IT Blogs & News - Written by IT Professionals - iuvo Technologies

HUB and SPOKE VPNs WITH CISCO ASA and ASDM

Written by Edwin Perkins | Mar 12, 2019 7:23:03 PM

After a number of Internet searches, it seems all advice and examples of hub and spoke VPNs using Cisco ASA firewalls are configured from the command line. Folks who manage ASA firewalls using Cisco’s ASDM tool must be out of luck. Well, that is not true, if this is something you need to do, read on.

This post will explain how to setup a hub and spoke VPN between three sites, with one site acting as the hub using ASDM. All configurations will be done with ASDM. Also, each of the three sites will have two sub networks that are passed through the VPN tunnel, to show how that works.

Please note, the network architecture used for this example is designed to illustrate the hub and spoke VPN concept, and probably not the best way to build a WAN. Unless one is certain the remote sites will always be very small, a better approach would be to allocate /16 networks (larger networks that contain multiple sub-networks) to each site on the VPN, and then subdivide them with a layer 3 switch internally. It would keep the firewall rules simpler, and as the number of sites increases, would have a compounding positive effect on the overall VPN configuration.

In this example we have three offices we need to network together. The hub office in Chicago, and two satellite offices in Boston and Phoenix. We will start with configuring the Chicago firewall first, as it is the most complex, and then move on to the satellites. We will also assume the firewalls are already configured and have connectivity to each other through the Internet.

 

Where to Begin

We need some information to begin:

  • The Chicago office has two subnets, VLAN1: 10.0.3.0/24 and VLAN2: 10.0.4.0/24 with a layer 3 switch that has two VLAN interfaces with IP addresses of 10.0.3.1 and 10.0.4.1 and a Cisco ASA firewall with and inside address of 10.0.3.254 and an outside address of 192.168.2.1.
  • The Boston office has two subnets, VLAN1: 10.0.1.0/24 and VLAN2: 10.0.2.0/24 with a layer 3 switch that has two VLAN interfaces with IP addresses of 10.0.1.1 and 10.0.2.1 and a Cisco ASA firewall with and inside address of 10.0.1.254 and an outside address of 192.168.1.1.
  • The Phoenix office has two subnets, VLAN1: 10.0.5.0/24 and VLAN2: 10.0.6.0/24 with a layer 3 switch that has two VLAN interfaces with IP addresses of 10.0.5.1 and 10.0.6.1 and a Cisco ASA firewall with and inside address of 10.0.5.254 and an outside address of 192.168.3.1.
  • Every VPN tunnel needs a share secret password, for Chicago – Boston, we will use “supersecretCB1!” and for Chicago – Phoenix we will use “supersecretCP2!”. For real applications a longer passphrase should be used.

To start we need to create clearly named network objects and network object groups that accurately describe our network. ASDM will automatically create network objects, but it will quickly get confusing which is which, so the time taken at the beginning to manually create these will have a large pay off later. This is the most important step - properly setup network object groups are key to the hub and spoke setup working, and will make future changes MUCH easier.

 

 

From the network diagram above we should create the following Network Objects on every firewall:

  • Host bostonfw 192.168.1.1
  • Host chicagofw 192.168.2.1
  • Host phoenixfw 192.168.3.1
  • Network bostonvlan1 10.0.1.0/24
  • Network bostonvlan2 10.0.2.0/24
  • Network chicagovlan1 10.0.3.0/24
  • Network chicagovlan2 10.0.4.0/24
  • Network phoenixvlan1 10.0.5.0/24
  • Network phonexvlan2 10.0.6.0/24

We also need the following Network Object Groups on all firewalls:

  • BostonNetworks: bostonvlan1, bostonvlan2
  • ChicagoNetworks: chicagovlan1, chicagovlan2
  • PhoenixNetworks: phoenixvlan1, phonexvlan2

On the hub firewall, chicagofw we need to add the two Network Object Groups:

  • ToBoston: ChicagoNetworks, PhoenixNetworks
  • ToPhoenix: ChicagoNetworks, BostonNetworks

With the above information we can build the tunnels on the Chicago firewall; open ASDM and connect to the hub firewall.

(In the screen shot below, we have configured the Management interface on each firewall with addresses in the 172.23.183.x range for simplicity of access to the devices.)

 

 

 

 

 

 

 

 

 

 

 

 

Click Configuration, and click Firewall.

Under Addresses on the right click Add.

