Cisco ASA Firewall Archives

Cisco ASA Master PassPhrase

There are several configuration features on Cisco ASA that require some sort of password or secret-key that you need to enter. Some examples include:

  • VPN pre-shared keys (either for site-to-site IPSEC VPN or for Remote Access).
  • AAA server secret key when communicating with a RADIUS server.
  • Routing Protocols keys (for OSPF, EIGRP).
  • Secret key for failover communication.
  • Password to communicate with a Log Server.
  • VPN Load Balancing key
  • Etc

All the above might be hidden when you view the running configuration (by executing “show run”) however they are NOT encrypted inside the configuration file. For example, if you copy the configuration to an external TFTP Server, all the above passwords and secret-keys will be shown as clear text in the configuration file.

Moreover, when you execute the command “more system:running-config” you will also be able to view the running configuration with all passwords as plain text.

If you want to store all the above passwords in encrypted format in the configuration file, you can use the “Master Passphrase” feature. The master passphrase provides a key that is used to universally encrypt or mask all passwords, without changing their functionality. This feature is available from version 8.3(1) and above.


1) Create the Master Passphrase. This must be between 8-128 characters. Do not use backspace or double quote.

ASA(config)# key config-key password-encryption
New key: verystrongkey
Confirm key: verystrongkey

The above creates the Master Passphrase. Next we need to enable AES password encryption for all passwords:

2) Enable Password Encryption and save the configuration

ASA(config)# password encryption aes
ASA(config)# write mem


  • If you want to remove the master passphrase use “no key config-key password-encryption [current passphrase]”
  • If you have lost the master passphrase, you must erase the configuration and reboot the ASA: “write erase” and then “reload”.

How to Configure OSPF on Cisco ASA Firewall

Cisco Adaptive Security Appliance (ASA) is quite a versatile device integrating application-aware firewall, SSL and IPsec VPN, intrusion prevention system (IPS), antivirus, antispam, antiphishing, and web filtering services. Cisco ASA also supports routing protocols such as Routing Information Protocol (RIP), Enhanced Interior Gateway Routing Protocol (EIGRP), and last but not least, Open Shortest Path First (OSPF). In this tutorial, our focus will be OSPF configuration on Cisco ASA according to the figure below.

Figure 1 OSPF on Cisco ASA

asa ospf configuration

Please note that configuration on R1 is not relevant to this scenario and R1 is just shown for the sake of completeness. We will start by configuring OSPF on routers R2 and R3. We would also configure MD5 authentication for OSPF on Fa0/0 of R2 and R3, using cisco as the authentication key.

Here’s the configuration for R2:

R2#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address
R2(config-if)#ip ospf authentication message-digest
R2(config-if)#ip ospf message-digest-key 1 md5 cisco

R2(config)#interface Loopback0
R2(config-if)#ip address

R2(config)#router ospf 1
R2(config-router)#network area 0
R2(config-router)#network area 0

Here goes the configuration for R3:

R3#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#interface FastEthernet0/0
R3(config-if)#ip address
R3(config-if)#ip ospf authentication message-digest
R3(config-if)#ip ospf message-digest-key 1 md5 cisco

R3(config)#interface Loopback0
R3(config-if)#ip address

R3(config)#router ospf 1
R3(config-router)#network area 1
R3(config-router)#network area 1

Let’s now move to the interesting part where we configure Cisco ASA. We will first configure interface IP addresses, at the same time assigning Ethernet0/0, Ethernet0/1, and Ethernet 0/2 to outside, inside, and DMZ (de-militarized zone) zones, respectively. Inside and outside interfaces are assigned default security levels of 100 and 0 automatically. The higher the security level, the more secure an interface is. Therefore, the most secured network is placed behind an interface with a security level of 100, whereas the least secured network is placed behind an interface with a security level of 0. A DMZ interface can be assigned a security level between 0 and 100.

We assign a security level of 50 to the DMZ interface using the security-level command. We also configure MD5 authentication for OSPF on the outside and DMZ interfaces choosing cisco as the authentication key. Toward the end of configuration given below, both outside and DMZ interfaces are assigned to the appropriate OSPF area using network command.

