Wednesday, March 27, 2013

BLOCKING URL'S AND INSTANT MESSENGER IN ASA Example

ASA Configuration
interface Ethernet0/0
nameif outside
 security-level 0
 ip address 192.168.137.2 255.255.255.0
no shut
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
no shut

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.137.1


Define a regex for each domain name to be blocked, for example facebook

regex url1 "facebook.com"
regex url2 "myspace.com"
regex url4 "twitter.com"


Create a regex class-map named urlreg that matches any of the domain-name regexes to be blocked

class-map type regex match-any urlreg
match regex url1
match regex url2
match regex url4


Create an HTTP inspection class-map named http_url_policy that matches the request Host header against the urlreg regex class

class-map type inspect http match-all http_url_policy
match request header host regex class urlreg


Create an IM inspection class-map named im-traffic that matches the MSN and Yahoo IM protocols

class-map type inspect im match-all im-traffic
match protocol msn-im yahoo-im

Create an ACL that selects the HTTP traffic to be inspected (TCP port 80)

access-list http permit tcp any any eq 80

Create an ACL that selects the traffic for IM inspection. Only traffic permitted by the ACL is matched by the class-map, so the deny entry excludes 192.168.1.0/24 from IM inspection

access-list 101 line 1 extended deny ip 192.168.1.0 255.255.255.0 any
access-list 101 extended permit ip any any

Create a Layer 3/4 class-map named http-inspection that matches the HTTP interesting traffic selected by access-list http

class-map http-inspection
match access-list http

Create a Layer 3/4 class-map named im_inspection that matches the IM interesting traffic selected by access-list 101

class-map im_inspection
match access-list 101

Create an HTTP inspection policy-map named http_policy and reference the http_url_policy class; matching connections are dropped

policy-map type inspect http http_policy
parameters
class http_url_policy
drop-connection

Create an IM inspection policy-map named im-policy and reference the im-traffic class; matching connections are dropped and logged

policy-map type inspect im im-policy
parameters
class im-traffic
drop-connection log

Create the Layer 3/4 policy-map block-url-im and attach each inspection policy-map to its class

policy-map block-url-im
class http-inspection
inspect http http_policy
class im_inspection
inspect im im-policy

Apply the policy-map block-url-im as a service policy on the outside interface for it to take effect

service-policy block-url-im interface outside
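
As an added illustration (not part of the original post), the Python script below emulates how the urlreg regex class is applied to the HTTP Host header and shows two things worth checking in this configuration: the unescaped dot in "facebook.com" also matches hosts such as facebookXcom or notfacebook.com, and only the TCP/80 traffic selected by the http access-list is ever handed to HTTP inspection, so HTTPS on 443 is not covered. Python's re module stands in for the ASA regex engine; the STRICT_URL_REGEXES patterns with escaped dots and anchors are this example's suggested tightening, not from the post.

```python
import re

# Domain regexes as defined in the post's "regex url1/url2/url4" commands.
URL_REGEXES = {
    "url1": "facebook.com",
    "url2": "myspace.com",
    "url4": "twitter.com",
}

# Suggested tightening (this example's own, not from the post): escape the
# dots and anchor the pattern so only the domain and its subdomains match.
STRICT_URL_REGEXES = {
    "url1": r"(^|\.)facebook\.com$",
    "url2": r"(^|\.)myspace\.com$",
    "url4": r"(^|\.)twitter\.com$",
}


def host_matches_class(host: str, regexes=URL_REGEXES) -> bool:
    """Emulate 'class-map type regex match-any urlreg' applied to the value of
    the HTTP Host header: any regex found anywhere in the value is a match.
    Python's re stands in for the ASA regex engine here."""
    return any(re.search(pattern, host) for pattern in regexes.values())


def request_blocked(dst_port: int, host: str, regexes=URL_REGEXES) -> bool:
    """Decide whether the block-url-im policy would drop a request.
    The http_policy inspection is only applied to connections matched by
    'access-list http permit tcp any any eq 80', so a request on any other
    port (HTTPS on 443, a proxy on 8080) is never inspected at all."""
    if dst_port != 80:
        return False
    return host_matches_class(host, regexes)


def compare_patterns(hosts):
    """Return {host: (blocked by the post's regexes, blocked by the strict ones)}."""
    return {
        h: (request_blocked(80, h), request_blocked(80, h, STRICT_URL_REGEXES))
        for h in hosts
    }


if __name__ == "__main__":
    # Constructed sample Host header values.
    samples = ["www.facebook.com", "facebook.com", "notfacebook.com",
               "facebookXcom", "www.example.com"]
    for host, (loose, strict) in compare_patterns(samples).items():
        print(f"{host:20} post's regex: {loose!s:5}  strict regex: {strict}")
```

On a real ASA the equivalent tightening is `regex url1 "(^|\.)facebook\.com$"`; the dot must be escaped in the ASA regex syntax just as in Python.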

Saturday, March 23, 2013

Site to site IP-Sec VPN tunnel between ASA and Cisco Router, Example

ASA Configuration

ciscoasa# show run

!

hostname ASA

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 11.11.11.10 255.255.255.0

no shut

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.11.1 255.255.255.0

no shut

!

access-list ACL-RED-VPN extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0

access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0

!
nat (inside) 0 access-list ACL-INSIDE-NONAT

route outside 0.0.0.0 0.0.0.0 11.11.11.11 1

!
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN

crypto map MAP-OUTSIDE 20 set peer 11.11.11.11

crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA

crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000

crypto map MAP-OUTSIDE interface outside

crypto isakmp enable outside

crypto isakmp policy 5

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 36400

!

tunnel-group 11.11.11.11 type ipsec-l2l

tunnel-group 11.11.11.11 ipsec-attributes

 pre-shared-key  123456

prompt hostname context

: end

ciscoasa#

 

Branchoffice Router configuration

Branchoffice#show run

Building configuration...

 !

hostname Branchoffice

!
crypto isakmp policy 5

 encr aes

 authentication pre-share

 group 2

crypto isakmp key 123456 address 11.11.11.10

!

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto map VPN-TUNNEL 1 ipsec-isakmp

 set peer 11.11.11.10

 set transform-set AES-SHA

 match address ACL-VPN

!

interface Ethernet1/0

 ip address 11.11.11.11 255.255.255.0

crypto map VPN-TUNNEL

no shut

!

interface Ethernet1/1

 ip address 172.16.22.1 255.255.255.0

no shut

!

ip route 0.0.0.0 0.0.0.0 11.11.11.10

 !
ip access-list extended ACL-VPN

 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255

!
end

Branchoffice#
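
The most common reason a tunnel like this one fails Phase 2 is that the two crypto ACLs are not exact mirror images, and comparing them by eye is error-prone because the router uses wildcard masks while the ASA uses subnet masks. The Python check below is an added example, not material from the post: it parses the crypto ACL and transform-set out of each configuration listed above, converts the IOS wildcards to netmasks, and confirms that the two definitions mirror each other with identical transforms. The parser handles only the `permit ip <net> <mask> <net> <mask>` form used here, and the embedded config text is constructed sample input copied from the two listings. The same check applies unchanged to the ASA-to-ASA pairs (HO/BO1, HO/BO2) in the multi-site post on this page.

```python
import ipaddress
import re
from typing import Dict, FrozenSet, List, Tuple

Net = ipaddress.IPv4Network
Flow = Tuple[Net, Net]  # (source network, destination network)

# Constructed sample input: the crypto-relevant lines of the two configurations
# in the post (ASA side with subnet masks, IOS router side with wildcard masks).
ASA_CONFIG = """\
access-list ACL-RED-VPN extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
"""

IOS_CONFIG = """\
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 11.11.11.10
 set transform-set AES-SHA
 match address ACL-VPN
!
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
!
"""

ASA_ACE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
IOS_ACE = re.compile(r"^\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
TRANSFORM = re.compile(r"^\s*crypto ipsec transform-set\s+(\S+)\s+(.+)$")


def wildcard_to_netmask(wildcard: str) -> str:
    """IOS ACLs use wildcard (inverse) masks; ASA ACLs use subnet masks."""
    bits = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(bits ^ 0xFFFFFFFF))


def parse_asa_crypto_acl(config: str, acl_name: str) -> List[Flow]:
    """Collect (src, dst) networks from the named ASA extended ACL."""
    flows = []
    for line in config.splitlines():
        m = ASA_ACE.match(line.strip())
        if m and m.group(1) == acl_name:
            src = Net(f"{m.group(2)}/{m.group(3)}", strict=False)
            dst = Net(f"{m.group(4)}/{m.group(5)}", strict=False)
            flows.append((src, dst))
    return flows


def parse_ios_crypto_acl(config: str, acl_name: str) -> List[Flow]:
    """Collect (src, dst) networks from the named IOS named extended ACL block."""
    flows, in_block = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_block = line.split()[-1] == acl_name
            continue
        if in_block:
            if not line.startswith(" "):      # block ends at the next top-level command or '!'
                in_block = False
                continue
            m = IOS_ACE.match(line)
            if m:
                src = Net(f"{m.group(1)}/{wildcard_to_netmask(m.group(2))}", strict=False)
                dst = Net(f"{m.group(3)}/{wildcard_to_netmask(m.group(4))}", strict=False)
                flows.append((src, dst))
    return flows


def transform_sets(config: str) -> Dict[str, FrozenSet[str]]:
    """Map transform-set name -> set of transforms, for either platform."""
    return {m.group(1): frozenset(m.group(2).split())
            for m in map(TRANSFORM.match, config.splitlines()) if m}


def is_mirror(local: List[Flow], remote: List[Flow]) -> bool:
    """Phase 2 only negotiates when every local (src, dst) pair has the reversed
    (dst, src) pair on the peer, with nothing left over on either side."""
    return set(local) == {(dst, src) for src, dst in remote}


def check_pair(asa_cfg: str, asa_acl: str, asa_ts: str,
               ios_cfg: str, ios_acl: str, ios_ts: str) -> List[str]:
    """Return a list of problems; an empty list means the peers are consistent."""
    problems = []
    if not is_mirror(parse_asa_crypto_acl(asa_cfg, asa_acl), parse_ios_crypto_acl(ios_cfg, ios_acl)):
        problems.append("crypto ACLs are not mirror images")
    if transform_sets(asa_cfg).get(asa_ts) != transform_sets(ios_cfg).get(ios_ts):
        problems.append("transform-sets differ")
    return problems


if __name__ == "__main__":
    result = check_pair(ASA_CONFIG, "ACL-RED-VPN", "ESP-AES128-SHA", IOS_CONFIG, "ACL-VPN", "AES-SHA")
    print(result or "peer definitions are consistent")
```

Running it against the two listings reports them as consistent; changing one wildcard octet on the router side (a very common typo) is enough to make the mirror check fail, which is exactly the condition that shows up in production as an SA that never comes up.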

Saturday, March 9, 2013

Basic ASA Username and Password Configuration Example


Create a local username and password, generate the RSA key pair that SSH requires, and use the LOCAL user database to authenticate SSH connections from the inside network:

ciscoasa(config)# username user1 password user1

ciscoasa(config)# crypto key generate rsa modulus 1024

ciscoasa(config)# aaa authentication ssh console LOCAL

ciscoasa(config)# ssh 192.168.1.0 255.255.255.255 inside

 
Enabling telnet access from the inside network, and setting the login (passwd) and enable passwords:

ciscoasa(config)# telnet 192.168.1.0 255.255.255.255 inside

ciscoasa(config)# passwd test

ciscoasa(config)# enable password test1
 

Allow management access to the inside interface (for example, to manage the ASA across a VPN tunnel) with the following command:

ciscoasa(config)# management-access inside
 

Enable the HTTP server for ASDM connections and allow them from the inside network:

ciscoasa(config)# http server enable
ciscoasa(config)# http 192.168.1.0 255.255.255.255 inside
 

Configuring clock settings:

ciscoasa(config)# clock set 12:00:00 jan 10 2013
 

Configuring Network Time Protocol (NTP) with 192.168.1.10 as the time server, sourced from the inside interface:

ciscoasa(config)# ntp server 192.168.1.10 source inside
 

Configure authentication of the serial console, telnet, SSH and enable access using the LOCAL username database:

ciscoasa(config)# username user2 password user2

ciscoasa(config)# aaa authentication serial console LOCAL

ciscoasa(config)# aaa authentication telnet console LOCAL

ciscoasa(config)# aaa authentication ssh console LOCAL

ciscoasa(config)# aaa authentication enable console LOCAL
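
As an added example (not from the original post), the Python audit below reads the commands from this post as plain text and reports the points a reviewer would raise: telnet is a cleartext protocol; the ssh, telnet and http rules use a 255.255.255.255 mask on the network address 192.168.1.0, which permits only that single unused address and is almost certainly meant to be 255.255.255.0; the RSA modulus is 1024 bits; user1's password equals the username; and any access method enabled without a matching `aaa authentication <method> console LOCAL` line falls back to the device-level password instead of per-user accounts. The finding codes, the sample config and the hardened variant in the test are this example's own constructions.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (code, subject)

# Constructed sample: the commands from this post, without the prompts, in
# the order they appear before the "aaa authentication" section is added.
SAMPLE_CONFIG = """\
username user1 password user1
crypto key generate rsa modulus 1024
aaa authentication ssh console LOCAL
ssh 192.168.1.0 255.255.255.255 inside
telnet 192.168.1.0 255.255.255.255 inside
passwd test
enable password test1
management-access inside
http server enable
http 192.168.1.0 255.255.255.255 inside
"""

ACCESS_RE = re.compile(r"^(ssh|telnet|http) (\S+) (\S+) (\S+)$")
AAA_RE = re.compile(r"^aaa authentication (\S+) console (\S+)$")
USER_RE = re.compile(r"^username (\S+) password (\S+)")
RSA_RE = re.compile(r"^crypto key generate rsa modulus (\d+)$")


def audit_management_access(config: str) -> List[Finding]:
    """Return the findings for a block of ASA management-plane commands."""
    findings: List[Finding] = []
    enabled, aaa = set(), set()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse stray whitespace
        if m := ACCESS_RE.match(line):
            method, net, mask, _iface = m.groups()
            enabled.add(method)
            # A /32 mask on an address ending in .0 is almost always a typo
            # for a subnet mask; the rule then permits one unused host only.
            if mask == "255.255.255.255" and net.endswith(".0"):
                findings.append(("HOST_MASK_ON_NETWORK", line))
            if method == "telnet":  # credentials and session travel in cleartext
                findings.append(("CLEARTEXT_PROTOCOL", line))
        elif m := AAA_RE.match(line):
            aaa.add(m.group(1))
        elif m := USER_RE.match(line):
            user, password = m.groups()
            if password == user or len(password) < 8:
                findings.append(("WEAK_PASSWORD", user))
        elif m := RSA_RE.match(line):
            if int(m.group(1)) < 2048:
                findings.append(("SHORT_RSA_KEY", m.group(1)))
    # Each enabled access method needs its own aaa authentication binding;
    # otherwise the ASA authenticates it with the device-level password.
    for method in sorted(enabled | {"enable"}):
        if method not in aaa:
            findings.append(("NO_AAA", method))
    return findings


if __name__ == "__main__":
    for code, subject in audit_management_access(SAMPLE_CONFIG):
        print(f"{code:22} {subject}")
```

Adding the `aaa authentication telnet/http/enable console LOCAL` lines from the end of this post clears the NO_AAA findings; the mask and key-size findings need the commands themselves changed.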

Tuesday, February 12, 2013

EXAMPLE: CONFIGURING ASA 8.2 FOR MULTIPLE IPSEC SITE-TO-SITE VPNS, REMOTE IPSEC VPN, SSL VPN, SPLIT-TUNNEL, VPN FILTER, NAT, AND ALLOWING AN INSIDE WEB SERVER TO BE ACCESSED FROM THE INTERNET

ISP ROUTER

ISP#show run

Building configuration...

 

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname ISP

 

!

ip subnet-zero

ip domain-name lab.local

 

!

interface Ethernet0/0

 ip address 10.1.1.10 255.255.255.0

no shut

 no ip directed-broadcast

!

interface Ethernet0/1

 ip address 10.1.2.10 255.255.255.0

no shut

 

 no ip directed-broadcast

!

interface Ethernet0/2

 ip address 10.1.3.10 255.255.255.0

no shut

 

 no ip directed-broadcast

!

interface Ethernet0/3

 ip address 100.1.1.1 255.255.255.0

no shut

 

 no ip directed-broadcast

!

ip classless

no ip http server

!

!

line con 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

 transport input none

line aux 0

 exec-timeout 0 0

 privilege level 15

 logging synchronous

line vty 0 4

 password test

 login

!

end

 

ISP#

 

HO- ASA

HO(config)# show run

: Saved

:

ASA Version 8.0(2)

!

Configuring hostname

hostname HO

enable password 8Ry2YjIyt7RRXU24 encrypted

names

 

Configuring names (address aliases used later in the access-lists)

name 192.168.1.10 Router-inside

name 192.168.4.5 Remote-user1

!

Configuring  outside interface

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 10.1.1.1 255.255.255.0

no shut

 

!

Configuring  inside interface

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.1.1 255.255.255.0

no shut

 

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

Configuring the nat0 (NAT exemption) access-list entry for traffic to BO1

access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Configuring the nat0 exemption access-list entry for traffic to BO2

access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Configuring the nat0 exemption access-list entry for traffic to the VPN client pool

access-list nat0 extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0

Configuring the crypto access-list that will be associated with the BO1 crypto map entry

access-list crypto extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Configuring the crypto2 access-list that will be associated with the BO2 crypto map entry

access-list crypto2 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

Configuring splitunnel access-list, for VPN Clients

access-list splitunnel standard permit 192.168.1.0 255.255.255.0

Configuring the VPNFILTER12 access-list. A vpn-filter ACL is always written with the remote (tunnel) side as the source: the entry with eq telnet on the Router-inside side lets host 192.168.2.10 in BO1 telnet to the router 192.168.1.10 (Router-inside) inside the HO, and the entry with eq telnet on the 192.168.2.10 side lets the HO router 192.168.1.10 telnet to the router 192.168.2.10 in BO1

access-list VPNFILTER12 extended permit tcp host 192.168.2.10 eq telnet host Router-inside

access-list VPNFILTER12 extended permit tcp host 192.168.2.10 host Router-inside eq telnet

This VPNFILTER12 entry allows the router 192.168.1.11 in the HO to telnet to 192.168.2.11 in BO1 (again written with the BO1 side as the source)

access-list VPNFILTER12 extended permit tcp host 192.168.2.11 eq telnet host 192.168.1.11

This access-list allows HTTP from the Internet to 10.1.1.56, the outside address that is statically NATed to the inside web server

access-list outside-in extended permit tcp any host 10.1.1.56 eq www

This access-list allows telnet from the Internet to 10.1.1.56, the outside address that is statically NATed to the inside host

access-list outside-in extended permit tcp any host 10.1.1.56 eq telnet

This access-list limits VPN user1 (Remote-user1) to telnet to the router 192.168.1.10 (Router-inside)

access-list limited-access-4-vpn-user extended permit tcp host Remote-user1 host Router-inside eq telnet

pager lines 24

mtu outside 1500

mtu inside 1500

Creating a local IP address pool (vpn-pool) for remote VPN users

ip local pool vpn-pool 192.168.4.1-192.168.4.10 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

Configuring the dynamic NAT address pool on the outside interface

global (outside) 1 10.1.1.50-10.1.1.55 netmask 255.255.255.255

Configuring the nat0 exemption so that site-to-site and remote-access VPN traffic is not translated

nat (inside) 0 access-list nat0

Translating the inside addresses using global pool 1

nat (inside) 1 192.168.1.0 255.255.255.255

Configuring static NAT. This creates a mapping between an address on the outside and the address of the server on the inside, so users on the outside can reach the server via the outside address (anyone can reach the web server from the Internet)

static (inside,outside) tcp 10.1.1.56 www 192.168.1.20 www netmask 255.255.255.255

Configuring a second static NAT entry that maps TCP telnet on the same outside address to the inside server (anyone can telnet to it from the Internet)

static (inside,outside) tcp 10.1.1.56 telnet 192.168.1.20 telnet netmask 255.255.255.255

Assigning  access-list on outside interface

access-group outside-in in interface outside

Creating route to ISP  to  access  internet from inside

route outside 0.0.0.0 0.0.0.0 10.1.1.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

Enabling the HTTP server for ASDM and allowing ASDM access from host 192.168.1.15 on the inside

http server enable

http 192.168.1.15 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

PHASE 2 OF IPSEC VPN

Configure transform-set by name transform1 for site to site VPN

crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac

Configure transform-set by name vpn-rs  for remote user VPN

crypto ipsec transform-set vpn-rs esp-des esp-sha-hmac

Configure transform-set by name vpn-rs1  for remote user VPN

 crypto ipsec transform-set vpn-rs1 esp-des esp-md5-hmac

Creating crypto dynamic-map dyn-map with sequence number 20 and requiring PFS (perfect forward secrecy) for the remote-access SAs

crypto dynamic-map dyn-map 20 set pfs

Associating dynamic-map dyn-map 20 with the transform-sets vpn-rs and vpn-rs1

crypto dynamic-map dyn-map 20 set transform-set vpn-rs vpn-rs1

creating crypto map by name mymap and sequence number 2 and associating  access-list crypto with it

crypto map mymap 2 match address crypto

Associate crypto map mymap 2 with peer ip address 10.1.2.1

crypto map mymap 2 set peer 10.1.2.1

Associate crypto map mymap 2 with transform-set transform1

crypto map mymap 2 set transform-set transform1

creating crypto map by name mymap and sequence number 3 and associating access-list crypto2 with it

crypto map mymap 3 match address crypto2

Associate crypto map mymap 3 with peer ip address 10.1.3.1

crypto map mymap 3 set peer 10.1.3.1

Associate crypto map mymap 3 with transform-set transform1

crypto map mymap 3 set transform-set transform1

creating crypto map by name mymap and sequence number 20  and associate dynamic crypto map  dyn-map with it

crypto map mymap 20 ipsec-isakmp dynamic dyn-map

Applying crypto map mymap to the outside interface

crypto map mymap interface outside

 
PHASE 1 OF IPSEC VPN

 
Enabling ISAKMP on the outside interface

crypto isakmp enable outside

Creating crypto isakmp policy with priority 10

crypto isakmp policy 10

Defining authentication i.e. pre-share key

 authentication pre-share

Defining encryption i.e. aes

 encryption aes

Defining hashing i.e.  sha

 hash sha

Defining the Diffie-Hellman group, i.e. group 2

 group 2

Defining the ISAKMP SA lifetime, i.e. 3600 sec

 lifetime 3600

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

Enabling AnyConnect (SSL VPN) access on the ASA

webvpn

Enable WebVPN on the outside interface

enable outside

Assigning the AnyConnect client image

 svc image disk0:/anyconnect-win-2.4.1012-k9.pkg 1

Enable the SSL VPN client; without this command AnyConnect won't work

 svc enable

creating group-policy by name  SSLCLientPolicy

group-policy SSLCLientPolicy internal

configuring  attributes for  SSLCLientPolicy

group-policy SSLCLientPolicy attributes

Assigning dns-server for  SSLCLientPolicy attributes

 dns-server value 192.168.1.100

Assigning vpn-tunnel-protocol    for  SSLCLientPolicy attributes

 vpn-tunnel-protocol svc

enabling split-tunneling

 split-tunnel-policy tunnelspecified

Assigning access-list splitunnel as the split-tunnel network list for the SSLCLientPolicy attributes

 split-tunnel-network-list value splitunnel

Assigning domain name for  SSLCLientPolicy attributes

 default-domain value test.com

Assigning the address pool vpn-pool to the SSLCLientPolicy attributes

 address-pools value vpn-pool

 

creating group-policy 10.1.2.1 for site-site vpn  between HO and BO1

group-policy 10.1.2.1 internal

configuring  attributes for  group-policy 10.1.2.1

group-policy 10.1.2.1 attributes

adding vpn-filter with access list VPNFILTER12 to  10.1.2.1  attributes

 vpn-filter value VPNFILTER12

 

creating group-policy for IPsec vpn users by name  company-vpn-policy

group-policy company-vpn-policy internal

configuring  attributes for  group-policy company-vpn-policy

group-policy company-vpn-policy attributes

Assigning the DNS server IP address to the company-vpn-policy attributes

 dns-server value 192.168.1.100

Assigning the idle timeout, i.e. 30, to the company-vpn-policy attributes (vpn-idle-timeout is specified in minutes)

 vpn-idle-timeout 30

enabling split-tunneling

 split-tunnel-policy tunnelspecified

Assigning access-list splitunnel as the split-tunnel network list for the company-vpn-policy attributes

 split-tunnel-network-list value splitunnel

 

creating AnyConnect user ssl1 to connect to the AnyConnect VPN

username ssl1 password ssl1

configuring  ssl1 user  attributes

username ssl1 attributes

assigning  vpn-group-policy i.e. SSLCLientPolicy  for ssl1 user  attributes

 vpn-group-policy SSLCLientPolicy

assigning  vpn-tunnel-protocol i.e. svc  for ssl1 user  attributes

  vpn-tunnel-protocol svc

assigning service-type remote-access

 service-type remote-access

creating user for asdm access

username test password test privilege 15

creating ipsec remote VPN user by name user1

username user1 password test

configuring  user1 user  attributes

username user1 attributes

assigning  vpn-group-policy i.e. company-vpn-policy for user1 user  attributes

 vpn-group-policy company-vpn-policy

assigning  vpn-filter access-list  i.e. limited-access-4-vpn-user for user1 user  attributes

 vpn-filter value limited-access-4-vpn-user

assigning  vpn-tunnel-protocol i.e. IPSEC  for user1 user  attributes

 vpn-tunnel-protocol IPSec

assigning a fixed IP address to user1: whenever user1 connects over the IPsec VPN, the ASA assigns 192.168.4.5 (the Remote-user1 name used by the limited-access-4-vpn-user access-list)

 vpn-framed-ip-address 192.168.4.5 255.255.255.0

locking user1 to the tunnel-group vpn

 group-lock value vpn

creating tunnel-group for HO site-site BO1 vpn  i.e 10.1.2.1

tunnel-group 10.1.2.1 type ipsec-l2l

configure  tunnel-group  10.1.2.1 general-attributes

tunnel-group 10.1.2.1 general-attributes

assigning default-group-policy 10.1.2.1 in the tunnel-group general-attributes

 default-group-policy 10.1.2.1

configuring  tunnel-group 10.1.2.1 ipsec-attributes

tunnel-group 10.1.2.1 ipsec-attributes

configuring pre-shared key for  10.1.2.1 ipsec-attributes

 pre-shared-key  123456

creating tunnel-group for HO site-site BO2 vpn  i.e 10.1.3.1

tunnel-group 10.1.3.1 type ipsec-l2l

configuring  tunnel-group 10.1.3.1 ipsec-attributes

tunnel-group 10.1.3.1 ipsec-attributes

configuring pre-shared key for  10.1.3.1 ipsec-attributes

 pre-shared-key  123456

 

creating  tunnel-group by name vpn for ipsec remote-access vpn

tunnel-group vpn type remote-access

configuring  tunnel-group vpn general-attributes

tunnel-group vpn general-attributes

assigning the address-pool vpn-pool in the vpn tunnel-group general-attributes

 address-pool vpn-pool

assigning default-group-policy i.e. company-vpn-policy to  vpn general-attributes

 default-group-policy company-vpn-policy

configuring  tunnel-group vpn  ipsec-attributes

tunnel-group vpn ipsec-attributes

 pre-shared-key 123456

 

creating  tunnel-group by name SSLClientProfile for anyconnect vpn users

tunnel-group SSLClientProfile type remote-access

configuring  tunnel-group SSLClientProfile general-attributes

tunnel-group SSLClientProfile general-attributes

assigning default-group-policy i.e. SSLCLientPolicy to  SSLClientProfile general-attributes

 default-group-policy SSLCLientPolicy

configuring  SSLClientProfile webvpn-attributes to  select a group alias that displays in the group list on the WebVPN Login page

tunnel-group SSLClientProfile webvpn-attributes

enabling  SSLVPNClient group-alias

 group-alias SSLVPNClient enable

 

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

HO(config)#

 

 

BO1- ASA

BO1# show run

: Saved

:

ASA Version 8.0(2)

!

hostname BO1

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 10.1.2.1 255.255.255.0

no shut

 

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.2.1 255.255.255.0

no shut

 

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list crypto extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Configuring the VPNFILTER12 access-list on BO1. Here the remote side of the tunnel is the HO, so the entries mirror the HO's: the entry with eq telnet on the 192.168.2.10 side lets the HO router 192.168.1.10 telnet to the router 192.168.2.10 inside BO1, and the entry with eq telnet on the 192.168.1.10 side lets the router 192.168.2.10 in BO1 telnet to the router 192.168.1.10 in the HO

access-list VPNFILTER12 extended permit tcp host 192.168.1.10 host 192.168.2.10 eq telnet

access-list VPNFILTER12 extended permit tcp host 192.168.1.10 eq telnet host 192.168.2.10

This VPNFILTER12 entry allows the router 192.168.1.11 in the HO to telnet to 192.168.2.11 in BO1

access-list VPNFILTER12 extended permit tcp host 192.168.1.11 host 192.168.2.11 eq telnet

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-603.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list nat0

route outside 0.0.0.0 0.0.0.0 10.1.2.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.15 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac

crypto map mymap 2 match address crypto

crypto map mymap 2 set peer 10.1.1.1

crypto map mymap 2 set transform-set transform1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 3600

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

group-policy 10.1.1.1 internal

group-policy 10.1.1.1 attributes

 vpn-filter value VPNFILTER12

username test password P4ttSyrm33SV8TYp encrypted privilege 15

tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 general-attributes

 default-group-policy 10.1.1.1

tunnel-group 10.1.1.1 ipsec-attributes

 pre-shared-key 123456

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

BO1#
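
The VPNFILTER12 entries on the HO and on BO1 are written from opposite perspectives because a vpn-filter ACL is always evaluated with the tunnel's remote side as the source; for connections that leave the local LAN the ASA swaps source and destination before matching. The Python evaluator below is an added example, not part of the post: it encodes both sides' entries (the HO's Router-inside alias resolved to 192.168.1.10) and decides, for a new TCP connection, whether each ASA's filter permits it, which makes it easy to confirm that the two filters agree and that only the intended directions are open. The port-name table, the ephemeral client port 40000 and the helper names are this example's own constructions.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

PORT_NAMES = {"telnet": 23, "www": 80, "ssh": 22}

# Constructed sample: the VPNFILTER12 entries from the HO and BO1 configs in
# this post, with the HO 'name' alias Router-inside resolved to 192.168.1.10.
HO_FILTER = [
    "access-list VPNFILTER12 extended permit tcp host 192.168.2.10 eq telnet host 192.168.1.10",
    "access-list VPNFILTER12 extended permit tcp host 192.168.2.10 host 192.168.1.10 eq telnet",
    "access-list VPNFILTER12 extended permit tcp host 192.168.2.11 eq telnet host 192.168.1.11",
]
BO1_FILTER = [
    "access-list VPNFILTER12 extended permit tcp host 192.168.1.10 host 192.168.2.10 eq telnet",
    "access-list VPNFILTER12 extended permit tcp host 192.168.1.10 eq telnet host 192.168.2.10",
    "access-list VPNFILTER12 extended permit tcp host 192.168.1.11 host 192.168.2.11 eq telnet",
]


class Ace(NamedTuple):
    action: str
    src: str
    sport: Optional[int]   # None means any source port
    dst: str
    dport: Optional[int]   # None means any destination port


# Only the 'tcp host A [eq P] host B [eq P]' form used in the post is handled.
ACE_RE = re.compile(
    r"^access-list \S+ extended (permit|deny) tcp "
    r"host (\S+)(?: eq (\S+))? host (\S+)(?: eq (\S+))?$"
)


def _port(token: Optional[str]) -> Optional[int]:
    if token is None:
        return None
    return PORT_NAMES.get(token) or int(token)


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    action, src, sport, dst, dport = m.groups()
    return Ace(action, src, _port(sport), dst, _port(dport))


def _matches(ace: Ace, src: str, sport: int, dst: str, dport: int) -> bool:
    return (ace.src == src and ace.dst == dst
            and (ace.sport is None or ace.sport == sport)
            and (ace.dport is None or ace.dport == dport))


def vpn_filter_permits(aces: List[Ace], src: str, sport: int, dst: str, dport: int,
                       remote_net: ipaddress.IPv4Network) -> bool:
    """Evaluate a vpn-filter for one new TCP connection. The ACL is written with
    the tunnel's remote side as the source: inbound connections (remote -> local)
    are matched as-is, outbound ones (local -> remote) are matched with source and
    destination swapped. First match wins; no match is an implicit deny."""
    if ipaddress.ip_address(src) not in remote_net:
        src, sport, dst, dport = dst, dport, src, sport
    for ace in aces:
        if _matches(ace, src, sport, dst, dport):
            return ace.action == "permit"
    return False


HO_ACES = [parse_ace(line) for line in HO_FILTER]
BO1_ACES = [parse_ace(line) for line in BO1_FILTER]
HO_REMOTE = ipaddress.ip_network("192.168.2.0/24")   # BO1's LAN, as seen from the HO
BO1_REMOTE = ipaddress.ip_network("192.168.1.0/24")  # HO's LAN, as seen from BO1


def decide_both_ends(src: str, sport: int, dst: str, dport: int) -> Tuple[bool, bool]:
    """(HO decision, BO1 decision) for one connection; it only works if both permit."""
    return (vpn_filter_permits(HO_ACES, src, sport, dst, dport, HO_REMOTE),
            vpn_filter_permits(BO1_ACES, src, sport, dst, dport, BO1_REMOTE))


if __name__ == "__main__":
    for flow in [("192.168.2.10", 40000, "192.168.1.10", 23),
                 ("192.168.1.10", 40000, "192.168.2.10", 23),
                 ("192.168.1.11", 40000, "192.168.2.11", 23),
                 ("192.168.2.11", 40000, "192.168.1.11", 23),
                 ("192.168.2.10", 40000, "192.168.1.10", 80)]:
        print(flow, "->", decide_both_ends(*flow))
```

The fourth flow is the useful negative case: 192.168.2.11 initiating telnet towards 192.168.1.11 is denied by both filters, because the only entry for that pair permits the opposite direction, and the fifth shows that the filters add nothing beyond telnet even though the crypto ACL carries the whole subnet pair.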

 
BO2- ASA

BO2# show run

: Saved

:

ASA Version 8.0(2)

!

hostname BO2

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

 nameif outside

 security-level 0

 ip address 10.1.3.1 255.255.255.0

no shut

 

!

interface Ethernet0/1

 nameif inside

 security-level 100

 ip address 192.168.3.1 255.255.255.0

no shut

 

!

interface Ethernet0/2

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/3

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/4

 shutdown

 no nameif

 no security-level

 no ip address

!

interface Ethernet0/5

 shutdown

 no nameif

 no security-level

 no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list nat0 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list crypto extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list nat0

route outside 0.0.0.0 0.0.0.0 10.1.3.10 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set transform1 esp-aes-192 esp-sha-hmac

crypto map mymap 2 match address crypto

crypto map mymap 2 set peer 10.1.1.1

crypto map mymap 2 set transform-set transform1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 3600

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

!

!

tunnel-group 10.1.1.1 type ipsec-l2l

tunnel-group 10.1.1.1 ipsec-attributes

 pre-shared-key 123456

prompt hostname context

Cryptochecksum:00000000000000000000000000000000

: end

BO2#