 

 

Add the above objects, repeating the process for each object.

 

 

When done, ASDM should look like the above image.

Now we are ready to create the tunnels to Boston and Phoenix on the Chicago firewall.

To do this go to “Site-to-Site VPN” on the lower left corner.

 

 

Click “Wizards” in top menu bar and select “VPN Wizards” - “Site-to-site VPN Wizard”.

Now we will work with the Site-to-site VPN Connection Setup Wizard.

 

 

First we need to enter the Internet address (outside interface) of the Boston Cisco ASA firewall.

Then click Next.

 

 

This is the critical step, for the Local Network we need to specify the Network Object Group that contains ALL of the subnets that will be SENT TO the far end of the VPN. The Remote Network must be a Network Object Group containing ALL of the subnets received from the far end of the VPN. In our example, on the Chicago hub firewall, the local network is ToBoston and the Remote Network is BostonNetworks.

 

 

Enter our pre-shared key “supersecretCB1!” without the quotes.

Then click Next.

 

 

Be certain to check “Exempt ASA side host/network from address translation” and select the “inside” interface. This tells the firewall to pass the inside addresses on to the other sites with the VPN network.

Then click Next.

 

 

Finally the wizard will summarize the configuration, clicking Finish will configure the firewall.

 

 

Now repeat the above process for Phoenix, changing 192.168.1.1 to 192.168.3.1, “ToBoston” as the local network to “ToPhoenix”, and the shared key to “supersecretCP2!” without the quotes. The summary for the Phoenix tunnel should look like the image below.

 

 

Once the tunnels are built the hub firewall, chicagofw in our example, must have “Enable traffic between two or more hosts connected to the same interface” checked, as shown below.

 

 

That completes the hub firewall configuration. Now we need to setup and configure each of the site firewalls.

We will start with the Phoenix site firewall, phoenixfw.

As stated above, all of the network objects that are on the Chicago (hub) firewall need to be configured on the Phoenix (and Boston) firewalls as well. This is actually an excellent example of how working with the configuration files directly can be beneficial, as the objects could be copied from Chicago, and pasted into the Phoenix configuration.

Create these network objects in the same manner as for the Chicago firewall above.

  • Host bostonfw 192.168.1.1
  • Host chicagofw 192.168.2.1
  • Host phoenixfw 192.168.3.1
  • Network bostonvlan1 10.0.1.0/24
  • Network bostonvlan2 10.0.2.0/24
  • Network chicagovlan1 10.0.3.0/24
  • Network chicagovlan2 10.0.4.0/24
  • Network phoenixvlan1 10.0.5.0/24
  • Network phonexvlan2 10.0.6.0/24

We also need the following Network Object Groups:

  • BostonNetworks: bostonvlan1, bostonvlan2
  • ChicagoNetworks: chicagovlan1, chicagovlan2
  • PhoenixNetworks: phoenixvlan1, phonexvlan2

The single area of difference is a Network Object Group to contain the subnets at the far end of the VPN. As Phoenix will have only a single VPN connection we can create a single Network Object Group (RemoteNetworks) that contains both the ChicagoNetworks and BostonNetworks network object groups.

 

 

Once all of the network objects, and network object groups are configured we can run the site-to-site VPN Connection Setup Wizard as before.

 

 

This time enter the IP address of the outside (Internet connected) interface of the Chicago firewall.

 

 

For the local network, use the PhoenixNetworks network object group.

 

 

The remote network should be the RemoteNetworks network object group containing the ChicagoNetworks, and BostonNetworks network object groups.

 

Check “Simple Configuration” and use “supersecretCP2!” for the pre-shared Key.

 

 

“Exempt ASA side host/network from address translation” should be checked, and the inside network interface should be chosen in the drop down box.

 

 

After confirming the summary information show is correct, click Finish.

 

 

The configuration of the Phoenix side of the VPN is complete at this point. Next Boston should be set up similarly to Phoenix.

 

On the Boston Cisco ASA firewall create these network objects in the same manner as for the Chicago and Phoenix firewalls above.