ASA1# configure terminal
ASA1(config)# interface Ethernet0/0
ASA1(config-if)# ip address
ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/1
ASA1(config-if)# ip address
ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.
ASA1(config-if)# exit

ASA1(config)# interface Ethernet0/2
ASA1(config-if)# ip address
ASA1(config-if)# nameif DMZ
ASA1(config-if)# security-level 50
ASA1(config-if)# ospf authentication message-digest
ASA1(config-if)# ospf message-digest-key 1 md5 cisco
ASA1(config-if)# exit

ASA1(config)# router ospf 1
ASA1(config-router)# network area 0
ASA1(config-router)# network area 1

Let’s now verify that ASA1 has indeed established OSPF adjacency with R2 and R3 using show ospf neighbor command.

ASA1# show ospf neighbor

Neighbor ID    Pri   State        Dead Time   Address         Interface        1   FULL/DR      0:00:32     outside        1   FULL/BDR     0:00:38     DMZ

The above output indicates that OSPF neighbor relationships have been succesfully established with both R2 and R3. You can use show ospf interface command to find out more details such as OSPF neighbor authentication status.

ASA1# show ospf interface

outside is up, line protocol is up
Internet Address mask, Area 0
Process ID 1, Router ID, Network Type BROADCAST, Cost: 10
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID), Interface address
Backup Designated router (ID), Interface address
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 0:00:00
Index 1/1, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 2, maximum is 2
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor  (Designated Router)
Suppress hello for 0 neighbor(s)
Message digest authentication enabled
Youngest key id is 1


You can also use show ip ospf interface brief and show ip ospf neighbor commands on R2 and/or R3. We are showing the output of these two commands for R2 here.

R2#show ip ospf neighbor

Neighbor ID  Pri  State     Dead Time   Address         Interface  1    FULL/BDR  00:00:30     FastEthernet0/0

R2#show ip ospf interface brief

Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C

Lo0          1     0            1     LOOP  0/0
Fa0/0        1     0          1     DR    1/1

We can expect that R2, R3, and ASA1 may also have learned some OSPF routes by now. Let’s verify that by using show ip route command on R2 first.

R2#show ip route

<Some output omitted for brevity>

Gateway of last resort is not set

C is directly connected, FastEthernet0/0 is variably subnetted, 2 subnets, 2 masks
O IA [110/12] via, 02:01:57, FastEthernet0/0
C is directly connected, Loopback0
O IA [110/11] via, 02:02:01, FastEthernet0/0


Please feel free at this point to use show ip route command on R3 as well. We can use show route command on ASA1 to find out which routes it has learned over OSPF.

ASA1# show route

<Some output omitted for brevity>

Gateway of last resort is not set

C is directly connected, outside
O [110/11] via, 2:03:52, DMZ
O [110/11] via, 2:11:30, outside
C is directly connected, DMZ
C is directly connected, inside

Though OSPF routing is looking good at this stage, we may not yet be able to ping from R2 to R3 or vice versa. On Cisco ASA, you do not need to define an ACL to permit traffic from a high security level interface to a low security level interface by default. However, an ACL must explicitly permit traffic from a low security level interface (such as outside with security level 0) to a high security level interface (such as DMZ with security level 50). Here is how we configure an ACL and apply it inbound to the outside interface to allow incoming traffic. Just for example purposes, we will allow icmp traffic from outside to IP in DMZ.

access-list OUTSIDE-IN extended permit icmp any host
access-list OUTSIDE-IN extended permit icmp any any echo-reply
access-group OUTSIDE-IN in interface outside

Let’s try to ping from R2 to Loopback0 on R3 and vice versa, in order to seal the deal.


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/27/40 ms


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/44 ms

Comparison of Cisco ASA Software Versions

With the expansion of Cisco ASA models and the addition of new types of devices, it is inevitable to have also a confusion about which software version is supported for each model. A few years ago we had only the Cisco PIX series which were replaced by the successful Cisco ASA 5500 series firewalls. Now we have also the next generation 5500-X series and also we have ASA running on 6500 as service module and also the ASA 1000V cloud firewall. Each type has its own software version as shown below:


ASA Type/Model

ASA Software Version

Cisco ASA 5500 Series (5505, 5510, 5520, 5540, 5550, 5580) ASA Version 8.4(x)
Cisco Catalyst 6500 Series ASA Services Module ASA Version 8.5(x)
Cisco ASA 5500-X Series (ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X) ASA Version 8.6(x)
ASA 1000V cloud and virtual firewall ASA Version 8.7(x)
All product series ASA 5500, ASA 5500-X and 6500 Service Module ASA Version 9.0(x)


How to block HTTP DDoS Attack with Cisco ASA Firewall

Denial of Service attacks (DoS) are very common these days. Especially Distributed DoS attacks (called also DDoS) can be executed quite easily by attackers who own large networks of BotNets. Thousands of malware-infected computers (which comprise the so called “BotNets”) are controlled by attackers and can be instructed to start attacks at any target.

Usually WebSites are targeted more frequently. Bringing down a website can have a negative effect to the image (in addition to any financial loss) of the company owing the site. A DDoS attack can be purely “volumetric”, which means that the attacker just sends high volume of packets as quickly as possible to flood the bandwidth of the “pipe” connecting the website to the Internet. Also, DDoS attacks can be “Application Resource Exhaustion” which means that the attacking computers create thousands of application requests (e.g HTTP Requests) to a server, thus consuming the application resources.

A Cisco ASA Firewall can not help much in a “volumetric” DDoS attack. In such an attack, a dedicated DDoS device is needed or your ISP must do some kind of rate limiting to mitigate the attack. However, for “Application Exhaustion” attacks a Cisco ASA can help to some extend with HTTP inspection using the Modular Policy Framework mechanism of ASA. This is what we are going to describe in this article.

Usually, HTTP Application DDoS attacks have a pattern or string which helps you distinguish the attacking HTTP requests from other legitimate requests. For example, HTTP attacking packets might have a common parameter or string, which can be for example the same “User-Agent” used by the attacking script, a common POST or GET URI request, some other HTTP header parameters etc. With the ASA HTTP inspection feature you can match on this common pattern in the HTTP packet thus filter-out the attacking packets and drop them.

Recently I was engaged to help mitigate a DDoS attack on a webserver. I observed from the Apache logs that the attacking HTTP requests were all targeting the website on the same URL string, such as  The string “xyz123” was the common pattern for all malicious HTTP requests. Thus with a policy on ASA you can match on the unique string above and drop the packets that have this string in the HTTP URI.

Lets see a diagram and configuration below:

asa ddos http protection

ASA Configuration:

!First create a regular expression with the unique attack string
regex attackstring xyz123

!Create an ACL to match the HTTP traffic towards the target server
access-list HTTPTRAFFIC extended permit tcp any host eq www

!Create a regular L3/L4 class to match the traffic above
class-map attackingtraffic
 match access-list HTTPTRAFFIC

!Now create an HTTP inspection policy to match on the unique attacking string
policy-map type inspect http HTTPDOS
 match request uri regex attackstring
 match request args regex attackstring

!The following policy-map will include the L3/L4 class which will include the HTTP inspection policy
policy-map BLOCKDOS
 class attackingtraffic
  inspect http HTTPDOS

!Now attach the policy-map to the ASA outside interface to inspect Inbound traffic.
service-policy BLOCKDOS interface outside

If you enable logging on the drop-connection command (use “drop-connection log“), then you will start seeing logs that the ASA is dropping packets with the matched attacking HTTP string.

In this first Video Tutorial I will show you how to enable initial access to the ASA device in order to connect with ASDM graphical interface or with SSH. The network topology is shown below:

Cisco ASA ASDM Configuration

First we need to have console access (with a serial console cable) to the device in order to configure some initial settings to allow user access with ASDM or with SSH. We will configure Interface GigabitEthernet 5 as a management interface with IP address Also, on the same subnet we have our management PC with IP address The management PC is running also a TFTP server software (tftp32) which will be used to transfer the ASDM image to the ASA.

Below is the CLI configuration used in this initial setup (see video below also for more information):

ciscoasa# sh run
: Saved
ASA Version 8.4(2)
hostname ciscoasa
! Configure an “enable password” which is the administrator password of the device
enable password 2KFQnbNIdI.2KYOU encrypted

passwd 2KFQnbNIdI.2KYOU encrypted
interface GigabitEthernet0
no nameif
no security-level
no ip address
interface GigabitEthernet1
no nameif
no security-level
no ip address
interface GigabitEthernet2
no nameif
no security-level
no ip address
interface GigabitEthernet3
no nameif
no security-level
no ip address
interface GigabitEthernet4
no nameif
no security-level
no ip address
! Configure IP address to Interface GigEth5 and put a high security level (90 is good).
! name also the interface as “management”
interface GigabitEthernet5
nameif management
security-level 90
ip address
ftp mode passive
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1

! Tell the appliance where the asdm image is located.
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL

! SSH access will use the LOCAL username/password for authentication
aaa authentication ssh console LOCAL
! enable the HTTP service on the device so that you can connect to it for ASDM access
http server enable
! Tell the device which IP addresses are allowed to connect for HTTP (ASDM) access and from which interface
http management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
! Tell the device which IP addresses are allowed to connect for SSH access and from which interface.
ssh management
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Configure a LOCAL username/password to be used for authentication.
username cisco password 3USUcOPFUiMCO4Jk encrypted
prompt hostname context
no call-home reporting anonymous
profile CiscoTAC-1
no active
destination address http
destination address email
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
: end


To enable SSH access, we need to generate also SSH keys as following:

ciscoasa(config)# crypto key generate rsa modulus 1024
Keypair generation process begin. Please wait…

And here is the video:

How to Install CSC SSM on Cisco ASA 5510

I have found the following informative video which shows how to physically install a Content Security Services (CSC) Module in a Cisco ASA 5510 firewall appliance, and also how to create the initial setup configuration of this module using the graphical ASDM GUI of ASA firewall.

The CSC module provides protection against Viruses, Spam, Spyware and other unwanted traffic that can be found in data flowing in and out of your network, so I think its one of the useful security controls that you can put in place to protect your network and data.

New business requirements, the evolvement of social networking and web 2.0 and new generation technologies are driving new requirements for network and information security. Gartner has recently published their definition for next-generation firewalls, and they have noted that their famous “magic quadrant” reports for enterprise firewalls will now be taking into account the Next Generation Firewall capabilities of each tested device and vendor. The “Next Generation Firewall” concept, according to Gartner, will be a progression of current firewall and IPS devices which must include extra features and capabilities, mainly application and content inspection and protection. Next generation firewalls must be fully application aware (up to Layer7 protection) and not only up to Layer4.

Gartner’s recent Magic Quadrant report for enterprise firewalls, brought a new player into the first position, the Palo Alto Networks. Cisco has stayed behind this new generation security concept and they are now trying to catch up with the announcement of next generation capabilities in the new Cisco ASA CX product line. The new Cisco direction in network security was announced by Chris Young, senior vice president of Security, in RSA Conference 2012.

The new Cisco ASA CX products will be “context aware” and therefore they can provide protection against application threats and also offer inspection and traffic access control towards popular “micro-applications”, such as games in facebook or gambling apps in other popular websites. The new firewalls can also control access towards more than 1000 applications (facebook, twitter, google+, linkedin etc) and more than 75,000 micro applications for more granular context-aware control. So the main idea that we can take from this announcement is that the CX ASA product line will be centered around granular application, user and device control and better visibility in the network traffic. Just keep in mind also that in order to provide this comprehensive end-to-end security posture, the Cisco ASA CX must cooperate with other Cisco security products and solutions, such as Cisco SecureX Framework, Cisco AnyConnect Secure Mobility Client, and Cisco SIO (Security Intelligence Operations) for global threat intelligence data.

There are new Cisco ASA models available now, which will be under the CX framework. Specifically, the following new models were introduced:

  • ASA 5512-X
  • ASA 5515-X
  • ASA 5525-X
  • ASA 5545-X
  • ASA 5555-X

At the moment there is not much documentation and explanations about the new features introduced in those new models, so we can not describe them in more detail. We will come back again after more info is available.

Site to Site VPN between Cisco ASA and Router

In this post we will configure Site-to-Site IPSEC VPN between a Cisco IOS Router and ASA Firewall. ASA configuration is not much different from Cisco IOS with regards to IPSEC VPN since the fundamental concepts are the same. Let’s start our LAB example and we’ll see how it’s done.

Consider the following diagram. The first site (Remote1) is equipped with a Cisco ASA firewall (any model) and the second site (Remote2) is equipped with a Cisco Router. Remember that a Cisco ASA firewall is by default capable to support IPSEC VPN but a Cisco Router must have the proper IOS software type in order to support encrypted VPN tunnels.

Equipment Used in this LAB:

  • ASA 5510 – Cisco Adaptive Security Appliance Software Version 8.0(3)
  • Cisco Router 2801 – C2801-ADVIPSERVICESK9-M Version 12.4(9)T4


LAN of Remote1 must be connected to LAN of Remote2 via VPN Tunnel. The most usual scenario is that the WAN cloud is the Internet, so secure connectivity shall be provided between the two LAN networks over the Internet.

First of all we shall make sure that the outside interfaces of ASA and router must be reachable over the WAN. Now let’s start IPSEC VPN configuration.

Cisco ASA Configuration

First I started ASA configuration.

I’ve created an Access list, which will match the interesting traffic which is the traffic to be encrypted. If source is and destination is, then traffic will be matched by the access list as “interesting traffic” and will be encrypted and pass through the tunnel.

ASA(config)# access-list vpn extended permit ip

! I’ve created a phase1 policy. This policy provides secured process of exchanging Keys.

ASA(config)# crypto isakmp policy 1

! For authentication I used Pre-shared. This method is most frequently used today.
ASA(config)# authentication pre-share

!For encryption I used 3des.
ASA(config)# encryption 3des

! Hashing md5.
ASA(config)# hash md5

! I used second group of diffie-hellman. Group1 is used by default. The most secured is Group5.
ASA(config)# group 2

! configure crypto key. The keys must match to each other between peers. Otherwise Phase1 will not be completed.
ASA(config)# crypto isakmp secretsharedkey address

NOTE: Crypto key is hidden in ASA configuration. If we look at configuration, it will be shown in following way.
tunnel-group ipsec-attributes
pre-shared-key *

! Activate policy on Outside interface.
ASA(config)# crypto isakmp enable outside

! IKE PHASE #2- VPN Tunnel is established during this phase and the traffic between VPN Peers is encrypted according to the security parameters of this phase.

! I created Transform-set, by which the traffic will be encrypted and hashed between VPN peers.
ASA(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Apply the access list created earlier for matching the interesting traffic.
ASA(config)# crypto map vpn 10 match address vpn

! I indicated address of Remote2 peer public outside interface.
ASA(config)# crypto map vpn 10 set peer

! Apply also the transform-set.
ASA(config)# crypto map vpn 10 set transform-set ts

! Attach the already created Crypto-map and VPN to outside interface.
ASA(config)# crypto map vpn interface outside

ASA configuration is completed here (regarding the VPN config of course). Now let’s start Router Configuration below.

Cisco Router Configuration

ISAKMP Phase 1

! Enter crypto-isakmp policy configuration mode for configuring crypto isakmp policy.
Router(config)# crypto isakmp policy 10

! Turn on 3des as an encryption type.
Router(config)# encr 3des

! I indicated MD5 as a hashing type.
Router(config)# hash md5

! I indicated pre-share authentication.
Router(config)# authentication pre-share

! I used second group of diffie-hellman. group1 is used by default.
Router(config)# group 2

! I defined peer key same as ASA site.
Router(config)# crypto isakmp secretsharedkey address

It’s not necessary to match policy numbers. The most important is to match corresponding parameters of policy. Otherwise negotiation of Phase1 will not be successful.

! Access list for matching interesting traffic.
Router(config)# ip access-list extended vpn
Router(config)# permit ip

! Create IPSEC transform-set, by which the mechanism of hashing and encryption is determined, by which the traffic will be hashed/encrypted in VPN tunnel later.
Router(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Enter into crypto-map configuration mode.
Router(config)# crypto map vpn 10 ipsec-isakmp

! Indicate IP address of peer.
Router(config)# set peer

! Indicate IPsec transform-set created above.
Router(config)# set transform-set ts

! Apply access list created above.
Router(config)# match address vpn

! Apply crypto-map to interface.
Router(config)# interface FastEthernet0/0
Router(config)# crypto map vpn

With this, VPN configuration is completed so let’s start verification.

! In the output below it is shown that ISAKMP PHASE1 is active, which means that negotiation of PHASE1 is completed successfully.

ASA# show crypto isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer:
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

Router# show crypto isakmp sa
dst src state conn-id slot MM_ACTIVE 1 0

! Checking ISAKMP PHASE2. Here we see that IPSec is working and the interesting traffic flows in VPN Tunnel.

ASA# show crypto ipsec sa
interface: outside
Crypto map tag: vpn, seq num: 10, local addr:

access-list vpn permit ip
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (

#pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #framents created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

Router# show crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: vpn, local addr

protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
#pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

VPN Tunnel is established and works.

 Page 2 of 10 « 1  2  3  4  5 » ...  Last »