About Ben F

Ben F · 08-14-2018

I have seen several posts regarding this topic, but nothing seems to be fully inclusive. This post is also not fully inclusive, but hopefully the discussion will help iron out some details. As of version 9.8.1 (I think) the ASA has support for IKEv2 ...

Ben F · 01-23-2018

Scenario: A customer has an existing LAN 192.168.100.0/24 with a gateway of .1 on the ASA. They have a new phone system that uses 172.16.2.0/24. The phone system has its own switch for the phones as well as a router. External phone traffic has to tra...

Ben F · 08-28-2017

Hello. Recently we installed a brand new ASA 5506 for a client. After the installation we were able to SSH into the device via the outside interface and the outside interface responded to pings. Now, the ASA will not respond and we cannot SSH to it. ...

Ben F · 08-10-2017

Studying for CCNP 300-115 and during my review I was exploring the options for dynamic arp inspection. I'm curious about the difference between "Sender MAC address" and "Single Sender host"....I can only spend so much time on Google so this seems to ...

Ben F · 06-29-2017

I'm still fairly new to the ASA world. I'm trying to wrap my head around how the ASA handles routing. Specifically I'm looking at routing when there is also a site-to-site VPN. In the VPN configuration process we define "interesting traffic" and the ...

Ben F · 10-24-2018

Just ran into this issue, but luckily I had been curious about VTI for just this scenario. Here is my template. I think it should contain all the command you need. !IKEV2 USING VTI CONFIGURATIONsysopt connection tcpmss 1350sysopt connection preserv...

Ben F · 10-24-2018

You can consider using route-based VPN. You will need 4 VTI interfaces to support the 4 possible combinations of source/destination. (Primary->Primary, Primary->Secondary, Secondary->Primary, Secondary->Secondary). I believe this template contains mo...

Ben F · 10-04-2018

I was going to post something just like this as I was building what I believe would be the necessary configuration. Each site would have 2 public IPs and would try to use primary-primary, backup-primary, primary-backup, backup-backup in that order. I...

Ben F · 09-18-2018

I was having the same error message when attempting to connect to one of our customer's VPNs. Tested from another computer and had the same error. Tested to a different customer VPN and did not get the message. Google gave a few ideas, but none of th...

Ben F · 08-13-2018

For a route based VPN you won't need the crypto map on the outside interface. I don't think the group-policy is needed either. If using PSK then you will still want to keep the tunnel-group portion. I have just set one of these up for the first time ...

Member Since	‎02-27-2013 02:09 PM
Date Last Visited	‎12-11-2018 12:48 PM
Posts	30

User Statistics

User Activity

IKEv2 VTI to Azure

ASA 5506-Intra-interface traffic with 2 subnets

ASA 5506 outside access

DAI command options

ASA routing with S2S VPN

Re: CSCud22276 - ENH Multiple Peers support for IKEv2

Re: Hi All,

Re: Failover Site-to-Site IPSec VTI Tunnels Between two ASA 9.7(1) using CLI

Re: [AnyConnect] No valid certificates available for authentication

Re: Hi Guys,