  • Host bostonfw 192.168.1.1
  • Host chicagofw 192.168.2.1
  • Host phoenixfw 192.168.3.1
  • Network bostonvlan1 10.0.1.0/24
  • Network bostonvlan2 10.0.2.0/24
  • Network chicagovlan1 10.0.3.0/24
  • Network chicagovlan2 10.0.4.0/24
  • Network phoenixvlan1 10.0.5.0/24
  • Network phonexvlan2 10.0.6.0/24

We also need the following Network Object Groups:

  • BostonNetworks: bostonvlan1, bostonvlan2
  • ChicagoNetworks: chicagovlan1, chicagovlan2
  • PhoenixNetworks: phoenixvlan1, phonexvlan2

As with the Phoenix firewall we will have only a single VPN connection so we can create a single Network Object Group (RemoteNetworks) that contains both the ChicagoNetworks and PhoenixNetworks network object groups.

 

 

Once all of the network objects, and network object groups are configured we can run the site-to-site VPN Connection Setup Wizard as before.

 

 

This time enter the IP address of the outside (Internet connected) interface of the Chicago firewall.

 

 

For the local network, enter the BostonNetworks Network Object Group.

 

 

The remote network should be the RemoteNetworks network object group containing the ChicagoNetworks, and PhoenixNetworks network object groups.

 

 

 

Check “Simple Configuration” and use “supersecretCB1!” for the pre-shared Key.

 

 

“Exempt ASA side host/network from address translation” should be checked, and the inside network interface should be chosen in the drop down box.

 

 

After confirming the summary information show is correct, click Finish.

 

 

Next Steps

At this point the complete VPN network is setup. Traffic should pass from Boston through Chicago to Phoenix, and the reverse as well. If something isn’t working test whether traffic can make it from Boston to Chicago, and Phoenix to Chicago. If each site can connect to Chicago, confirm that “Enable traffic between two or more hosts connected to the same interface” is checked. Also, check that the Network Objects are properly setup.

To add a subnet to any of the sites, an addition network object would need to be created on every firewall, and the added to the appropriate network object group. Likewise, if additional sites need to be added, each subnet in the new site(s) would need to be added as network objects, additional network object groups would need to be created, and this must be done on every firewall. Configuration of the VPN would need to be added to Chicago as the Boston and Phoenix sites were done, and configure the other end similarly as well.

The complete firewall configurations are:

Chicago

hostname chicagofw

domain-name network.test

enable password $sha512$5000$95GdiyV3F+BpM7/Oe+yqOQ==$z/ijxUgrZPy7PQdRMhvvkA== pbkdf2

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

 

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.2.1 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.3.254 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.122.12 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name network.test

same-security-traffic permit intra-interface

object network bostonfw

host 192.168.1.1

object network chicagofw

host 192.168.2.1

object network phoenixfw

host 192.168.3.1

object network bostonvlan1

subnet 10.0.1.0 255.255.255.0

object network bostonvlan2

subnet 10.0.2.0 255.255.255.0

object network chicagovlan1

subnet 10.0.3.0 255.255.255.0

object network chicagovlan2

subnet 10.0.4.0 255.255.255.0

object network phoenixvlan1

subnet 10.0.5.0 255.255.255.0

object network phoenixvlan2

subnet 10.0.6.0 255.255.255.0

object-group network BostonNetworks

network-object object bostonvlan1

network-object object bostonvlan2

object-group network ChicagoNetworks

network-object object chicagovlan1

network-object object chicagovlan2

object-group network PhoenixNetworks

network-object object phoenixvlan1

network-object object phoenixvlan2

object-group network ToBoston

group-object ChicagoNetworks

group-object PhoenixNetworks

object-group network ToPhoenix

group-object BostonNetworks

group-object ChicagoNetworks

access-list outside_cryptomap extended permit ip object-group ToBoston object-group BostonNetworks

access-list outside_cryptomap_1 extended permit ip object-group ToPhoenix object-group PhoenixNetworks

pager lines 23

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static ToBoston ToBoston destination static BostonNetworks BostonNetworks no-proxy-arp route-lookup

nat (inside,outside) source static ToPhoenix ToPhoenix destination static PhoenixNetworks PhoenixNetworks no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 192.168.2.2 1

route inside 10.0.4.0 255.255.255.0 10.0.3.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication login-history

http server enable

http 172.23.183.0 255.255.255.0 management

http 192.168.122.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 192.168.1.1

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 2 match address outside_cryptomap_1

crypto map outside_map 2 set peer 192.168.3.1

crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 513fb9743870b73440418d30930699ff

