我在新的站点到站点 VPN 上没有看到任何方向的流量。(另外两个很好)我看不出有什么问题。
:
ASA Version 9.2(4)13
!
hostname wss
domain-name xxxxxxxxxxxx.com
enable password qJtG/3webvseVHy/m encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.xxx.xxx.250 255.255.255.248
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxxxxxx.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network 209.xxx.xxx.249
host 209.xxx.xxx.249
object network NETWORK_OBJ_10.100.100.0_24
subnet 10.100.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.100.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.0.0_24 NETWORK_OBJ_192.168.0.0_24 destination static NETWORK_OBJ_10.100.100.0_24 NETWORK_OBJ_10.100.100.0_24 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 209.xxx.xxx.249 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 71.xxx.xxx.34
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.0.20-192.168.0.70 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_71.xxx.xxx.34 internal
group-policy GroupPolicy_71.xxx.xxx.34 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 71.xxx.xxx.34 type ipsec-l2l
tunnel-group 71.xxx.xxx.34 general-attributes
default-group-policy GroupPolicy_71.xxx.xxx.34
tunnel-group 71.xxx.xxx.34 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a50bb6e11ewrgertgba5362d09896cd2
: end
这是另一面:
:
: Serial Number: JMXXXXXX03M
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)13
!
hostname ortho
domain-name xxxxxxxxxx.com
enable password y4Cbeg45a6TNeJj encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd lWz.HrbgH8Pg2vLY encrypted
names
ip local pool mypool 192.168.19.10-192.168.19.20 mask 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.100.252 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 71.xxx.xxx.34 255.255.255.248
!
boot system disk0:/asa924-13-k8.bin
boot system disk0:/asa924-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name xxxxxxxx.com
same-security-traffic permit intra-interface
object network obj-10.100.100.0
subnet 10.100.100.0 255.255.255.0
object network obj-10.100.101.0
subnet 10.100.101.0 255.255.255.0
object network obj-192.168.19.0
subnet 192.168.19.0 255.255.255.0
object network obj-192.168.20.0
subnet 192.168.20.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-10.100.200.0
subnet 10.100.200.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.32_27
subnet 192.168.1.32 255.255.255.224
object network NETWORK_OBJ_192.168.19.0_27
subnet 192.168.19.0 255.255.255.224
object network NETWORK_OBJ_10.100.100.0_24
subnet 10.100.100.0 255.255.255.0
object network 192.168.19.0
subnet 192.168.19.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object-group service allowedports tcp
port-object eq https
port-object eq smtp
port-object eq www
access-list tovergennes extended permit ip 10.100.100.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list nonat extended permit ip 10.100.100.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list nonat extended permit ip 10.100.100.0 255.255.255.0 object 192.168.19.0
access-list nonat extended permit ip 10.100.100.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list split standard permit 10.100.100.0 255.255.255.0
access-list split standard permit 10.100.200.0 255.255.255.0
access-list split standard permit 10.100.101.0 255.255.255.0
access-list allowin extended permit gre any4 any4
access-list allowin extended permit ip object obj-10.100.100.0 object obj-192.168.19.0
access-list outside_cryptomap_30 extended permit ip 10.100.100.0 255.255.255.0 10.100.200.0 255.255.255.0
access-list inside_access_out extended deny tcp 10.100.100.0 255.255.255.0 any eq smtp
access-list outside_cryptomap_2 extended permit ip 10.100.100.0 255.255.255.0 192.168.0.0 255.255.255.0
no pager
logging enable
logging buffered debugging
logging asdm notifications
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static obj-10.100.100.0 obj-10.100.100.0 destination static obj-10.100.101.0 obj-10.100.101.0 no-proxy-arp
nat (inside,any) source static obj-10.100.100.0 obj-10.100.100.0 destination static 192.168.19.0 192.168.19.0 no-proxy-arp
nat (inside,any) source static obj-10.100.100.0 obj-10.100.100.0 destination static obj-192.168.19.0 obj-192.168.19.0 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.100.100.0 obj-10.100.100.0 destination static obj-192.168.20.0 obj-192.168.20.0 no-proxy-arp
nat (inside,any) source static obj-10.100.100.0 obj-10.100.100.0 destination static obj-10.100.200.0 obj-10.100.200.0 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.1.32_27 NETWORK_OBJ_192.168.1.32_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.100.100.0_24 NETWORK_OBJ_10.100.100.0_24 destination static NETWORK_OBJ_192.168.19.0_27 NETWORK_OBJ_192.168.19.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_out out interface inside
access-group allowin in interface outside
route outside 0.0.0.0 0.0.0.0 71.xxx.xxx.33 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable 5555
http 10.100.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal myset
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
protocol esp encryption aes
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
protocol esp encryption aes-192
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
protocol esp encryption aes-256
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
protocol esp encryption des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
protocol esp encryption des
protocol esp integrity md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-
SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map mymap 1 match address outside_cryptomap_2
crypto map mymap 1 set peer 209.xxx.xxx.250
crypto map mymap 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map mymap 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256 myset ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA
crypto map mymap 20 match address toes
crypto map mymap 20 set peer 64.xxx.xxx.145
crypto map mymap 20 set ikev1 transform-set myset
crypto map mymap 20 set ikev2 ipsec-proposal myset
crypto map mymap 30 match address outside_cryptomap_30
crypto map mymap 30 set peer 69.xxx.xxx.14
crypto map mymap 30 set ikev1 transform-set myset
crypto map mymap 30 set ikev2 ipsec-proposal myset
crypto map mymap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map mymap interface outside
crypto ca trustpoint VPN
enrollment terminal
subject-name CN=ortho
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=10.100.100.252,CN=ortho
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate 8b2a9757
3082022f 30820198 a0030201 0202048b 2a975730 0d06092a 864886f7 0d010105
0500305c 31133011 06035504 03130a6d 6964646c 65627572 79311730 15060355
0403130e 31302e31 30302e31 30302e32 3532312c 302a0609 2a864886 f70d0109
02161d6d 6964646c 65627572 792e6275 726c696e 67746f6e 64727567 2e636f6d
301e170d 31363037 32393135 31373434 5a170d32 36303732 37313531 3734345a
305c3113 30110603 55040313 0a6d6964 646c6562 75727931 17301506 03550403
130e3130 2e313030 2e313030 2e323532 312c302a 06092a86 4886f70d 01090216
1d6d6964 646c6562 7572792e 6275726c 696e6774 6f6e6472 75672e63 6f6d3081
9f300d06 092a8648 86f70d01 03442eee 03818d00 30818902 818100d1 018faa97
bf6b8ae0 8ce5d37b 5c6f433c c6d70271 f1c1115e 4daa2b7f d1cd2ea7 158aa154
239b4229 d8147393 ec8637e6 d7ff2ccf 6a719c67 764b71ba 0750eb2e b40e18e0
a45899ce 2dcf23b8 91d9684c 2c617a01 3cb98e1c 772daec7 2c996780 f1fa7fe5
b01c22dc a27cbb08 e1353d10 fdf97ba1 1e6a23ed bf92f11e ac956b02 03010001
300d0609 2a864886 f70d0101 05050003 818100ab 76aeb2f2 ccc9d166 3cb2f21a
488b9639 69142eb9 6a2ff4c9 c95abde6 f0ebc4f2 e0e559f1 71fb927e cc208449
86f7a8da fa90fd87 a6b1c2af 032ba70e b3df42bf d2edd591 2f1ee61b c7815f55
d5cd9bab 0b4fce88 a91905dc da035584 e538febd f5413f3b 3508a721 77cb021a
881126e1 9f93508e 3c923447 7f54b12c 1b6a6d
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet 10.100.100.0 255.255.255.255 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-sessiondb max-other-vpn-limit 10
vpn-sessiondb max-anyconnect-premium-or-essentials-limit 2
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address 10.100.100.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.100.101.0 255.255.255.0
threat-detection scanning-threat shun except ip-address 10.100.200.0 255.255.255.0
threat-detection scanning-threat shun duration 3600
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
no anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.14018-k9.pkg 1
anyconnect profiles RemoteAccessIKEv2_client_profile disk0:/RemoteAccessIKEv2_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 120
webvpn
anyconnect ssl keepalive none
anyconnect dpd-interval client none
anyconnect dpd-interval gateway none
anyconnect ssl compression deflate
customization value DfltCustomization
group-policy GroupPolicy_RemoteUsers internal
group-policy GroupPolicy_RemoteUsers attributes
wins-server none
dns-server none
vpn-tunnel-protocol ikev2
default-domain value burlingtondrug.com
group-policy GroupPolicy_RemoteAccessIKEv2 internal
group-policy GroupPolicy_RemoteAccessIKEv2 attributes
wins-server none
dns-server value 10.100.100.4
vpn-tunnel-protocol ikev2 ssl-clientless
default-domain value phsrx.local
webvpn
anyconnect profiles value RemoteAccessIKEv2_client_profile type user
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_209.xxx.xxx.250 internal
group-policy GroupPolicy_209.xxx.xxx.250 attributes
vpn-tunnel-protocol ikev1 ikev2
group-policy marble internal
group-policy marble attributes
wins-server value 10.100.100.4
dns-server value 10.100.100.4
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
username llauf password drnUg2FB/kwVbg5S encrypted
username llauf attributes
service-type nas-prompt
username gregs password SgGYd9kk/N7wNpyb encrypted
username gregs attributes
service-type nas-prompt
username phsrx password LFjGdPBp3.PJH2wz encrypted privilege 15
username kathyd password 0y8FY/jATMgQeSNR encrypted
username kathyd attributes
service-type nas-prompt
username dianeg password ZEpP2RmvIWwlezst encrypted
username dianeg attributes
service-type nas-prompt
username anetap password mjdjyXum3raO74y3 encrypted
username anetap attributes
service-type nas-prompt
username mboise password DHv.i0NLnFnAH2sR encrypted
username mboise attributes
service-type nas-prompt
tunnel-group 64.xxx.xxx.145 type ipsec-l2l
tunnel-group 64.xxx.xxx.145 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group marble type remote-access
tunnel-group marble general-attributes
address-pool mypool
default-group-policy marble
tunnel-group marble ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 69.xxx.xxx.14 type ipsec-l2l
tunnel-group 69.xxx.xxx.14 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 209.xxx.xxx.250 type ipsec-l2l
tunnel-group 209.xxx.xxx.250 general-attributes
default-group-policy GroupPolicy_209.xxx.xxx.250
tunnel-group 209.xxx.xxx.250 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group RemoteAccessIKEv2 type remote-access
tunnel-group RemoteAccessIKEv2 general-attributes
address-pool mypool
default-group-policy GroupPolicy_RemoteAccessIKEv2
tunnel-group RemoteAccessIKEv2 webvpn-attributes
group-alias RemoteAccessIKEv2 enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:74fc0f94854gete59566de608cafc