Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ASA1# show ipsec sa peer 1.2.3.4
- peer address: 1.2.3.4
- Crypto map tag: OUTSIDE_map, seq num: 1, local addr: 9.8.7.6
- access-list OUTSIDE_cryptomap_2 extended permit ip 192.168.242.0 255.255.255.0 192.168.244.0 255.255.255.0
- local ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
- remote ident (addr/mask/prot/port): (192.168.244.0/255.255.255.0/0/0)
- current_peer: 1.2.3.4
- #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
- #pkts decaps: 1428, #pkts decrypt: 1428, #pkts verify: 1428
- #pkts compressed: 0, #pkts decompressed: 0
- #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
- #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
- #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
- #TFC rcvd: 0, #TFC sent: 0
- #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
- #send errors: 0, #recv errors: 0
- local crypto endpt.: 9.8.7.6/500, remote crypto endpt.: 1.2.3.4/500
- path mtu 1500, ipsec overhead 55(36), media mtu 1500
- PMTU time remaining (sec): 0, DF policy: copy-df
- ICMP error validation: disabled, TFC packets: disabled
- current outbound spi: CB3A6309
- current inbound spi : 5E3D8A13
- inbound esp sas:
- spi: 0x5E3D8A13 (1581091347)
- transform: esp-aes-gcm-256 esp-null-hmac no compression
- in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
- slot: 0, conn_id: 167936, crypto-map: OUTSIDE_map
- sa timing: remaining key lifetime (sec): 2676
- IV size: 8 bytes
- replay detection support: Y
- Anti replay bitmap:
- 0xFFFFFFFF 0xFFFFFFFF
- outbound esp sas:
- spi: 0xCB3A6309 (3409601289)
- transform: esp-aes-gcm-256 esp-null-hmac no compression
- in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
- slot: 0, conn_id: 167936, crypto-map: OUTSIDE_map
- sa timing: remaining key lifetime (sec): 2676
- IV size: 8 bytes
- replay detection support: Y
- Anti replay bitmap:
- 0x00000000 0x00000001
- 939: 20:11:44.438591 0023.ab3f.8255 24e9.b315.cddf 0x0800 Length: 89
- 192.168.244.114.51353 > 192.168.242.200.53: [no cksum] udp 47 [tos 0x10] (ttl 63, id 8826) Drop-reason: (acl-drop) Flow is denied by configured rule
- ASA1# show running-config crypto map
- crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2
- crypto map OUTSIDE_map 1 set pfs group14
- crypto map OUTSIDE_map 1 set peer 1.2.3.4
- crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AESGCM
- crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
- crypto map OUTSIDE_map 1 set nat-t-disable
- crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_3
- crypto map OUTSIDE_map 2 set pfs group14
- crypto map OUTSIDE_map 2 set peer 5.6.7.8
- crypto map OUTSIDE_map 2 set ikev2 ipsec-proposal AESGCM
- crypto map OUTSIDE_map 2 set security-association lifetime seconds 3600
- crypto map OUTSIDE_map 2 set nat-t-disable
- crypto map OUTSIDE_map interface OUTSIDE
- ASA1# show running-config access-list OUTSIDE_cryptomap_2
- access-list OUTSIDE_cryptomap_2 extended permit ip object NOC-network object Victoria-network
- ASA1# show running-config access-list OUTSIDE_cryptomap_3
- access-list OUTSIDE_cryptomap_3 extended permit ip object NOC-network object Toronto-network
- ASA1# show running-config nat
- nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Victoria-network Victoria-network no-proxy-arp route-lookup
- nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Toronto-network Toronto-network no-proxy-arp route-lookup
- ASA1# show running-config tunnel-group
- tunnel-group 1.2.3.4 type ipsec-l2l
- tunnel-group 1.2.3.4 general-attributes
- default-group-policy GroupPolicy_Victoria
- tunnel-group 1.2.3.4 ipsec-attributes
- ikev1 pre-shared-key *****
- ikev2 remote-authentication pre-shared-key *****
- ikev2 local-authentication pre-shared-key *****
- tunnel-group 5.6.7.8 type ipsec-l2l
- tunnel-group 5.6.7.8 general-attributes
- default-group-policy GroupPolicy_Toronto
- tunnel-group 5.6.7.8 ipsec-attributes
- ikev1 pre-shared-key *****
- isakmp keepalive threshold 15 retry 2
- ikev2 remote-authentication pre-shared-key *****
- ikev2 local-authentication pre-shared-key *****
- ASA1# show running-config crypto ikev2
- crypto ikev2 policy 2
- encryption aes-gcm-256
- integrity null
- group 21 24
- prf sha512
- lifetime seconds 28800
- crypto ikev2 policy 3
- encryption aes-256
- integrity sha512
- group 21 24
- prf sha512
- lifetime seconds 28800
- crypto ikev2 enable OUTSIDE
- ASA1# show running-config crypto ipsec
- crypto ipsec ikev2 ipsec-proposal AES256-SHA512
- protocol esp encryption aes-256
- protocol esp integrity sha-512
- crypto ipsec ikev2 ipsec-proposal AESGCM
- protocol esp encryption aes-gcm-256
- protocol esp integrity sha-512
- crypto ipsec ikev2 sa-strength-enforcement
- crypto ipsec security-association pmtu-aging infinite
- #ASA1 show running-config all sysopt
- no sysopt traffic detailed-statistics
- no sysopt connection timewait
- sysopt connection tcpmss 1380
- sysopt connection tcpmss minimum 0
- sysopt connection permit-vpn
- sysopt connection reclassify-vpn
- no sysopt connection preserve-vpn-flows
- no sysopt radius ignore-secret
- no sysopt noproxyarp OUTSIDE
- no sysopt noproxyarp INSIDE
- no sysopt noproxyarp DMZ1
- no sysopt noproxyarp management
- in id=0x7fff370d6450, priority=70, domain=ipsec-tunnel-flow, deny=false
- hits=17302, user_data=0x8e0d6a4, **cs_id=0x7fff36c15af0**, reverse, flags=0x0, protocol=0
- src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
- dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
- input_ifc=outside, output_ifc=any
- in id=0x7fff3d48dda0, priority=70, domain=ipsec-tunnel-flow, deny=false
- hits=0, user_data=0xaaf9b0c, **cs_id=0x7fff38d9d080**, reverse, flags=0x0, protocol=0
- src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
- dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
- input_ifc=outside, output_ifc=any
Add Comment
Please, Sign In to add comment