30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30

0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30

09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f

72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275

7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c

61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230

0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca

1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b

037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203

7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c

ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee

b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a

6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26

4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a

16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100

01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006

03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e

636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630

2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474

703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60

86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f

7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230

1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906

03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350

4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a

b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3

4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649

dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722

2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16

2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd

e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382

e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d

4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de

30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41

a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh stricthostkeycheck

ssh 172.23.183.0 255.255.255.0 management

ssh 192.168.122.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_192.168.1.1 internal

group-policy GroupPolicy_192.168.1.1 attributes

vpn-tunnel-protocol ikev1 ikev2

group-policy GroupPolicy_192.168.3.1 internal

group-policy GroupPolicy_192.168.3.1 attributes

vpn-tunnel-protocol ikev1 ikev2

dynamic-access-policy-record DfltAccessPolicy

username cisco password $sha512$5000$TfKSE18g/9ZQ1FhvxWkO4A==$ueuWs2LAYWTKxLk9MkDBEQ== pbkdf2

tunnel-group 192.168.1.1 type ipsec-l2l

tunnel-group 192.168.1.1 general-attributes

default-group-policy GroupPolicy_192.168.1.1

tunnel-group 192.168.1.1 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

tunnel-group 192.168.3.1 type ipsec-l2l

tunnel-group 192.168.3.1 general-attributes

default-group-policy GroupPolicy_192.168.3.1

tunnel-group 192.168.3.1 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect ip-options

inspect netbios

inspect rtsp

inspect sunrpc

inspect tftp

inspect xdmcp

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect esmtp

inspect sqlnet

inspect sip

inspect skinny

inspect icmp

policy-map type inspect dns migrated_dns_map_2

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

Cryptochecksum:f37393814615c404c084bcac7ce93b74

: end

no asdm history enable

 

 

Phoenix

 

hostname phoenixfw

domain-name test3.local

enable password $sha512$5000$yfecPlE0yth9cihT6taoHQ==$l6pkC6kYNRhCO5+lBeA7Mw== pbkdf2

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

 

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.3.1 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.5.254 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.122.13 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name test3.local

object network bostonfw

host 192.168.1.1

object network chicagofw

host 192.168.2.1

object network phoenixfw

host 192.168.3.1

object network bostonvlan1

subnet 10.0.1.0 255.255.255.0

object network bostonvlan2

subnet 10.0.2.0 255.255.255.0

object network chicagovlan1

subnet 10.0.3.0 255.255.255.0

object network chicagovlan2

subnet 10.0.4.0 255.255.255.0

object network phoenixvlan1

subnet 10.0.5.0 255.255.255.0

object network phoenixvlan2

subnet 10.0.6.0 255.255.255.0

object-group network BostonNetworks

network-object object bostonvlan1

network-object object bostonvlan2

object-group network ChicagoNetworks

network-object object chicagovlan1

network-object object chicagovlan2

object-group network PhoenixNetworks

network-object object phoenixvlan1

network-object object phoenixvlan2

object-group network RemoteNetworks

description Networks on the other side of the VPN

group-object BostonNetworks

group-object ChicagoNetworks

access-list outside_cryptomap extended permit ip object-group PhoenixNetworks object-group RemoteNetworks

pager lines 23

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static PhoenixNetworks PhoenixNetworks destination static RemoteNetworks RemoteNetworks no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 192.168.3.2 1

route inside 10.0.6.0 255.255.255.0 10.0.5.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication login-history

http server enable

http 172.23.183.0 255.255.255.0 management

http 192.168.122.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 192.168.2.1

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 513fb9743870b73440418d30930699ff

30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30

0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30

09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f

72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275

7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c

61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230

0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca

1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b

037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203

7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c

ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee

b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a

6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26

4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a

16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100

01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006

03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e

636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630

2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474

703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60

86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f

7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230

1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906

03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350

4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a

b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3

4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649

dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722

2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16

2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd

e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382

e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d

4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de

30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41

a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh stricthostkeycheck

ssh 172.23.183.0 255.255.255.0 management

ssh 192.168.122.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_192.168.2.1 internal

group-policy GroupPolicy_192.168.2.1 attributes

vpn-tunnel-protocol ikev1 ikev2

dynamic-access-policy-record DfltAccessPolicy

username cisco password $sha512$5000$YzlPDymaAmsdTkbs+YDDjA==$BXP3zn4AkX4Ng2ZFurl74g== pbkdf2

tunnel-group 192.168.2.1 type ipsec-l2l

tunnel-group 192.168.2.1 general-attributes

default-group-policy GroupPolicy_192.168.2.1

tunnel-group 192.168.2.1 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect ip-options

inspect netbios

inspect rtsp

inspect sunrpc

inspect tftp

inspect xdmcp

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect esmtp

inspect sqlnet

inspect sip

inspect skinny

inspect icmp

policy-map type inspect dns migrated_dns_map_2

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

Cryptochecksum:ceac2a1c63a80801559c18d35b9c342d

: end

no asdm history enable

 

 

Boston

 

hostname bostonfw

domain-name network.test

enable password $sha512$5000$+PEqt+JyI7ryzhYgW3VDtA==$vh19Pv8bQQIUWivLDe1h+w== pbkdf2

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

names

 

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 10.0.1.254 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 0

ip address 192.168.122.11 255.255.255.0

!

ftp mode passive

dns server-group DefaultDNS

domain-name network.test

same-security-traffic permit intra-interface

object network bostonfw

host 192.168.1.1

object network chicagofw

host 192.168.2.1

object network phoenixfw

host 192.168.3.1

object network bostonvlan1

subnet 10.0.1.0 255.255.255.0

object network bostonvlan2

subnet 10.0.2.0 255.255.255.0

object network chicagovlan1

subnet 10.0.3.0 255.255.255.0

object network chicagovlan2

subnet 10.0.4.0 255.255.255.0

object network phoenixvlan1

subnet 10.0.5.0 255.255.255.0

object network phoenixvlan2

subnet 10.0.6.0 255.255.255.0

object-group network BostonNetworks

network-object object bostonvlan1

network-object object bostonvlan2

object-group network ChicagoNetworks

network-object object chicagovlan1

network-object object chicagovlan2

object-group network PhoenixNetworks

network-object object phoenixvlan1

network-object object phoenixvlan2

object-group network RemoteNetworks

description Networks on the other side of the VPN

group-object ChicagoNetworks

group-object PhoenixNetworks

access-list outside_cryptomap_1 extended permit ip object-group BostonNetworks object-group RemoteNetworks

pager lines 23

mtu outside 1500

mtu inside 1500

mtu management 1500

no failover

no monitor-interface service-module

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 8192

nat (inside,outside) source static BostonNetworks BostonNetworks destination static RemoteNetworks RemoteNetworks no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 192.168.1.2 1

route inside 10.0.2.0 255.255.255.0 10.0.1.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication login-history

http server enable

http 172.23.183.0 255.255.255.0 management

http 192.168.122.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap_1

crypto map outside_map 1 set peer 192.168.2.1

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map outside_map interface outside

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

auto-import

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 513fb9743870b73440418d30930699ff

30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30

0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30

09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f

72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275

7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c

61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230

0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca

1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b

037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203

7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c

ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee

b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a

6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26

4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a

16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100

01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006

03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e

636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630

2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474

703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60

86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f

7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230

1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906

03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350

4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a

b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3

4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649

dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722

2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16

2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd

e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382

e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d

4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de

30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41

a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh stricthostkeycheck

ssh 172.23.183.0 255.255.255.0 management

ssh 192.168.122.0 255.255.255.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy GroupPolicy_192.168.2.1 internal

group-policy GroupPolicy_192.168.2.1 attributes

vpn-tunnel-protocol ikev1 ikev2

dynamic-access-policy-record DfltAccessPolicy

username cisco password $sha512$5000$rKklTMuIsBG9QavDzsYBfg==$0oHlRCC60+yY0cVvYMmLqQ== pbkdf2

tunnel-group 192.168.2.1 type ipsec-l2l

tunnel-group 192.168.2.1 general-attributes

default-group-policy GroupPolicy_192.168.2.1

tunnel-group 192.168.2.1 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect dns migrated_dns_map_1

inspect ftp

inspect h323 h225

inspect h323 ras

inspect ip-options

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect icmp

policy-map type inspect dns migrated_dns_map_2

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

profile License

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination transport-method http

Cryptochecksum:ec71af31f7fd4ce550f2c3b2472fde9c

: end

no asdm history enable

While many people prefer using the command interface for configuring Cisco ASAs, it is also possible to use ASDM for more complex configurations. If this is something you would like assistance with, an iuvo Technologies network engineer would be happy to assist.

 

For further assistance and informational content, check out the latest blogs below: