Cisco ASA 5520
Application Notes for Configuring a Site-to-Site IPsec VPN Tunnel between a Cisco ASA5520 and a NETGEAR FVS338 in Support of the Avaya A175 Desktop Video Device and Multi-modal Communication Issue 1.1
Abstract
These Application Notes describe the necessary steps to configure a Site-to-Site IPsec VPN tunnel between a Cisco ASA5520 and a NETGEAR FVS338. The Cisco device is representative of a VPN gateway located at a Corporate Data Center while the NETGEAR was used to represent the Home Office user. The VPN tunnel is expected to be able to support multi-modal communication between an Avaya A175 Desktop Video Device on one end of the tunnel and various Avaya endpoints and services at the other end of the tunnel. The endpoints include additional A175DVDs, Avaya one-X Communicator (SIP & H.323 versions) and the 9600 one-X Deskphone SIP Edition. Services that are supplied at the corporate location included Call Processing, SIP routing, Conferencing, Voice Messaging, and Presence.
Solution & Interoperability Test Lab Application Notes 2011 Avaya Inc. All Rights Reserved.
1 of 47 ASA5520FVS338
5. Administer Avaya Aura Communication Manager ................ 12
   5.1. Verify Network Region for SIP Signaling Group ......... 12
   5.2. Administer IP Network Map ............................. 12
   5.3. Administer IP Network Regions ......................... 13
        5.3.1. Administer IP Network Region 1 ................. 13
        5.3.2. Administer IP Network Regions 2 and 3 .......... 14
   5.4. Administer IP Codec Sets .............................. 15
6. Configure the Cisco ASA5520 ................................ 16
   6.1. Configure Ethernet Interfaces ......................... 16
   6.2. Configure the VPN Tunnel .............................. 19
   6.3. Configure Routing ..................................... 24
   6.4. Configure Firewall Rules .............................. 27
   6.5. Save Cisco ASA5520 Configuration ...................... 29
7.
8.
9.
1. Introduction
These Application Notes describe the necessary steps to set up a Site-to-Site IPsec VPN tunnel between a Cisco ASA5520 and a NETGEAR FVS338. The Cisco device is representative of a VPN gateway located at a Corporate Data Center while the NETGEAR represents the Home Office user. The VPN tunnel is expected to be able to support multi-modal communication between an Avaya A175 Desktop Video Device on one end of the tunnel and various Avaya endpoints and services at the other end of the tunnel. These endpoints include additional A175DVDs, Avaya one-X Communicator (SIP & H.323 versions) and the Avaya one-X Deskphone SIP for 9600 Series IP Telephones. Services supplied at the corporate location include Call Processing, SIP routing, Conferencing, Voice Messaging, and Presence. These Application Notes are written from the perspective that many of the basic installation steps for an Avaya Aura Solution have already been completed. They are intended specifically to illustrate the addition of an IPsec VPN tunnel to an existing solution. If attempting to install all the components in the solution, it is strongly recommended to download and review each of the documents listed in Section 12.
Figure 1
Hardware Component                               Software Version
Avaya A175 Desktop Video Device                  1.0.0.002775
Avaya S8800 Server                               Avaya Aura Session Manager 6.0 SP1
                                                 Avaya Aura System Manager 6.0 SP2
                                                 Avaya Aura Presence Services 6.0 SP2
                                                 Avaya Aura Conferencing 6.0
Avaya S8300D Server                              Avaya Aura Communication Manager 6.0 SP2 (2372), Evolution Server
Avaya one-X 9630 IP Telephone (SIP)              2.6 SP4
Avaya one-X Communicator on Windows XP           6.0.1 SP1 (SIP)
Avaya one-X Communicator on Windows XP           6.0.1 SP1 (H.323)
Logitech USB Camera                              Communicate STX
Cisco Adaptive Security Appliance (ASA) 5520     8.2(3)
Cisco Adaptive Security Device Manager (ASDM)    6.3(1)
NETGEAR FVS338 ProSafe VPN Firewall Router       3.0.6-25
3. Observed Limitations
1. Because of the limited DHCP option settings on the NETGEAR FVS338, it is not possible to set the HTTP server value on the A175DVD via DHCP SSON (option 242). Therefore it is necessary to set this parameter manually. See Section 12, Reference [5], for more information on this topic.
2. Using Communication Manager's Call Admission Control (CAC) feature to limit video bandwidth utilization proved to be somewhat unpredictable. Avaya Aura Session Manager 6.1 provides better tools for managing video and audio bandwidth utilization across multiple locations than what is offered in release 6.0.
The main menu of the System Manager Graphical User Interface is displayed in the following screenshot.
Under the Identity section for the SIP User in the following screenshot, the Login Name was set to 6601000@avaya.com. The Authentication Type was set to Basic. The SMGR Login Password was set to the login password of the Session Manager. The Shared Communication Profile Password was set to 123456 (not shown); this is the password the A175DVD uses to log in to Session Manager, and a value this short is suitable only for a lab.
Expand the Communication Profile heading and set the Name to Primary. Enable the Default setting. Under Communication Address select the New button and add two addresses: 1) For the first address, Type was set to Avaya SIP and the Fully Qualified Address was set to the same value as the extension. 2) A second address of type Avaya E.164 was added in support of Presence Services Buddy Lists; the handle +13036601000 is in E.164 format and the domain is avaya.com. See Section 12, Reference [7], for more information.
Next, expand the Session Manager Profile heading and select the checkbox. The Primary Session Manager was set to SM1 as shown below. This equates to the Session Manager SIP entity. A secondary Session Manager could also be set to support failover. The Origination and Termination Application Sequence was set to an existing Sequenced Application called S8300-CM6ES-Video-Seq-App. This is the Communication Manager Application Sequence name. From the drop-down set the Home Location to the one created in Section 4.2.
In order for the Station Profile template information to be pushed from the Session Manager down to the Communication Manager, enable the Endpoint Profile box. The System was set to the already administered Communication Manager instance called S8300-CM6_ES_Vid. This is the Managed Entity Name. The Extension was set to 6601000 and the Template was set to DEFAULT_9640SIP_CM_6_0. The Port is initially set to IP (though as shown below this screen will later show the actual IP port being used by Communication Manager).
Select the Endpoint Editor button (shown above) and a new screen will appear. Scroll down to the section titled Feature Options and ensure that IP Softphone and IP Video Softphone are checked.
Scroll down to the section titled Button Assignment and expand it by selecting the icon (it may take a few seconds for the button fields to appear). By default there will already be three buttons labeled as call-appr. From the drop-down, assign this same value to buttons 4 & 5 as shown below.
Select the Done button (not shown) to return to the SIP User page. Then select the Commit button (not shown) to complete administration of the SIP User.
Far-end Node Name: ASM1
Far-end Listen Port: 5061
Far-end Network Region: 1
Far-end Domain: avaya.com
Incoming Dialog Loopbacks: eliminate
DTMF over IP: rtp-payload
Session Establishment Timer (min): 3
Enable Layer 3 Test? n
H.323 Station Outgoing Direct Media? n
Bypass If IP Threshold Exceeded? n
RFC 3389 Comfort Noise? n
Direct IP-IP Audio Connections? y
IP Audio Hairpinning? n
Initial IP-IP Direct Media? n
Alternate Route Timer (sec): 6
On Page 4 ensure that ip-network-region 1 is connected to ip-network-region 2 and region 3 and that ip-codec-set 2 is used for calls between the regions. In addition, notice below that WAN bandwidth limits are set for calls to each of these regions. In a production environment there is often a limited amount of bandwidth available on an Internet VPN connection. Without setting a limit here, an A175DVD-to-A175DVD video call can use as much as 4 Mbits of bandwidth. As shown below, calls from region 1 to region 2 or region 3 cannot use more than 1024 Kbits of bandwidth, with normal video limited to 256 Kbits and priority video limited to 512 Kbits.
change ip-network-region 1                                        Page 4 of 20
Source Region: 1    Inter Network Region Connection Management        I      M
                                                                      G      t
dst codec direct   WAN-BW-limits     Video      Intervening    Dyn    A      c
rgn set   WAN    Units  Total Norm Prio Shr     Regions        CAC    R  AGL e
 1   1                                                                   all
 2   2    y      Kbits  1024  256  512  y                             n      t
 3   2    y      Kbits  1024  256  512  y                             n      t
On Page 4 connect ip-network-region 2 to region 3 as shown below. Use the same bandwidth settings as shown in Section 5.3.1.
change ip-network-region 2                                        Page 4 of 20
Source Region: 2    Inter Network Region Connection Management        I      M
                                                                      G      t
dst codec direct   WAN-BW-limits     Video      Intervening    Dyn    A      c
rgn set   WAN    Units  Total Norm Prio Shr     Regions        CAC    R  AGL e
 1   2    y      Kbits  1024  256  512  y                             n      t
 2   1                                                                   all
 3   2    y      Kbits  1024  256  512  y                             n      t
On Page 2 set Allow Direct-IP Multimedia to y. For the sample configuration a Maximum Call Rate of 15360 Kbits (the maximum value) was set. While these fields can be used to limit the amount of bandwidth consumed by a call that stays within a given ip-network-region, the inter-region bandwidth limits configured in Sections 5.3.1 and 5.3.2 already cap the calls that cross the VPN, so it is not necessary to do that here. For ip-codec-set 1 this value was also set to 15360 Kbits (not shown).
change ip-codec-set 2                                              Page 2 of 2
                          IP Codec Set
                              Allow Direct-IP Multimedia? y
            Maximum Call Rate for Direct-IP Multimedia: 15360:Kbits
   Maximum Call Rate for Priority Direct-IP Multimedia: 15360:Kbits
                    Mode                 Redundancy
    FAX             relay                0
    Modem           off                  0
    TDD/TTY         US                   3
    Clear-channel   n                    0
Click the OK button when complete.
2) Repeat step 1 for the inside interface, GigabitEthernet 0/3:
   Interface Name: Inside
   Security Level: 100
   Enable interface: select the checkbox
   Use Static: select this radio button
   IP Address: 10.80.100.9
   Subnet Mask: 255.255.255.0
3) Once the interfaces have been configured select the two check boxes at the bottom of the screen as shown below and click the Apply button.
2) In the next screen that appears select the Site-to-Site radio button and appropriate interface from the drop-down list next to VPN Tunnel Interface. For the sample configuration this is the Outside interface defined in Section 6.1.
NHK; Reviewed: SPOC 2/8/2011
Note: For the sake of simplicity, the checkbox next to Enable Inbound IPsec sessions to bypass. (the option that lets decrypted tunnel traffic bypass the interface access lists) was checked. With this option set, packets arriving through the tunnel are not evaluated against the Outside interface ACL, so every host on the home-office LAN can reach the corporate network without restriction. For security reasons, a more advanced administrator may prefer to uncheck this box and permit the tunnel traffic explicitly in the Access Control Lists (ACLs).
Select the Next > button. 3) In the Peer IP Address field, enter the WAN interface address of the NETGEAR FVS338, which will be defined in Section 7. In the Pre-Shared Key field enter the key that will be used to authenticate the tunnel. Make a note of this key, as the identical value must be entered on the FVS338 in Section 7. The pre-shared key is the only thing authenticating the peer, so for a production deployment choose a long, randomly generated key rather than a memorable password.
Select the Next > button. 4) Set the IKE policy. In the sample configuration the default values were used; as the running configuration in the appendix shows, this produced an ISAKMP policy of 3DES encryption, SHA-1 hash, Diffie-Hellman group 2 and a lifetime of 86400 seconds. These defaults were kept for interoperability with the FVS338; where both peers support it, AES and a larger Diffie-Hellman group are preferable.
5) Set the IPsec Rule. In the sample configuration only the Diffie-Hellman Group value (the Perfect Forward Secrecy group for the IPsec security association) was changed from its default of 1 to 2, which matches the default value used on the NETGEAR FVS338. The encryption and authentication defaults were kept, which gives the ESP-3DES-SHA transform set shown in the appendix. Both peers must agree on this group or Phase 2 negotiation will fail even though Phase 1 succeeds.
6) Configure Hosts and Networks. For Local Networks use the network address associated with the inside interface of the ASA5520; for the sample configuration 10.80.0.0/16 was used. For the Remote Networks use the WAN interface address 11.1.1.10 and the inside network 192.168.0.0/24 of the NETGEAR FVS338 defined in Section 7. These two lists become the crypto access list (Outside_1_cryptomap in the appendix) that selects which traffic is encrypted; the mirror image of it must be configured on the FVS338.
Select the Next > button. 7) Cisco ASDM displays a summary of the configuration. Select the Finish button (not shown) to complete the VPN configuration.
2) Enter the following values for traffic destined for the VPN tunnel (the home-office LAN behind the FVS338):
   Interface: Outside
   IP Address: 192.168.0.0
   Mask: 255.255.255.0
   Gateway IP: 11.1.1.10
   Metric: 1 (the default value)
3) Select the Add button and enter the following values for all other traffic, destined for the Corporate LAN/WAN. This is the Default Route.
   Interface: Inside
   IP Address: 0.0.0.0
   Mask: 0.0.0.0
   Gateway IP: 10.80.100.1
   Metric: 1 (the default value)
4) Once all Static Routes have been added select the Apply button at the bottom of the screen.
For the sample configuration two rules, an incoming rule and an outgoing rule, were added for each of the Inside and Outside interfaces defined in Section 6.1. To add these rules, in ASDM navigate to Configuration > Firewall > Access Rules. A screen similar to that shown above will appear.
1) Begin by selecting one of the existing Implicit Rules for either the Inside or Outside interface (do not select the IPv6 rules) so that it is highlighted in blue. Then from the top of the screen select the Add button followed by Add Access Rule from the drop-down. In the window that appears expand the More Options field and fill in the following information:
   Interface: already selected; indicates which interface the rule will be applied to
   Action: Permit
   Source: any
   Destination: any
   Service: ip, icmp
   Description: optional field to record additional information
   Enable Logging: check this box to log traffic that is allowed by this rule
   Logging Level: leave this at Default unless troubleshooting
   Enable Rule: check the box to ensure the rule is active
   Traffic Direction: default is In
Click the OK button when complete.
2) As shown above, an incoming rule to allow IP and ICMP on the Inside interface was created. Next create an identical rule, but select Out for Traffic Direction.
3) Repeat steps 1 and 2 for the Outside interface.
4) Once all four rules have been created select the Apply button to submit the new rules to the ASA5520.
Note that permit ip any any in both directions on both interfaces leaves nothing for the firewall to block; it is acceptable for an interoperability lab but not for production, where the Outside rules should be narrowed to the remote LAN (192.168.0.0/24) and to the signaling and media services the A175DVD actually needs.
2. Configure the IP address of the WAN interface. Select Network Configuration > WAN Settings > Broadband ISP Settings from the top menu bar. Scroll down to the section titled Internet (IP) Address and assign IP address 11.1.1.10 with an IP Subnet Mask of 255.255.255.0 and a Gateway IP address of 11.1.1.11 (the Outside interface of the ASA5520) for the WAN interface of the NETGEAR FVS338.
Begin the VPN tunnel configuration by selecting VPN > VPN Wizard. In the screen that appears next, the following values were used to create the sample configuration VPN tunnel:
   This VPN tunnel will connect to the following peers: Gateway
   What is the new connection name? Cisco4
   What is the pre-shared key? interop123 (sample value; it must be identical to the key entered on the ASA5520 in Section 6.2)
   This VPN tunnel will use the following local WAN interface: Broadband
   What is the Remote WAN's IP Address or Internet Name? 11.1.1.11 (the Outside interface on the ASA5520)
   What is the Local WAN's IP Address or Internet Name? 11.1.1.10 (the Internet address of the FVS338)
   What is the remote LAN IP Address? 10.80.0.0 (the Inside network on the ASA5520)
   What is the remote LAN Subnet Mask? 255.255.0.0
3) Scroll down and select the Edit link in row titled Connection Manager.
4) In the screen that appears next verify that in the upper right corner the Configuration view is set to advanced (not shown). Then scroll down to the section titled Connection Manager Configuration. Select the Details link in the existing Command Processor as highlighted below.
5) In the screen that appears next select the Details link for each of the XMPP Directors as shown below.
6) For each XMPP Director shown above, select the checkbox next to Keepalive Interval and enter a value for Number of seconds after which a keep-alive is sent from the director to the client. A value of 120 is sufficient to keep the TCP connection to port 5222 active, so that it is not dropped by an idle timeout on the firewalls in the path, even when no instant messages are being sent or received by the A175DVD.
7) Be sure to set the keep-alive for each XMPP Director listed in Step 5 above. After setting this value, scroll down to the bottom of the screen and click the Select button (not shown). Then select the Submit button on each screen until returning to the main XCP Controller page. 8) Once at the main XCP Controller page select the Apply link for the Connection Manager followed by the Stop link as shown below.
9) Wait for the Connection Manager status to change to Stopped and select the Start link. The service should once again show a status of Running (not shown). Press F5 to refresh the browser if the service does not appear as Running after a few seconds.
2) From the FVS338 web admin page navigate to VPN > Connection Status. As shown below, the VPN Connection Status shows that the IPsec tunnel is established.
3) From the FVS338 web admin page navigate to Monitoring > Diagnostics and enter an IP address to ping. If the tunnel is functional this should succeed for an IP address on the Corporate LAN/WAN side of the tunnel (note that Ping through VPN tunnel is checked).
2) Another useful tool available in ASDM is the Real-Time Log Viewer. To access it, in ASDM navigate to Monitoring > Logging > Real-Time Log Viewer. In the screen that appears select Debugging from the drop-down next to Logging Level, then select the View button (not shown). As shown below, the Real-Time Log Viewer in debug mode displays information about all IP conversations passing through the ASA5520; the screenshot shows some of the packets exchanged to establish the IPsec VPN tunnel. Selecting a row in the log viewer displays additional information about that log entry in the lower half of the split window. Debug-level logging is verbose and should be turned back down once troubleshooting is complete.
10. Validation
The following validation steps were tested using the sample configuration and can be used to verify an installation in the field.
1. Verify on both the FVS338 and ASA5520 that the VPN tunnel has been successfully established.
2. Verify that the Avaya A175 Desktop Video Device, extension 6601000, located at the Home Office boots up, receives an IP address from the FVS338 and is able to register to Session Manager across the VPN tunnel (with manual configuration of the HTTP server, see Section 3).
3. Verify an audio call can be made with clear audio between the A175DVDs located at each end of the VPN tunnel. Verify the call is active on the SIP trunk within Communication Manager.
4. Verify a video call can be made with clear audio and video between A175DVD stations located at each end of the VPN tunnel. Verify the call is active on the SIP trunk within Communication Manager.
5. Verify the bandwidth limits set on the ip-network-region form (Section 5.3) are honored for voice and video calls.
6. Verify audio and video between the A175DVD at the Home Office location and one-X Communicator at the Corporate LAN/WAN location.
7. Verify supplementary features such as Call Hold, Call Forward, Conference and Transfer can be completed between the Avaya Desktop Video Devices. Verify Presence status updates for Contacts in the Buddy List when those contacts' Presence status changes (off-hook, manually made unavailable, etc.).
8. Verify instant messages can be sent back and forth between two A175DVDs, and between an A175DVD and one-X Communicator, across the VPN tunnel.
9. Verify conferencing reservations are created on the Avaya Aura Conferencing server the first time a new A175DVD logs in from the Home Office.
10. Verify ad-hoc audio and video conferences can be created between the A175DVD at the Home Office and endpoints located at the Corporate LAN/WAN.
11. Conclusion
These Application Notes have described the basic administration steps required to create a Site-to-Site IPsec VPN tunnel between a Cisco ASA5520 and a NETGEAR FVS338 in support of an Avaya A175 Desktop Video Device located at a remote location at the far end of the VPN tunnel. While the sample configuration uses a very basic setup, it should provide the basis for configuring a similar setup in a production environment.
[2] Installing Avaya Aura Session Manager, January 2010. Doc ID 03-603473
[3] Administering Avaya Aura Communication Manager Server Options, June 2010. Doc ID 03-603479
[4] Administering Avaya Aura System Manager, June 2010.
[5] Application Notes for Configuring Avaya Desktop Video Device to connect to Avaya Aura Session Manager with Avaya Aura Communication Manager as an Evolution Server, Issue 1.0
[6] Application Notes for Configuring Avaya Desktop Video Device to connect to Avaya Aura Session Manager with Avaya Aura Communication Manager as a Feature Server, Issue 1.0
[7] Administering Avaya Aura Presence Services 6.0, Issue 1, August 2010.
[8] Troubleshooting Avaya Aura Presence Services 6.0, August 2010.
[9] Implementing Avaya Aura Conferencing, Issue 1. Doc ID 04-603508
Cisco Documentation
Additional Cisco product documentation is available at http://www.cisco.com.
[10] Cisco ASA 5500 Series Getting Started Guide, Software Version 8.0. DOC-78-1800201
[11] Cisco ASA 5500 Series Configuration Guide using ASDM, Software Version 6.3 (online only)
[12] Release Notes for Cisco ASDM 6.2(x). http://www.cisco.com/en/US/docs/security/asa/asa83/asdm63/release/notes/asdmrn63.html
NETGEAR Documentation
Additional NETGEAR product documentation is available at http://www.netgear.com.
[13] ProSafe VPN Firewall 50 FVS338 Reference Manual, v1.0. Doc 202-10046-09
network-object 192.168.0.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_2
 network-object host 12.1.1.10
 network-object 192.168.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_5
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_6
 protocol-object ip
 protocol-object icmp
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 any any
access-list Outside_access_out extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-list Inside_access_out extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list Outside_1_cryptomap extended permit ip 10.80.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_1
access-list Inside_nat0_outbound extended permit ip 10.80.0.0 255.255.0.0 host 11.1.1.10
access-list Inside_nat0_outbound extended permit ip 10.80.0.0 255.255.0.0 object-group DM_INLINE_NETWORK_2
access-list Outside2_access_out extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list Outside2_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any inactive
pager lines 24
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu management 1500
mtu Outside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
nat (Inside) 0 access-list Inside_nat0_outbound
nat (management) 0 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
access-group Outside2_access_in in interface Outside2
access-group Outside2_access_out out interface Outside2
route Inside 0.0.0.0 0.0.0.0 10.80.100.1 1
route Outside 192.168.0.0 255.255.255.0 11.1.1.10 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.80.0.0 255.255.0.0 Inside
http 192.45.130.0 255.255.255.0 Inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer 11.1.1.10
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Outside2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.80.0.0 255.255.0.0 Inside
telnet 192.45.130.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.80.111.30 source Inside prefer
ntp server 10.80.60.2 source Inside
webvpn
tunnel-group 11.1.1.10 type ipsec-l2l
tunnel-group 11.1.1.10 ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:daccfab0bf83f1069f7546b13ae47662
: end
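The ISAKMP policy, transform set, crypto map and interface access lists in the listing above are the items to check first when a tunnel like this one moves from the lab to production. The following Python script is an added example; it is not part of the Application Notes and not a Cisco or Avaya tool. It parses those lines out of an ASA 8.x running-config and reports the settings the sample configuration leaves at their legacy defaults (3DES, Diffie-Hellman group 2, 'set pfs' with no group, permit ip any any rules bound to interfaces, Telnet management access), then runs the same audit over a hardened variant. Both configuration strings are constructed: LAB_CONFIG is abridged from the listing above, and HARDENED_CONFIG is an assumed corrected version that presumes the ASA release in use offers aes-256 and Diffie-Hellman group 14 (verify against the target release before copying it). The rule that 'set pfs' with no group means group2 follows the ASA command reference.

```python
# Audit an ASA 8.x running-config for legacy IPsec and firewall settings.
# Added example, not from the Application Notes or from a Cisco tool.  Both
# configs are constructed: LAB_CONFIG is abridged from the appendix listing,
# HARDENED_CONFIG is an assumed fix (presumes aes-256 and DH group 14 exist).
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

LAB_CONFIG = """\
access-list Outside_access_in extended permit object-group DM_INLINE_PROTOCOL_6 any any
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_5 any any
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
telnet 10.80.0.0 255.255.0.0 Inside
"""

HARDENED_CONFIG = """\
access-list Inside_access_in extended permit ip 10.80.0.0 255.255.0.0 192.168.0.0 255.255.255.0
access-group Inside_access_in in interface Inside
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map Outside_map 1 set pfs group14
crypto map Outside_map 1 set transform-set ESP-AES256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
ssh 10.80.100.0 255.255.255.0 Inside
"""

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH = {"1", "2"}  # 768-bit and 1024-bit MODP groups
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac"}


def parse_isakmp_policies(cfg: str) -> Dict[str, Dict[str, str]]:
    """priority -> {attribute: value}, read from the indented lines under each header."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in cfg.splitlines():
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any unindented line closes the policy block
    return policies


def parse_crypto_map_entries(cfg: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """(map, seq) -> {'pfs': group, or '' when no group was given; 'peer': ip; ...}."""
    entries: Dict[Tuple[str, str], Dict[str, str]] = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) set (\S+)(?: (.+))?$", cfg, re.M):
        entries.setdefault((m.group(1), m.group(2)), {})[m.group(3)] = m.group(4) or ""
    return entries


def audit(cfg: str) -> List[Finding]:
    f: List[Finding] = []
    for prio, a in parse_isakmp_policies(cfg).items():
        if a.get("encryption") in WEAK_ENC:
            f.append(("high", f"isakmp policy {prio}: encryption {a['encryption']} is legacy; use aes-256"))
        if a.get("hash") in WEAK_HASH:
            f.append(("high", f"isakmp policy {prio}: hash {a['hash']} is broken"))
        if a.get("group") in WEAK_DH:
            f.append(("high", f"isakmp policy {prio}: DH group {a['group']} is <=1024-bit; use group 14 or larger"))
        if a.get("authentication") == "pre-share":
            f.append(("info", f"isakmp policy {prio}: pre-shared key auth; key must be long, random and per-peer"))
    for name, transforms in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        weak = sorted(set(transforms.split()) & WEAK_ESP)
        if weak:
            f.append(("high", f"transform-set {name}: weak transform(s) {', '.join(weak)}"))
    for (cmap, seq), a in parse_crypto_map_entries(cfg).items():
        if "pfs" not in a:
            f.append(("medium", f"crypto map {cmap} {seq}: PFS not enabled"))
        elif a["pfs"] == "":  # ASA applies group2 when 'set pfs' names no group
            f.append(("medium", f"crypto map {cmap} {seq}: 'set pfs' without a group means group2; set group14 or larger"))
    # A bound interface ACL that permits everything disables filtering on that interface.
    bound = dict(re.findall(r"^access-group (\S+) ((?:in|out) interface \S+)$", cfg, re.M))
    for name, proto in re.findall(r"^access-list (\S+) extended permit (.+?) any any$", cfg, re.M):
        if name in bound:
            f.append(("high", f"access-list {name} ({bound[name]}): permit {proto} any any"))
    for m in re.finditer(r"^telnet \S+ \S+ (\S+)$", cfg, re.M):
        f.append(("high", f"telnet (cleartext management) allowed on {m.group(1)}; use ssh"))
    return f


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    counts: Dict[str, int] = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for label, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, summarize(audit(cfg)), *(f"  [{s}] {m}" for s, m in audit(cfg)), sep="\n")
```

Run it as a script to see both reports. The checks are deliberately string-based so the same functions can be pointed at the output of show running-config from any ASA of this generation. The pre-shared key itself still needs a manual review: the running-config masks it, so its length and randomness have to be verified where it was generated.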
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com