topic Re: Ask the Expert - Firewall Security and Troubleshooting VPN f in Network Security

Ask the Expert - Firewall Security and Troubleshooting VPN for Adaptive Security Appliance(ASA)

ciscomoderator — Tue, 12 Mar 2019 00:53:50 GMT

Learn and ask questions regarding Firewall Security and Troubleshooting VPN for Adaptive Security Appliance(ASA) . This event will be a continuation of the live Facebook Forum.

Bhavik Joshi is a Network Consulting Engineer with Service Provider Delivery team in Bangalore and has more than 3 years of experience working with security solutions implementation and troubleshooting network issues.

He has been actively working on multi-vendor security device and migration of multi-vendor security devices with cisco security solution. He also holds a CCIE Security certification #26263.

Where:

Please go to Cisco Support Facebook Page on the event day: http://www.facebook.com/CiscoSupportCommunity

When:

8:00 AM PST (San Francisco; UTC -7 hrs)

This corresponds to:

5:00 PM CET(Paris; UTC +1 hr)

9:00 PM PKT (Pakistan, UTC +5 hrs)

9:30 PM IST (India; UTC +5:30 hrs)

11:00 PM (Indonesia; UTC +7 hrs)

What is Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. It gives you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

Anup Sasikumar — Tue, 29 Jan 2013 18:50:22 GMT

Hi Bhavik ,

I'm happy that this topic came up in Ask The Expert section.Most of my work involves setting up Site to Site VPN tunnels to securely access client locations. We have a Cisco ASA 5505 in place. Is it possible that I can restrict communication from client end to our location through the tunnel , ie , restrict access for client location machines from accessing our network? Can I use access lists for the same ? What access lists should I be configuring ?

Regards,

Anup

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

JOHN MURPHY — Wed, 30 Jan 2013 12:23:03 GMT

Hello Bhavik ,

I'm interested in learning how to troubleshoot Site-To-Site VPN's, IPSec and Web VPN. What material would you recommend to assist in this adventure.

Thanks

John

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

kthned — Wed, 30 Jan 2013 13:38:26 GMT

Hi Bhavik,

I have to configure two cisco ASA 5520 in a redundant mode with IPv4 & IPv6 support for our VPN clients (runs Cisco ANy connect). My questions are

Is IPv6 support available in the above setup ? if yes please share document.
Can it be possible to run both ASAs in Active-Active state. In case the one goes down, shall the associated vpn clients needs reconnection ?
Can you share helpful document for confguring ASA in redundant mode.

Thanks !

Regards,

Umair

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

deansakai1 — Thu, 31 Jan 2013 08:46:27 GMT

Hi Bhavik,

My ASA5505 does not work properly when I click AJAX button; it should reload the new pages when I changed the contents. But not responding and nothing happen.　I checked through the Cisco support community, I found some questions and answers related this problem, but not quietly solvedas the following links;

ASA5505 Clientless SSL and Ajax issue
https://supportforums.cisco.com/message/3187376#3187376
CISCO ASA 5505 SSL VPN not able to display web pages properly with
Javascript
https://supportforums.cisco.com/message/3143207#3143207
WebVPN - SSL Portal - URL Rewrite
https://supportforums.cisco.com/message/3609935#3609935

CSCub09280 ASA Content rewrite HTML content was treated as ajax response

CSCtk95435 ASA rewriter: radcontrols based AJAX/ASP website not working properly

My question is: if I update the ASA-5505's ASA OS and the ASDM,
that would fix the problem?

Please help me!!

Here is the current ASA OS and ASDM version and I will try to the update version.

Cisco ASA-5505
ASA OS
current:8.4(2)
⇒to：9.1(1)

ASDM
current:6.4(5）
⇒to：7.1(1)

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

elmayir777 — Thu, 31 Jan 2013 13:14:53 GMT

Thx for such kind of easy support community!

We support VERY CRITICAL business process and we need to replace ASA5510 8.0 to ASA5540 9.1 version

we have very large config file need minimum downtime.

What is ur reccomendation ?

apply old config to new ASA with same IOS (8.0) , then upgade it to new one (9.1)

or backup from ASA5510 (8.0) with ASDM and restore it at 5540 (9.1) ??

thx beforehand

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

gaboughanem — Thu, 31 Jan 2013 21:31:29 GMT

Hello Bhavik,

I am trying to find the answer if the ASA can perform load balancing per-packet or per-destination.

In a situation where I have an ASA ver8.4.4.1 and load balance two routers (two default routes).

Thanks

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

ALIAOF_ — Fri, 01 Feb 2013 19:07:05 GMT

You can actually do that very easily using the ACL for the the site to site VPN. You can even get it down to the port level.

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

ALIAOF_ — Fri, 01 Feb 2013 19:08:08 GMT

This is a pretty cool site for troubleshooting VPN's

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

Anup Sasikumar — Sat, 02 Feb 2013 05:05:09 GMT

Hi Mohamad,

That's a very useful one ! Thanks for sharing !

Regards,
Anup

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

Anup Sasikumar — Sat, 02 Feb 2013 05:41:18 GMT

Hi Mohammad,

Great ! I should be reconfiguring the access lists which defines the " interesting" traffic through the tunnel , right?

But I am just wondering , Let's say if I have the following setup

LAN1 (192.168.1.X)->(192.168.1.1- Inside) MainASA (Outside -1.1.1.1) ----- Internet -------(Outside -2.2.2.2) BranchASA ( Inside - 192.168.2.1) ->LAN 2(192.168.2.X)

When I configure access lists for intresting traffic in Crypto map configuration , Is it necessary that I should be allowing traffic between ASA Inside IP address to establish a tunnel or since we are already specifying the Remote Peer details with the public IP of the ASA on the other end , allowing traffic to ASA Inside IP address is not required?

If I need to meet the follwing conidtions

1. All nodes in the main location should be able to access all nodes in Branch location

2. Branch location nodes should only be able access node 192.168.1.100 in Main location

Would the access list for interesting traffic to be defined in Cryptomap configuratios be

Main location

access-list MAIN2BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Branch location

access-list BRANCH2MAIN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.100

Would that also prevent the return traffic (lets say , ping reply ) from 192.168.2.X network when trying to access any node on Branch from Main location , which is not desired ?

Please help !

Regards,
Anup

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

bhavjosh — Mon, 04 Feb 2013 13:54:44 GMT

Hi Anup,

You can use the ACL with restricted source and destination IP. This ACL you have to use with you match address statement with the used crypto map

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

bhavjosh — Mon, 04 Feb 2013 14:03:39 GMT

Hi John,

There are too many technotes and debugging documents available on cisco websites, also refer books like Cisco VPN Troubleshooting & CCNP Security VPN official Cert Guide

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

bhavjosh — Mon, 04 Feb 2013 14:09:40 GMT

Hi Syed,

Please refer the cisco document given below on the link. hope it help you to clear you doubts.

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/ha_active_active.pdf

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

bhavjosh — Mon, 04 Feb 2013 14:17:07 GMT

Hi Sakai,

You have to upgrade on 9.1(1) or 8.4(5) as this is a bug and fixed in this ios.

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

bhavjosh — Mon, 04 Feb 2013 14:21:30 GMT

Hi Elmayir,

You should go through the release nots of 9.1, it will help you to and let you know the precautions that should be taken while upgrading from 8.0 to 9.1

Please go through the below link once.

http://www.cisco.com/en/US/docs/security/asa/asa91/release/notes/asarn91.html#wp678072

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

bhavjosh — Mon, 04 Feb 2013 14:25:23 GMT

Hi,

You can do the load balancing by configuring cluster.

Refer

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_params.html#wp1048834

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

ALIAOF_ — Mon, 04 Feb 2013 20:20:46 GMT

Well what you can do is try the VPN filter option, check out this link.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

krishnanand.yadav — Tue, 05 Feb 2013 04:34:11 GMT

Hi Bhavik,

Could you please explain in what scenario we will use MSS (Maximum Segment Size) configuration and its importance in troubleshooting VPN related issue?

Also if you can please explain NAT traversal configuration ? Where do i need to configure NAT traversal? It should be on NAT device next to Firewall or on Firewall itself. What does this NAT configuration actually do?

Thanks,

Krishnanand Yadav

Ask the Expert: Firewall Security and Troubleshooting VPN for Ad

deansakai1 — Wed, 06 Feb 2013 04:02:59 GMT

Hello Bhavik,

I really appreciated your support, because before you gave me the advice,

I haven't had the confidence to be able to fix this problerm.

Now, I'll try to upgrade the ios. Thanks again.