! Configure R3 to access Site-To-Site VPN
R3# conf terminal
R3(config)# crypto isakmp policy 1
R3(config-isakmp)# encr aes 256
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)# group 2
R3(config-isakmp)# hash sha
R3(config-isakmp)# exit
R3(config)# crypto isakmp key cisco address 192.168.0.254
R3(config)# crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
R3(cfg-crypto-trans)# exit
R3(config)# ip access-list extended CRYPTO
R3(config-ext-nacl)# permit ip host 3.3.3.3 10.0.0.0 0.0.0.255
R3(config-ext-nacl)# exit
R3(config)# crypto map MAP1 10 ipsec-isakmp
R3(config-crypto-map)# set peer 192.168.0.254
R3(config-crypto-map)# set transform-set ESP-AES-256-MD5
R3(config-crypto-map)# match address CRYPTO
R3(config-crypto-map)# exit
R3(config)# interface Loopback0
R3(config-if)# ip address 3.3.3.3 255.255.255.255
R3(config-if)# interface FastEthernet0/0
R3(config-if)# ip address 192.168.0.3 255.255.255.0
R3(config-if)# no shut
R3(config-if)# crypto map MAP1
! Configure the ASA from ASDM for the Site-to-Site VPN
! Monitor Site-To-Site VPN in ASDM
! Configuration previewed by ASDM before it is applied to the ASA:
access-list ouside_cryptomap line 1 extended permit ip 10.0.0.0 255.255.255.0 host 3.3.3.3
group-policy GroupPolicy-L2L-1 internal
group-policy GroupPolicy-L2L-1 attributes
vpn-tunnel-protocol ikev1
exit
tunnel-group 192.168.0.3 type ipsec-l2l
tunnel-group 192.168.0.3 general-attributes
default-group-policy GroupPolicy-L2L-1
tunnel-group 192.168.0.3 ipsec-attributes
ikev1 pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto ikev1 enable ouside
crypto map ouside_map0 1 match address ouside_cryptomap
crypto map ouside_map0 1 set peer 192.168.0.3
crypto map ouside_map0 1 set ikev1 transform-set ESP-AES-256-MD5
crypto map ouside_map0 interface ouside
R3#ping 10.0.0.1 source 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 40/47/52 ms
R3#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
R3#show crypto ipsec transform-set
Transform set ESP-AES-256-MD5: { esp-256-aes esp-md5-hmac }
will negotiate = { Tunnel, },
R3#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.0.254 192.168.0.3 QM_IDLE 1001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R3#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: MAP1, local addr 192.168.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 192.168.0.254 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.0.3, remote crypto endpt.: 192.168.0.254
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xD0E7B8F4(3504847092)
inbound esp sas:
spi: 0x75EC9F1C(1978441500)
transform: esp-256-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: SW:1, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4577133/3572)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD0E7B8F4(3504847092)
transform: esp-256-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: SW:2, crypto map: MAP1
sa timing: remaining key lifetime (k/sec): (4577133/3571)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
! Logs when you configure Site-to-Site VPN on ASA
%ASA-6-302015: Built inbound UDP connection 203 for ouside:192.168.0.3/500 (192.168.0.3/500) to identity:192.168.0.254/500 (192.168.0.254/500)
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
%ASA-7-715047: IP = 192.168.0.3, processing SA payload
%ASA-7-713906: IP = 192.168.0.3, Oakley proposal is acceptable
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715049: IP = 192.168.0.3, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715049: IP = 192.168.0.3, Received NAT-Traversal ver 03 VID
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715049: IP = 192.168.0.3, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 192.168.0.3, processing IKE SA payload
%ASA-7-715028: IP = 192.168.0.3, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 13
%ASA-7-715046: IP = 192.168.0.3, constructing ISAKMP SA payload
%ASA-7-715046: IP = 192.168.0.3, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 192.168.0.3, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
%ASA-7-715047: IP = 192.168.0.3, processing ke payload
%ASA-7-715047: IP = 192.168.0.3, processing ISA_KE payload
%ASA-7-715047: IP = 192.168.0.3, processing nonce payload
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715049: IP = 192.168.0.3, Received Cisco Unity client VID
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715049: IP = 192.168.0.3, Received DPD VID
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715038: IP = 192.168.0.3, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000f7f)
%ASA-7-715047: IP = 192.168.0.3, processing VID payload
%ASA-7-715049: IP = 192.168.0.3, Received xauth V6 VID
%ASA-7-715047: IP = 192.168.0.3, processing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.0.3, computing NAT Discovery hash
%ASA-7-715047: IP = 192.168.0.3, processing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.0.3, computing NAT Discovery hash
%ASA-7-715046: IP = 192.168.0.3, constructing ke payload
%ASA-7-715046: IP = 192.168.0.3, constructing nonce payload
%ASA-7-715046: IP = 192.168.0.3, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 192.168.0.3, constructing xauth V6 VID payload
%ASA-7-715048: IP = 192.168.0.3, Send IOS VID
%ASA-7-715038: IP = 192.168.0.3, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 192.168.0.3, constructing VID payload
%ASA-7-715048: IP = 192.168.0.3, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: IP = 192.168.0.3, constructing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.0.3, computing NAT Discovery hash
%ASA-7-715046: IP = 192.168.0.3, constructing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.0.3, computing NAT Discovery hash
%ASA-7-713906: IP = 192.168.0.3, Connection landed on tunnel_group 192.168.0.3
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, Generating keys for Responder...
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing ID payload
%ASA-7-714011: Group = 192.168.0.3, IP = 192.168.0.3, ID_IPV4_ADDR ID received 192.168.0.3
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-715076: Group = 192.168.0.3, IP = 192.168.0.3, Computing hash for ISAKMP
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing notify payload
%ASA-6-713172: Group = 192.168.0.3, IP = 192.168.0.3, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
%ASA-7-713906: IP = 192.168.0.3, Connection landed on tunnel_group 192.168.0.3
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing ID payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing hash payload
%ASA-7-715076: Group = 192.168.0.3, IP = 192.168.0.3, Computing hash for ISAKMP
%ASA-7-715034: IP = 192.168.0.3, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing dpd vid payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
%ASA-6-113009: AAA retrieved default group policy (GroupPolicy-L2L-1) for user = 192.168.0.3
%ASA-5-713119: Group = 192.168.0.3, IP = 192.168.0.3, PHASE 1 COMPLETED
%ASA-7-713121: IP = 192.168.0.3, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 192.168.0.3, IP = 192.168.0.3, Starting P1 rekey timer: 82080 seconds.
%ASA-7-746012: user-identity: Add IP-User mapping 192.168.0.3 - LOCAL\192.168.0.3 Succeeded - VPN user
%ASA-7-714003: IP = 192.168.0.3, IKE Responder starting QM: msg id = a0cbd727
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=a0cbd727) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing SA payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing nonce payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing ID payload
%ASA-7-714011: Group = 192.168.0.3, IP = 192.168.0.3, ID_IPV4_ADDR ID received 3.3.3.3
%ASA-7-713025: Group = 192.168.0.3, IP = 192.168.0.3, Received remote Proxy Host data in ID Payload: Address 3.3.3.3, Protocol 0, Port 0
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing ID payload
%ASA-7-714011: Group = 192.168.0.3, IP = 192.168.0.3, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.255.255.0
%ASA-7-713034: Group = 192.168.0.3, IP = 192.168.0.3, Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 192.168.0.3, IP = 192.168.0.3, Static Crypto Map check, checking map = ouside_map0, seq = 1...
%ASA-7-713225: Group = 192.168.0.3, IP = 192.168.0.3, Static Crypto Map check, map ouside_map0, seq = 1 is a successful match
%ASA-7-713066: Group = 192.168.0.3, IP = 192.168.0.3, IKE Remote Peer configured for crypto map: ouside_map0
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing IPSec SA payload
%ASA-7-715027: Group = 192.168.0.3, IP = 192.168.0.3, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 1
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, IKE: requesting SPI!
%ASA-7-715006: Group = 192.168.0.3, IP = 192.168.0.3, IKE got SPI from key engine: SPI = 0xd1c761ae
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, oakley constucting quick mode
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing IPSec SA payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing IPSec nonce payload
%ASA-7-715001: Group = 192.168.0.3, IP = 192.168.0.3, constructing proxy ID
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, Transmitting Proxy Id:
Remote host: 3.3.3.3 Protocol 0 Port 0
Local subnet: 10.0.0.0 mask 255.255.255.0 Protocol 0 Port 0
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-714005: Group = 192.168.0.3, IP = 192.168.0.3, IKE Responder sending 2nd QM pkt: msg id = a0cbd727
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=a0cbd727) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=a0cbd727) with payloads : HDR + HASH (8) + NONE (0) total length : 52
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, loading all IPSEC SAs
%ASA-7-715001: Group = 192.168.0.3, IP = 192.168.0.3, Generating Quick Mode Key!
%ASA-7-715001: Group = 192.168.0.3, IP = 192.168.0.3, Generating Quick Mode Key!
%ASA-5-713049: Group = 192.168.0.3, IP = 192.168.0.3, Security negotiation complete for LAN-to-LAN Group (192.168.0.3) Responder, Inbound SPI = 0xd1c761ae, Outbound SPI = 0x909bd882
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x909BD882) between 192.168.0.254 and 192.168.0.3 (user= 192.168.0.3) has been created.
%ASA-7-715007: Group = 192.168.0.3, IP = 192.168.0.3, IKE got a KEY_ADD msg for SA: SPI = 0x909bd882
%ASA-7-746012: user-identity: Add IP-User mapping 192.168.0.3 - LOCAL\192.168.0.3 Succeeded - VPN user
%ASA-7-746012: user-identity: Add IP-User mapping 3.3.3.3 - LOCAL\192.168.0.3 Succeeded - VPN user
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD1C761AE) between 192.168.0.254 and 192.168.0.3 (user= 192.168.0.3) has been created.
%ASA-7-715077: Group = 192.168.0.3, IP = 192.168.0.3, Pitcher: received KEY_UPDATE, spi 0xd1c761ae
%ASA-7-715080: Group = 192.168.0.3, IP = 192.168.0.3, Starting P2 rekey timer: 3420 seconds.
%ASA-5-713120: Group = 192.168.0.3, IP = 192.168.0.3, PHASE 2 COMPLETED (msgid=a0cbd727)
%ASA-7-609001: Built local-host ouside:3.3.3.3
%ASA-6-302020: Built inbound ICMP connection for faddr 3.3.3.3/1(LOCAL\192.168.0.3) gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302020: Built outbound ICMP connection for faddr 3.3.3.3/1(LOCAL\192.168.0.3) gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/1(LOCAL\192.168.0.3) gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 3.3.3.3/1(LOCAL\192.168.0.3) gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-7-609002: Teardown local-host ouside:3.3.3.3 duration 0:00:02
%ASA-7-715036: Group = 192.168.0.3, IP = 192.168.0.3, Sending keep-alive of type DPD R-U-THERE (seq number 0x1ee2e493)
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=62bcd37d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=1afc32e6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing notify payload
%ASA-7-715075: Group = 192.168.0.3, IP = 192.168.0.3, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x1ee2e493)
! Check Configuration
ASA(config)# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.0.3
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
ASA(config)# show crypto ipsec sa
interface: ouside
Crypto map tag: ouside_map0, seq num: 1, local addr: 192.168.0.254
access-list ouside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 3.3.3.3
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer: 192.168.0.3
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.0.254/0, remote crypto endpt.: 192.168.0.3/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 909BD882
current inbound spi : D1C761AE
inbound esp sas:
spi: 0xD1C761AE (3519504814)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: ouside_map0
sa timing: remaining key lifetime (kB/sec): (4373999/3470)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x909BD882 (2426132610)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: ouside_map0
sa timing: remaining key lifetime (kB/sec): (4373999/3470)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
! Note: SPI = Security Parameters Index
ASA(config)# show run tunnel-group
tunnel-group 192.168.0.3 type ipsec-l2l
tunnel-group 192.168.0.3 general-attributes
default-group-policy GroupPolicy-L2L-1
tunnel-group 192.168.0.3 ipsec-attributes
ikev1 pre-shared-key *****
ASA(config)# show run crypto ! (Configuration By Default)
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map ouside_map0 1 match address ouside_cryptomap
crypto map ouside_map0 1 set peer 192.168.0.3
crypto map ouside_map0 1 set ikev1 transform-set ESP-AES-256-MD5
crypto map ouside_map0 interface ouside
crypto ikev1 enable ouside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
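! Added example, not part of the original lab: a Python audit of the "show run crypto" output above.
! It flags weak IKEv1/ESP parameters and separates transform sets a crypto map applies from ones only defined.
! The weak-algorithm lists are this example's own policy assumptions; the embedded text is an excerpt of the output above.

```python
import re

# Policy thresholds: assumptions of this example, not values stated on the page.
WEAK_DH_GROUPS = {"1", "2", "5"}            # 768/1024/1536-bit MODP groups
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_ESP_TOKENS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}

# Excerpt of the ASA output shown above (sub-commands indented for readability).
SHOW_RUN_CRYPTO = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map ouside_map0 1 match address ouside_cryptomap
crypto map ouside_map0 1 set peer 192.168.0.3
crypto map ouside_map0 1 set ikev1 transform-set ESP-AES-256-MD5
crypto map ouside_map0 interface ouside
crypto ikev1 enable ouside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
"""


def parse_crypto(text):
    """Return (transform_sets, used_sets, policies) parsed from 'show run crypto'."""
    transform_sets, used_sets, policies = {}, {}, {}
    current = None  # IKEv1 policy block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()  # tolerate output whose indentation was lost
        if not line:
            continue
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        m = re.match(r"crypto map (\S+) (\d+) set ikev1 transform-set (.+)", line)
        if m:
            for name in m.group(3).split():
                used_sets.setdefault(name, []).append(f"{m.group(1)} {m.group(2)}")
            current = None
            continue
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        if line.startswith("crypto "):
            current = None  # any other top-level crypto command ends the block
            continue
        if current is not None:
            key, _, value = line.partition(" ")
            if key in POLICY_KEYS:
                current[key] = value.strip()
    return transform_sets, used_sets, policies


def audit(text):
    """Return a list of (severity, message) findings."""
    transform_sets, used_sets, policies = parse_crypto(text)
    findings = []
    for name, tokens in transform_sets.items():
        weak = sorted(WEAK_ESP_TOKENS.intersection(tokens))
        if not weak:
            continue
        if name in used_sets:
            maps = ", ".join(used_sets[name])
            findings.append(("HIGH", f"transform-set {name} ({', '.join(weak)}) "
                                     f"is applied by crypto map {maps}"))
        else:
            findings.append(("INFO", f"transform-set {name} ({', '.join(weak)}) "
                                     f"is defined but not referenced"))
    # Every configured IKEv1 policy is a candidate the ASA may accept from a peer.
    for num in sorted(policies):
        p, reasons = policies[num], []
        if p.get("encryption") in WEAK_IKE_ENCRYPTION:
            reasons.append(f"encryption {p['encryption']}")
        if p.get("hash") in WEAK_IKE_HASH:
            reasons.append(f"hash {p['hash']}")
        if p.get("group") in WEAK_DH_GROUPS:
            reasons.append(f"DH group {p['group']}")
        if reasons:
            findings.append(("HIGH", f"ikev1 policy {num}: " + ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SHOW_RUN_CRYPTO):
        print(f"[{severity}] {message}")
```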
! Check SPI
ASA(config)# show crypto ipsec sa | in spi
current outbound spi: 8735FE5C
current inbound spi : 7D37CB44
spi: 0x7D37CB44 (2100808516)
spi: 0x8735FE5C (2268462684)
R3#show crypto ipsec sa | in spi
current outbound spi: 0x7D37CB44(2100808516)
spi: 0x8735FE5C(2268462684)
spi: 0x7D37CB44(2100808516)
! Start a Telnet connection from outside to inside: from R3 Loopback0 (3.3.3.3) to R1 (10.0.0.1)
R3#telnet 10.0.0.1 /source-interface lo 0
Trying 10.0.0.1 ... Open
R1>show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.0.1 - ca00.0c90.0008 ARPA FastEthernet0/0
Internet 10.0.0.254 188 00ab.f9d5.e201 ARPA FastEthernet0/0
ASA(config)# show local-host all | include ESP
ESP ouside 192.168.0.3 NP Identity Ifc192.168.0.254, idle 0:00:04, bytes 1596
ESP ouside 192.168.0.3 NP Identity Ifc192.168.0.254, idle 0:00:04, bytes 1472
ASA(config)# show local-host all | include :500
UDP ouside 192.168.0.3:500 NP Identity Ifc 192.168.0.254:500, idle 0:00:03, bytes 12016, flags -
UDP ouside 192.168.0.3:500 NP Identity Ifc 192.168.0.254:500, idle 0:00:03, bytes 12016, flags -
ASA(config)# show conn detail | in /23
TCP ouside:3.3.3.3/52106 inside:10.0.0.1/23
! Reset Tunnel
R3#clear crypto isakmp
R3#clear crypto sa
! Logs after removing Site-to-Site VPN Config
%ASA-7-715036: Group = 192.168.0.3, IP = 192.168.0.3, Sending keep-alive of type DPD R-U-THERE (seq number 0x7d46d8ea)
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=c8592144) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=a06902d4) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing notify payload
%ASA-7-715075: Group = 192.168.0.3, IP = 192.168.0.3, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d46d8ea)
%ASA-7-715036: Group = 192.168.0.3, IP = 192.168.0.3, Sending keep-alive of type DPD R-U-THERE (seq number 0x7d46d8eb)
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=c6a023f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=8dd31b3a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing notify payload
%ASA-7-715075: Group = 192.168.0.3, IP = 192.168.0.3, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d46d8eb)
%ASA-6-302014: Teardown TCP connection 164 for ouside:192.168.0.100/49253 to identity:192.168.0.254/443 duration 0:00:44 bytes 536 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49253 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49253 to 192.168.0.254/443 flags RST ACK on interface ouside
%ASA-6-302014: Teardown TCP connection 168 for ouside:192.168.0.100/49256 to identity:192.168.0.254/443 duration 0:00:44 bytes 521 TCP FINs
%ASA-6-302014: Teardown TCP connection 167 for ouside:192.168.0.100/49255 to identity:192.168.0.254/443 duration 0:00:44 bytes 406 TCP FINs
%ASA-7-715036: Group = 192.168.0.3, IP = 192.168.0.3, Sending keep-alive of type DPD R-U-THERE (seq number 0x7d46d8ec)
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=c930eddd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE RECEIVED Message (msgid=d58cba75) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing hash payload
%ASA-7-715047: Group = 192.168.0.3, IP = 192.168.0.3, processing notify payload
%ASA-7-715075: Group = 192.168.0.3, IP = 192.168.0.3, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x7d46d8ec)
%ASA-6-302013: Built inbound TCP connection 173 for ouside:192.168.0.100/49258 (192.168.0.100/49258) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49258 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49258 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49258
%ASA-6-605005: Login permitted from 192.168.0.100/49258 to ouside:192.168.0.254/https for user "admin"
%ASA-5-111007: Begin configuration: 192.168.0.100 reading from http [POST]
%ASA-5-111008: User 'admin' executed the 'no crypto ikev1 enable ouside' command.
%ASA-5-111010: User 'admin', running 'N/A' from IP 192.168.0.100, executed 'no crypto ikev1 enable ouside'
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, IKE SA MM:59e7a730 rcv'd Terminate: state MM_ACTIVE flags 0x0021c042, refcnt 1, tuncnt 1
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, sending delete/delete with reason message
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing IPSec delete payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=6bcb7dca) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, Active unit receives a delete event for remote peer 192.168.0.3.
%ASA-7-715009: Group = 192.168.0.3, IP = 192.168.0.3, IKE Deleting SA: Remote Proxy 3.3.3.3, Local Proxy 10.0.0.0
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, IKE SA MM:59e7a730 terminating: flags 0x0121c002, refcnt 0, tuncnt 0
%ASA-7-713906: Group = 192.168.0.3, IP = 192.168.0.3, sending delete/delete with reason message
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing blank hash payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing IKE delete payload
%ASA-7-715046: Group = 192.168.0.3, IP = 192.168.0.3, constructing qm hash payload
%ASA-7-713236: IP = 192.168.0.3, IKE_DECODE SENDING Message (msgid=4a3907f7) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x75EC9F1C) between 192.168.0.254 and 192.168.0.3 (user= 192.168.0.3) has been deleted.
%ASA-6-602304: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD0E7B8F4) between 192.168.0.3 and 192.168.0.254 (user= 192.168.0.3) has been deleted.
%ASA-5-713259: Group = 192.168.0.3, IP = 192.168.0.3, Session is being torn down. Reason: Unknown
%ASA-7-746013: user-identity: Delete IP-User mapping 192.168.0.3 - LOCAL\192.168.0.3 Failed - VPN user logout
%ASA-7-746013: user-identity: Delete IP-User mapping 3.3.3.3 - LOCAL\192.168.0.3 Succeeded - VPN user logout
%ASA-4-113019: Group = 192.168.0.3, Username = 192.168.0.3, IP = 192.168.0.3, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:11m:19s, Bytes xmt: 400, Bytes rcv: 400, Reason: User Requested
%ASA-7-713906: Ignoring msg to mark SA with dsID 4096 dead because SA deleted
%ASA-7-715077: Pitcher: received key delete msg, spi 0xd0e7b8f4
%ASA-7-715077: Pitcher: received key delete msg, spi 0xd0e7b8f4
%ASA-5-111008: User 'admin' executed the 'clear configure crypto map ouside_map0' command.
%ASA-5-111010: User 'admin', running 'N/A' from IP 192.168.0.100, executed 'clear configure crypto map ouside_map0'
%ASA-7-713906: IKE Receiver ikev1 and ikev2 are disabled on <ouside>
%ASA-5-111008: User 'admin' executed the 'clear configure tunnel-group 192.168.0.3' command.
%ASA-5-111010: User 'admin', running 'N/A' from IP 192.168.0.100, executed 'clear configure tunnel-group 192.168.0.3'
%ASA-5-502112: Group policy deleted: name: GroupPolicy-L2L-1 Type: internal
%ASA-5-111008: User 'admin' executed the 'clear configure group-policy GroupPolicy-L2L-1' command.
%ASA-5-111010: User 'admin', running 'N/A' from IP 192.168.0.100, executed 'clear configure group-policy GroupPolicy-L2L-1'
%ASA-5-111008: User 'admin' executed the 'no access-list ouside_cryptomap line 1 extended permit ip 10.0.0.0 255.255.255.0 host 3.3.3.3' command.
%ASA-5-111010: User 'admin', running 'N/A' from IP 192.168.0.100, executed 'no access-list ouside_cryptomap line 1 extended permit ip 10.0.0.0 255.255.255.0 host 3.3.3.3'
%ASA-6-302014: Teardown TCP connection 173 for ouside:192.168.0.100/49258 to identity:192.168.0.254/443 duration 0:00:00 bytes 250 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49258 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 175 for ouside:192.168.0.100/49259 (192.168.0.100/49259) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49259 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49259 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49259
%ASA-6-605005: Login permitted from 192.168.0.100/49259 to ouside:192.168.0.254/https for user "admin"
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49258 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49259 terminated.
%ASA-6-302014: Teardown TCP connection 175 for ouside:192.168.0.100/49259 to identity:192.168.0.254/443 duration 0:00:00 bytes 3790 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49259 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 177 for ouside:192.168.0.100/49260 (192.168.0.100/49260) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49260 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49260 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49260
%ASA-6-605005: Login permitted from 192.168.0.100/49260 to ouside:192.168.0.254/https for user "admin"
%ASA-6-302014: Teardown TCP connection 177 for ouside:192.168.0.100/49260 to identity:192.168.0.254/443 duration 0:00:00 bytes 277 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49260 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 179 for ouside:192.168.0.100/49261 (192.168.0.100/49261) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49261 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49261 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49261
%ASA-6-605005: Login permitted from 192.168.0.100/49261 to ouside:192.168.0.254/https for user "admin"
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49260 terminated.
%ASA-6-302014: Teardown TCP connection 179 for ouside:192.168.0.100/49261 to identity:192.168.0.254/443 duration 0:00:01 bytes 775 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49261 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 181 for ouside:192.168.0.100/49262 (192.168.0.100/49262) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49262 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49262 request to resume previous session.
%ASA-6-302013: Built inbound TCP connection 182 for ouside:192.168.0.100/49263 (192.168.0.100/49263) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49262
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49263 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49263 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49263
%ASA-6-605005: Login permitted from 192.168.0.100/49263 to ouside:192.168.0.254/https for user "admin"
%ASA-6-605005: Login permitted from 192.168.0.100/49262 to ouside:192.168.0.254/https for user "admin"
%ASA-6-606003: ASDM logging session number 0 from 192.168.0.100 started
%ASA-6-302014: Teardown TCP connection 182 for ouside:192.168.0.100/49263 to identity:192.168.0.254/443 duration 0:00:00 bytes 277 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49263 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 184 for ouside:192.168.0.100/49264 (192.168.0.100/49264) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49264 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49264 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49264
%ASA-6-605005: Login permitted from 192.168.0.100/49264 to ouside:192.168.0.254/https for user "admin"
%ASA-6-302014: Teardown TCP connection 184 for ouside:192.168.0.100/49264 to identity:192.168.0.254/443 duration 0:00:00 bytes 379 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49264 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 186 for ouside:192.168.0.100/49265 (192.168.0.100/49265) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49265 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49265 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49265
%ASA-6-605005: Login permitted from 192.168.0.100/49265 to ouside:192.168.0.254/https for user "admin"
%ASA-6-302014: Teardown TCP connection 186 for ouside:192.168.0.100/49265 to identity:192.168.0.254/443 duration 0:00:00 bytes 379 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49265 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 188 for ouside:192.168.0.100/49266 (192.168.0.100/49266) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49266 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49266 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49266
%ASA-6-605005: Login permitted from 192.168.0.100/49266 to ouside:192.168.0.254/https for user "admin"
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49261 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49263 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49264 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49265 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49266 terminated.
%ASA-6-302014: Teardown TCP connection 188 for ouside:192.168.0.100/49266 to identity:192.168.0.254/443 duration 0:00:00 bytes 3032 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49266 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 190 for ouside:192.168.0.100/49267 (192.168.0.100/49267) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49267 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49267 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49267
%ASA-6-605005: Login permitted from 192.168.0.100/49267 to ouside:192.168.0.254/https for user "admin"
%ASA-6-302014: Teardown TCP connection 190 for ouside:192.168.0.100/49267 to identity:192.168.0.254/443 duration 0:00:00 bytes 277 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49267 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 192 for ouside:192.168.0.100/49268 (192.168.0.100/49268) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49268 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49268 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49268
%ASA-6-605005: Login permitted from 192.168.0.100/49268 to ouside:192.168.0.254/https for user "admin"
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49267 terminated.
%ASA-6-302014: Teardown TCP connection 192 for ouside:192.168.0.100/49268 to identity:192.168.0.254/443 duration 0:00:00 bytes 10678 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49268 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 194 for ouside:192.168.0.100/49269 (192.168.0.100/49269) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49269 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49269 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49269
%ASA-6-605005: Login permitted from 192.168.0.100/49269 to ouside:192.168.0.254/https for user "admin"
%ASA-6-302013: Built inbound TCP connection 195 for ouside:192.168.0.100/49270 (192.168.0.100/49270) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49270 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49270 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49270
%ASA-6-605005: Login permitted from 192.168.0.100/49270 to ouside:192.168.0.254/https for user "admin"
%ASA-5-111008: User 'admin' executed the 'dir disk0:/dap.xml' command.
%ASA-5-111010: User 'admin', running 'CLI' from IP 0.0.0.0, executed 'dir disk0:/dap.xml'
%ASA-6-302014: Teardown TCP connection 195 for ouside:192.168.0.100/49270 to identity:192.168.0.254/443 duration 0:00:00 bytes 361 TCP Reset-O
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.100/49270 to 192.168.0.254/443 flags FIN ACK on interface ouside
%ASA-6-302013: Built inbound TCP connection 197 for ouside:192.168.0.100/49271 (192.168.0.100/49271) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49271 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49271 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49271
%ASA-6-605005: Login permitted from 192.168.0.100/49271 to ouside:192.168.0.254/https for user "admin"
%ASA-6-302013: Built inbound TCP connection 198 for ouside:192.168.0.100/49272 (192.168.0.100/49272) to identity:192.168.0.254/443 (192.168.0.254/443)
%ASA-6-725001: Starting SSL handshake with client ouside:192.168.0.100/49272 for TLSv1 session.
%ASA-6-725003: SSL client ouside:192.168.0.100/49272 request to resume previous session.
%ASA-6-725002: Device completed SSL handshake with client ouside:192.168.0.100/49272
%ASA-6-605005: Login permitted from 192.168.0.100/49272 to ouside:192.168.0.254/https for user "admin"
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49268 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49269 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49270 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49271 terminated.
%ASA-6-725007: SSL session with client ouside:192.168.0.100/49272 terminated.
%ASA-4-711004: Task ran for 104 msec, Process = Unicorn Admin Handler, PC = 8ec5773, Call stack = 0x08ec59da 0x095a78d8 0x08b7d704 0x0854d4b3 0x08bd9f5f 0x08bd9f8c 0x08a73645 0x08a6c00b 0x08b7ce53 0x08b7cefd 0x0848b19c 0x084858bc 0x08485cdc 0x08486006
%ASA-4-711004: Task ran for 70 msec, Process = Unicorn Admin Handler, PC = 8ec5773, Call stack =