ASA 8.4.1 USEFUL help within IOS!!

fsebera
Level 4

I just upgraded my new ASA5500 firewall IOS to 8.4.1. Looking through the Cisco ASA CLI, Cisco has finally provided some USEFUL help without making you jump through so many hoops - FINALLY!!!!!

I am very familiar and already have much experience with designing, setting up, supporting, troubleshooting, etc. VPNs on Cisco products, but found this very interesting, and it could be very useful for those not so up to speed!!!!!!!

Hope you enjoy.

Frank

ciscoasa(config)# vpnsetup ?                

configure mode commands/options:
  ipsec-remote-access  Display IPSec Remote Access Configuration Commands
  l2tp-remote-access   Display L2TP/IPSec Configuration Commands
  site-to-site         Display IPSec Site-to-Site Configuration Commands
  ssl-remote-access    Display SSL Remote Access Configuration Commands

As an example

ciscoasa(config)# vpnsetup site-to-site steps

Steps to configure a site-to-site IKE/IPSec connection with examples:

1. Configure Interfaces

        interface GigabitEthernet0/0
         ip address 10.10.4.200 255.255.255.0
         nameif outside
         no shutdown

        interface GigabitEthernet0/1
         ip address 192.168.0.20 255.255.255.0
         nameif inside
         no shutdown

2. Configure ISAKMP policy

        crypto isakmp policy 10
         authentication pre-share
         encryption aes
         hash sha

3. Configure transform-set

        crypto ipsec transform-set myset esp-aes esp-sha-hmac

4. Configure ACL

        access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0

5. Configure Tunnel group

        tunnel-group 10.20.20.1 type ipsec-l2l
        tunnel-group 10.20.20.1 ipsec-attributes
         pre-shared-key P@rtn3rNetw0rk

6. Configure crypto map and attach to interface

        crypto map mymap 10 match address L2LAccessList
        crypto map mymap 10 set peer 10.10.4.108
        crypto map mymap 10 set transform-set myset
        crypto map mymap 10 set reverse-route
        crypto map mymap interface outside

7. Enable isakmp on interface

        crypto isakmp enable outside
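
Added example, not part of the original post or of Cisco's output: a small Python check that cross-references the commands from steps 2 to 7 before they are pasted into a device. It assumes the ASA selects the LAN-to-LAN tunnel group by the peer's IP address when pre-shared keys are used, so it flags that the sample names the tunnel group 10.20.20.1 while the crypto map peer is 10.10.4.108; `audit_l2l` and `defined` are hypothetical helper names.

```python
import re

# Constructed sample: commands from the vpnsetup output, key replaced by a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
crypto ipsec transform-set myset esp-aes esp-sha-hmac
access-list L2LAccessList extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0
tunnel-group 10.20.20.1 type ipsec-l2l
tunnel-group 10.20.20.1 ipsec-attributes
 pre-shared-key <placeholder>
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 10.10.4.108
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
crypto isakmp enable outside
"""

def defined(lines, pattern):
    """Collect the names captured by group 1 of `pattern` over all lines."""
    return {m.group(1) for l in lines if (m := re.match(pattern, l))}

def audit_l2l(config):
    """Return cross-reference problems found in a site-to-site config (hypothetical helper)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    acls = defined(lines, r"access-list (\S+) ")
    tsets = defined(lines, r"crypto ipsec transform-set (\S+) ")
    groups = defined(lines, r"tunnel-group (\S+) type ipsec-l2l$")
    ike_ifs = defined(lines, r"crypto isakmp enable (\S+)$")
    checks = [  # (crypto map sub-command, names defined elsewhere, what is missing)
        (r"match address (.+)$", acls, "access-list"),
        (r"set transform-set (.+)$", tsets, "transform-set"),
        (r"set peer (.+)$", groups, "ipsec-l2l tunnel-group"),
    ]
    findings = []
    for l in lines:
        if m := re.match(r"crypto map (\S+) interface (\S+)$", l):
            if m.group(2) not in ike_ifs:  # step 7 missing for this interface
                findings.append(f"{m.group(1)}: isakmp not enabled on {m.group(2)}")
            continue
        for sub, known, what in checks:
            if m := re.match(r"crypto map (\S+) (\d+) " + sub, l):
                for name in m.group(3).split():
                    if name not in known:
                        findings.append(f"{m.group(1)} {m.group(2)}: no {what} named {name}")
    return findings
```

Calling `audit_l2l(SAMPLE_CONFIG)` returns one finding, for peer 10.10.4.108; renaming the tunnel group to the peer address clears it.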

5 Replies

Loren Kolnes
Cisco Employee

Hi,

That is a very useful command and I just wanted to note that it has been available since 8.0(3).

Thanks,

Loren

Ha, guess I am a little slow.

Wonder what else I have missed?

??????

Please tell me more!!!!!!!!!!!!!!!!!!!!!!

Tks

Frank

Hi Frank,

Per the command reference it has been available since 8.0(3)

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1538001

I verified running 8.0(3)

SA5510(config)# sh ver | inc Ver

Cisco Adaptive Security Appliance Software Version 8.0(3)

Device Manager Version 6.2(3)

ASA5510(config)# vpnsetup ?

configure mode commands/options:

  ipsec-remote-access  Display IPSec Remote Access Configuration Commands

  site-to-site         Display IPSec Site-to-Site Configuration Commands

Not sure why you do not see it in the interim release.

Thanks,

Loren

Hi Loren,

I do see it, I was thanking you for pointing out my oversight!!!!!

THANK YOU!!

Frank

(BTW, I did post a message indicating I didn't see it and seconds later I deleted that message, guess the caching server is holding old details).

Nevertheless, I do see it and thanks again!!
