05-12-2015 07:39 AM
Does anyone know if they removed the easy vpn client for the ASA 5506-X. I can make it as a server but not a client or is there a replacement?
05-12-2015 09:31 AM
Yes, it has been removed. They are working on a solution, but there isn't any update on when it will happen.
05-12-2015 10:45 AM
Thanks
05-21-2015 05:27 AM
Hi Anthony,
Although the ASA5506-X doesn't support the EasyVPN Hardware Client functionality, this same functionality--VPN Network extension with Dynamic VPN--can be implemented on the HeadEnd ASA5500X using a Site-to-Site configuration with a "Dynamic Crypto Map". Although the configuration isn't as simple as an EasyVPN hardware client configuration, the feature/functionality of building a tunnel with a dynamic IP address and providing access to resources at the remote site still exists.
Here are some sample configurations that I was able to find on setting up a Dynamic Crypto Map on a LAN to LAN tunnel (L2L tunnel):
This first URL below provides a great example of using Dynamic L2L tunnels and different tunnel groups to differentiate access policies between two different spokes--one of the spokes is a router but the other spoke is an ASA5500.
How to make Dynamic L2L Tunnels Fall into Different Tunnel Groups
This URL provides a simple L2L Dynamic Crypto map configuration involving two locations.
Site-to-Site IPSEC VPN between two cisco ASA's - one with Dynamic IP
http://www.networkstraining.com/site-to-site-ipsec-vpn-between-two-cisco-asa/
I appreciate this opportunity to assist you.
Best regards,
"Nilz"
Nilo Noguera
.:|:.:|:. Security Specialist, Cisco Global Virtual Engineering - Cisco Partner Plus
http://www.cisco.com/web/partners/tools/ph.html
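As an added illustration of the alternative described in the post above (this is the editor's sketch, not configuration from the thread or from the linked articles), here is a hub-and-spoke IKEv2 L2L tunnel where the spoke has a dynamic public IP. The hub uses a dynamic crypto map and the catch-all DefaultL2LGroup; the spoke uses an ordinary static crypto map pointing at the hub. All names, addresses (203.0.113.1, 10.10.10.0/24, 10.20.20.0/24) and keys are constructed placeholders.

```cisco
! Added example, not from the thread. Addresses, names and keys are placeholders.
!
! ===== Hub (static public IP 203.0.113.1, LAN 10.10.10.0/24) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Dynamic crypto map: no "set peer" and no "match address", because the
! spoke's address is unknown in advance; the spoke proposes the selectors.
crypto dynamic-map DYN-SPOKES 10 set ikev2 ipsec-proposal AES256-SHA256
! The dynamic entry must carry a higher sequence number than every static
! entry on the same map, so it is only consulted when nothing else matches.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
!
! A pre-shared-key peer that cannot be matched by IP lands in DefaultL2LGroup.
! Every spoke therefore shares one key, and anyone holding it can bring up a
! tunnel from any source address. Per-spoke certificates with a
! tunnel-group-map (as in the first linked article) are the stronger option.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key ReplaceWithLongRandomKey
 ikev2 local-authentication pre-shared-key ReplaceWithLongRandomKey
!
! Identity NAT so hub-to-spoke traffic is not PATed to the outside address.
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0
object network SPOKE1-LAN
 subnet 10.20.20.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
!
! ===== Spoke (dynamic public IP, LAN 10.20.20.0/24) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! The spoke knows the hub's address, so it uses a static entry and must
! always be the initiator: the hub cannot dial a peer whose IP it does not know.
access-list VPN-TO-HQ extended permit ip 10.20.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ReplaceWithLongRandomKey
 ikev2 local-authentication pre-shared-key ReplaceWithLongRandomKey
!
object network SPOKE1-LAN
 subnet 10.20.20.0 255.255.255.0
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0
nat (inside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
```

Two things to check after bringing this up: `show crypto ikev2 sa` on the hub should show the spoke under DefaultL2LGroup, and a `packet-tracer input inside tcp 10.10.10.5 1234 10.20.20.5 80` on the hub should end in a VPN/encrypt phase rather than a NAT translation to the outside address, which is the sign the identity NAT is missing.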
09-11-2015 03:26 PM
ASA 9.5.1 added Easy VPN client. Please check the following release note:
Release Notes for the Cisco ASA Series, 9.5(x) - Cisco
"This release supports Cisco Easy VPN on the ASA 5506-X series and for the ASA 5508-X. The ASA acts as a VPN hardware client when connecting to the VPN headend. Any devices (computers, printers, and so on) behind the ASA on the Easy VPN port can communicate over the VPN; they do not have to run VPN clients individually. Note that only one ASA interface can act as the Easy VPN port; to connect multiple devices to that port, you need to place a Layer 2 switch on the port, and then connect your devices to the switch."
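To put the quoted release note into concrete terms, the following is an added configuration sketch (the editor's, not configuration from the thread or from Cisco's documentation) of an ASA 5506-X acting as an Easy VPN hardware client in network-extension mode, together with the matching headend group policy that defines the split-tunnel list. Easy VPN is IKEv1-only. The server address 203.0.113.1, the group and user names, the 10.10.10.0/24 and 10.20.20.0/24 networks and all keys are constructed placeholders; `vpnclient secure interface` is assumed here to be the 9.5(1) command that selects the single Easy VPN port the release note describes, so confirm it against the command reference for the exact release in use.

```cisco
! Added example, not from the thread. Addresses, names and keys are placeholders.
!
! ===== Headend (Easy VPN server, public IP 203.0.113.1, LAN 10.10.10.0/24) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Dynamic map for clients with unknown addresses; reverse-route injection
! installs a route to the 10.20.20.0/24 network behind the hardware client.
crypto dynamic-map DYN-EZVPN 10 set ikev1 transform-set ESP-AES256-SHA
crypto dynamic-map DYN-EZVPN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-EZVPN
crypto map OUTSIDE-MAP interface outside
!
! Split tunneling: only 10.10.10.0/24 is sent into the tunnel; everything
! else leaves the 5506-X directly. This is the behaviour CSCuw22886 broke.
access-list SPLIT-HQ standard permit 10.10.10.0 255.255.255.0
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-HQ
 nem enable
!
username branch1 password ReplaceWithUserPassword
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP general-attributes
 default-group-policy EZVPN-GP
tunnel-group EZVPN-GROUP ipsec-attributes
 ikev1 pre-shared-key ReplaceWithGroupKey
!
object network HQ-LAN
 subnet 10.10.10.0 255.255.255.0
object network BRANCH-LAN
 subnet 10.20.20.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
!
! ===== ASA 5506-X as Easy VPN hardware client (9.5(x)) =====
! The group key is a shared secret across every client in the group; the
! XAUTH user credentials are what identify this particular site.
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN-GROUP password ReplaceWithGroupKey
vpnclient username branch1 password ReplaceWithUserPassword
! Assumed 9.5(1) command: the one interface whose hosts may use the tunnel.
vpnclient secure interface inside
vpnclient enable
```

On the client, `show vpnclient detail` reports the negotiated split-tunnel networks; if the list is empty while the headend policy is `tunnelspecified`, you are looking at the split-tunneling defect discussed later in this thread rather than a configuration error.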
09-15-2015 07:23 AM
Although they did add EZvpn Client in 9.5.1, I don't suggest buying a 5506 for the purpose of using it as an EZvpn Client right now. I've spent a lot of hours trying to set this up for a customer only to run into CSCuw22886. Split tunneling does not work and it looks like Cisco is not making it a priority to fix the issue...https://tools.cisco.com/bugsearch/bug/CSCuw22886/?reffering_site=dumpcr
10-09-2015 04:46 AM
We're also hitting this bug, annoying as we bought the X-series when we finally saw the statement "Easy VPN added".
A real show stopper for us :-(
Can someone please explain this, are these some kind of interim versions? Can they be downloaded?
"Known Fixed Releases (8):
100.15(0.34)
100.15(16.8)
100.15(17.12)
100.15(3.60)
100.15(8.15)
100.16(0.2)
100.16(1.2)"
10-22-2015 09:55 AM
Dear Martin,
Those builds are internal developers builds, not available for customers.
This specific bug fix should (as in "I should be on time") be integrated in 9.5.2, tentatively scheduled for the end of November. If all goes well the bug should be fixed in that version.
You can subscribe yourself to automatic bug notifications, so that you get an e-mail once the fixed version is added.
For that please go to:
https://tools.cisco.com/bugsearch/bug/CSCuw22886
Then please click "Save Bug". There you can specify email address you would like to be notified at and the frequency of the updates.
I hope it helps!
Kind regards,
Mateusz Grzesiak
12-01-2015 06:23 AM
I downloaded and installed 9.5.2 and indeed split tunneling seems to work, but there is one weird problem (I think):
I'm using four "inside" interfaces on the 5506-X and as far as I can read this is kind of supported: the interface with the highest security-level can utilize the tunnel, the others can not. This scenario is fine.
Devices connected to vlan67 work fine, as tested so far.
A device connected to vlan68 works as long as it doesn't connect to any address in the tunnel list.
This is bad since there are some services at the home end with public addresses where clients at vlan67 act as "data feeders" for the public computers while clients at vlan68 act as "data consumers" for the public computers.
From what I could understand the clients at vlan67 should (and do) use the tunnel for access while clients at vlan68 would go straight out from the 5506-X, get their source address changed to the 5506-X's outside address and reach the public addresses as normal clients.
The 5506-X says the expected "Built dynamic translation" while connecting to google.com, while it says "Built localhost outside:W.X.Y.Z" while trying to connect to the public address from vlan68.
The ip range B is in a completely different range from ip range A.
Is this supposed behaviour or is it a bug?
interface GigabitEthernet1/2.67
vlan 67
nameif sixtyseven
security-level 100 <-- easy vpn tunnel works as expected from here, W.X.Y.Z reached by tunnel
ip address A
!
interface GigabitEthernet1/2.68
vlan 68
nameif sixtyeight
security-level 90 <-- clients here reaches addresses NOT in the tunnel list, W.X.Y.Z not reached at all
ip address B
!
interface GigabitEthernet1/2.69
vlan 69
nameif sixtynine
security-level 90
ip address C
!
interface GigabitEthernet1/2.70
vlan 70
nameif sixtyten
security-level 90
ip address D
12-01-2015 06:41 AM
Works:
asa5506# packet-tracer input insamling tcp VLAN68.2 12345 8.8.8.8 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop OUTSIDESUBNET.1 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_insamling
nat (insamling,outside) dynamic interface
Additional Information:
Dynamic translate VLAN68.2/12345 to OUTSIDESUBNET.150/12345
Forward Flow based lookup yields rule:
in id=0x7f6e158aba20, priority=6, domain=nat, deny=false
hits=1296, user_data=0x7f6e15870dc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=VLAN68.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=insamling, output_ifc=outside
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6e140865c0, priority=0, domain=nat-per-session, deny=false
hits=4343, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6e14baedb0, priority=0, domain=inspect-ip-options, deny=true
hits=2034, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=insamling, output_ifc=any
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f6e140865c0, priority=0, domain=nat-per-session, deny=false
hits=4345, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f6e14ad7ba0, priority=0, domain=inspect-ip-options, deny=true
hits=4958, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5910, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
output-interface: outside
output-status: up
output-line-status: up
Action: allow
-------------------------------------------------------------------------------------------------------------------------------------
Doesn't work:
asa5506# packet-tracer input insamling tcp vlan68.2 12345 ATHOME.5 80 det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6e14ba68f0, priority=1, domain=permit, deny=false
hits=7148, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=insamling, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop OUTSIDESUBNET.1 using egress ifc outside
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_insamling
nat (insamling,outside) dynamic interface
Additional Information:
Dynamic translate vlan68.2/12345 to OUTSIDESUBNET.150/12345
Forward Flow based lookup yields rule:
in id=0x7f6e158aba20, priority=6, domain=nat, deny=false
hits=1290, user_data=0x7f6e15870dc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=vlan68.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=insamling, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6e140865c0, priority=0, domain=nat-per-session, deny=false
hits=4340, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f6e14baedb0, priority=0, domain=inspect-ip-options, deny=true
hits=2028, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=insamling, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f6e14c7b3e0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=171, user_data=0x18a9c, cs_id=0x7f6e14c9b750, reverse, flags=0x0, protocol=0
src ip/id=ATHOME.5, mask=255.255.255.255, port=0, tag=any
dst ip/id=OUTSIDESUBNET.150, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: insamling
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule