105ip forward-protocol ndip route 172.16.10.0 255.255.255.0 10.0.0.2ip route 172.31.12.0 255.255.255.0 1.1.1.1!!ip http serverip http authentication localip http secure-serverip http timeout-policy idle 600 life 86400 requests 10000ip nat translation udp-timeout 900ip nat inside source list 1 interface FastEthernet0/0 overload!logging trap debugginglogging origin-id hostnamelogging 172.16.2.6access-list 1 permit 172.16.2.0 0.0.0.255access-list 1 permit 172.16.3.0 0.0.0.255access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255access-list 101 remark SDM_ACL Category=17access-list 101 permit ahp any host 172.16.2.1access-list 101 permit esp any host 172.16.2.1access-list 101 permit udp any host 172.16.2.1 eq isakmpaccess-list 101 permit udp any host 172.16.2.1 eq non500-isakmpaccess-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 101 deny   ip 10.0.0.0 0.0.15.255 any logaccess-list 101 deny   ip 192.168.0.0 0.0.0.255 any logaccess-list 101 deny   ip 172.16.3.0 0.0.0.255 any logaccess-list 101 deny   ip host 255.255.255.255 any logaccess-list 101 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 101 deny   tcp any any range 1 chargen logaccess-list 101 deny   tcp any any eq whois logaccess-list 101 deny   tcp any any eq 93 logaccess-list 101 deny   tcp any any range 135 139 logaccess-list 101 deny   tcp any any eq 445 logaccess-list 101 deny   tcp any any range exec 518 logaccess-list 101 deny   tcp any any eq uucp logaccess-list 101 permit ip any anyaccess-list 102 deny   ip 172.16.2.0 0.0.0.255 any logaccess-list 102 deny   ip 10.0.0.0 0.0.15.255 any logaccess-list 102 deny   ip 192.168.0.0 0.0.0.255 any logaccess-list 102 deny   ip host 255.255.255.255 any logaccess-list 102 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 102 permit ip any anyaccess-list 103 deny   ip 172.16.2.0 0.0.0.255 anyaccess-list 103 deny   ip 10.0.0.0 0.0.15.255 anyaccess-list 103 deny   ip 172.16.3.0 0.0.0.255 anyaccess-list 103 deny   ip host 255.255.255.255 anyaccess-list 103 deny   ip 127.0.0.0 0.255.255.255 anyaccess-list 103 permit ip any anyaccess-list 104 permit udp host 205.152.132.23 eq domain anyaccess-list 104 permit udp host 205.152.144.23 eq domain anyaccess-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntpaccess-list 104 permit ahp any anyaccess-list 104 permit esp any anyaccess-list 104 permit udp any any eq isakmpaccess-list 104 permit udp any any eq non500-isakmpaccess-list 104 deny   ip 10.0.0.0 0.0.15.255 any logaccess-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 104 deny   ip 172.16.2.0 0.0.0.255 any logaccess-list 104 deny   ip 192.168.0.0 0.0.0.255 any logaccess-list 104 deny   ip 172.16.3.0 0.0.0.255 any logaccess-list 104 permit udp any eq bootps any eq bootpcaccess-list 104 permit icmp any any echo-replyaccess-list 104 permit icmp any any time-exceededaccess-list 104 permit icmp any any unreachableaccess-list 104 deny   icmp any any echo logaccess-list 104 deny   icmp any any mask-request logaccess-list 104 deny   icmp any any redirect logaccess-list 104 deny   ip 10.0.0.0 0.255.255.255 any logaccess-list 104 deny   ip 172.16.0.0 0.15.255.255 any logaccess-list 104 deny   ip 192.168.0.0 0.0.255.255 any logaccess-list 104 deny   ip 127.0.0.0 0.255.255.255 any logaccess-list 104 deny   ip 224.0.0.0 15.255.255.255 any logaccess-list 104 deny   ip host 255.255.255.255 any logaccess-list 104 deny   tcp any any range 6000 6063 logaccess-list 104 deny   tcp any any eq 6667 logaccess-list 104 deny   tcp any any range 12345 12346 logaccess-list 104 deny   tcp any any eq 31337 logaccess-list 104 deny   udp any any eq 2049 logaccess-list 104 deny   udp any any eq 31337 logaccess-list 104 deny   udp any any range 33400 34400 logaccess-list 104 deny   ip any any logaccess-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntpaccess-list 105 permit ahp host 10.0.0.2 host 10.0.0.1access-list 105 permit esp host 10.0.0.2 host 10.0.0.1access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmpaccess-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmpaccess-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftpaccess-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslogaccess-list 105 deny   ip 172.16.2.0 0.0.0.255 anyaccess-list 105 deny   ip 192.168.0.0 0.0.0.255 anyaccess-list 105 deny   ip 172.16.3.0 0.0.0.255 anyaccess-list 105 permit icmp any host 10.0.0.1 echo-replyaccess-list 105 permit icmp any host 10.0.0.1 time-exceededaccess-list 105 permit icmp any host 10.0.0.1 unreachableaccess-list 105 deny   ip 10.0.0.0 0.255.255.255 anyaccess-list 105 deny   ip 172.16.0.0 0.15.255.255 anyaccess-list 105 deny   ip 192.168.0.0 0.0.255.255 anyaccess-list 105 deny   ip 127.0.0.0 0.255.255.255 anyaccess-list 105 deny   ip host 255.255.255.255 anyaccess-list 105 deny   ip host 0.0.0.0 anyaccess-list 105 deny   ip any any logaccess-list 115 permit ip 172.16.0.0 0.0.255.255 anyaccess-list 120 deny   ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255access-list 120 permit ip 172.16.0.0 0.0.255.255 anysnmp-server community public ROipv6 route 2001:470:1F07:3B6::/64 FastEthernet0/1.2ipv6 route ::/0 Tunnel0!!!!control-plane!!!!!!!!!!line con 0line aux 0line vty 0 4 password 7  transport input sshline vty 5 903 transport input ssh!ntp clock-period 17180644ntp server 129.6.15.29 source FastEthernet0/0 prefer!end

ASA

: Saved:ASA Version 7.2(4) !hostname bambamdomain-name neocipher.netenable password asfsdf encryptedpasswd asdfasdfasd encryptednames!interface Vlan1 nameif inside security-level 100 ip address 172.31.12.1 255.255.255.0 !interface Vlan2 nameif outside security-level 0 pppoe client vpdn group ppoe ip address pppoe setroute !interface Ethernet0/0 switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!ftp mode passivedns server-group DefaultDNS domain-name neocipher.netaccess-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.0.0 255.255.0.0 access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0 access-list nonat extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0 access-list nonat extended permit ip 172.31.12.0 255.255.255.0 192.168.10.96 255.255.255.240 access-list nonat extended permit ip any 192.168.10.96 255.255.255.240 access-list VPNUSERS_splitTunnelAcl standard permit 172.31.12.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.31.1.0 255.255.255.0 access-list outside_3_cryptomap extended permit ip 172.31.12.0 255.255.255.0 172.16.2.0 255.255.255.0 access-list VPNUSERS_splitTunnelAcl_1 standard permit 172.31.12.0 255.255.255.0 pager lines 24logging enablelogging asdm informationalmtu inside 1500mtu outside 1500ip local pool vpn-pool 192.168.10.100-192.168.10.110 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1asdm image disk0:/asdm-524.binno asdm history enablearp timeout 14400global (outside) 1 interfacenat (inside) 0 access-list nonatnat (inside) 1 0.0.0.0 0.0.0.0timeout xlate 3:00:00timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absoluteaaa authentication ssh console LOCAL http server enablehttp 0.0.0.0 0.0.0.0 insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstartcrypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac crypto dynamic-map outside_dyn_map 20 set pfs group1crypto dynamic-map outside_dyn_map 20 set transform-set 3DES-SHAcrypto dynamic-map outside_dyn_map 40 set pfs group1crypto dynamic-map outside_dyn_map 40 set transform-set 3DES-SHAcrypto dynamic-map outside_dyn_map 60 set pfs group1crypto dynamic-map outside_dyn_map 60 set transform-set 3DES-SHAcrypto dynamic-map outside_dyn_map 80 set pfs group1crypto dynamic-map outside_dyn_map 80 set transform-set 3DES-SHAcrypto map outside_map 2 match address outside_2_cryptomapcrypto map outside_map 2 set pfs group1crypto map outside_map 2 set peer X.X.X.X crypto map outside_map 2 set transform-set 3DES-SHAcrypto map outside_map 3 match address outside_3_cryptomapcrypto map outside_map 3 set pfs group1crypto map outside_map 3 set peer 2.2.2.2 crypto map outside_map 3 set transform-set 3DES-SHAcrypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_mapcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400crypto isakmp policy 30 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400crypto isakmp nat-traversal  20telnet timeout 5ssh 0.0.0.0 0.0.0.0 insidessh 0.0.0.0 0.0.0.0 outsidessh timeout 5console timeout 0!dhcpd address 172.31.12.5-172.31.12.36 insidedhcpd dns 205.152.144.23 205.152.150.23 interface insidedhcpd enable inside! group-policy VPNUSERS internalgroup-policy VPNUSERS attributes dns-server value 205.152.144.23 vpn-tunnel-protocol IPSec  split-tunnel-policy tunnelspecified split-tunnel-network-list value VPNUSERS_splitTunnelAcl_1username ashields password asdfasdfads encrypted privilege 15username ashields attributes vpn-group-policy VPNUSERStunnel-group VPNUSERS type ipsec-ratunnel-group VPNUSERS general-attributes address-pool vpn-pool default-group-policy VPNUSERStunnel-group VPNUSERS ipsec-attributes pre-shared-key *tunnel-group X.X.X.X type ipsec-l2ltunnel-group X.X.X.X ipsec-attributes pre-shared-key *tunnel-group 2.2.2.2 type ipsec-l2ltunnel-group 2.2.2.2 ipsec-attributes pre-shared-key *!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum 512policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny   inspect sunrpc   inspect xdmcp   inspect sip   inspect netbios   inspect tftp !service-policy global_policy globalprompt hostname context Cryptochecksum:de5d70ccd8ab55620d371d9c63bfcfb1: endasdm image disk0:/asdm-524.binasdm location 172.31.1.0 255.255.255.0 insideno asdm history enable