Hi Experts,    When using NAT-T, we're using Private address in the " match identity address" command. If we replace this private IP with the Public IP (1.2.3.4), the tunnel doesn't come up. Can someone please assist how NAT-T working in the match identity address statements. Thanks in advance   Configs ==== Hub-Router #  crypto keyring OUR_KEYRING   pre-shared-key address 1.2.3.4 key <key>   crypto isakmp profile PROFILE_NAME    vrf TEST    keyring OUR_KEYRING    match identity address 10.0.0.1 255.255.255.255   crypto map OUR_MAP  ipsec-isakmp   set peer 1.2.3.4   set isakmp-profile PROFILE_NAME     Cheers, Sri ... View more

Hi Experts,    We've configured Remote Access IPSEC VPN on ASA (9.1). Users are configured to use VPN client. From the various blogs, I see " crypto isakmp nat-traversal"command is required for NAT-T but I don't see any configs relating to NAT-Traversal in ASA.  Please assist.   1.Is NAT-T allowed by default in ASA...? 2.Should we need to allow UDP-4500 in Outside Interface ACL...? ASA # show vpn-sessiondb ra-ikev1-ipsec Session Type: IKEv1 IPsec Username : 12345 Index : 10489 Assigned IP : XX.198.175.30 Public IP : XX.242.13.39 Protocol : IKEv1 IPsecOverNatT                           ---------->>>> License : Other VPN Encryption : IKEv1: (1)AES256 IPsecOverNatT: (1)AES128 Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1 Bytes Tx : 40104101 Bytes Rx : 2774721 Group Policy : GroupVPN   Tunnel Group : GroupVPN Login Time : 03:10:53 EDT Sun Oct 21 2018 Duration : 2h:09m:30s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A ... View more

Hi Experts,    We've configured Remote Access IPSEC VPN on ASA (9.1). From the various blogs, I see " crypto isakmp nat-traversal" command is required but I don't see any configs relating to NAT-T in ASA.   1.Is NAT-T allowed by default in ASA... 2.Should we need to allow UDP-4500 in Outside Interface ACL...?   Please assist.     ASA # show vpn-sessiondb ra-ikev1-ipsec Session Type: IKEv1 IPsec Username : 12345 Index : 10489 Assigned IP : XX.198.175.30 Public IP : XX.242.13.39 Protocol : IKEv1 IPsecOverNatT          ---------->>>> License : Other VPN Encryption : IKEv1: (1)AES256 IPsecOverNatT: (1)AES128 Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1 Bytes Tx : 40104101 Bytes Rx : 2774721 Group Policy : GroupVPN   Tunnel Group : GroupVPN Login Time : 03:10:53 EDT Sun Oct 21 2018 Duration : 2h:09m:30s Inactivity : 0h:00m:00s NAC Result : Unknown VLAN Mapping : N/A ... View more

Hi Experts,    We've multiple ASA's with the CSM (Cisco Security Manager) and not all firewalls are CSM managed.    Is there any way to find from ASA CLI that device managed by CSM... ... View more

Hi Experts,    Can someone please assist the difference between Remote Access VPN vs Remote Access IPSEC VPN with their differences or similarities.    Because both configs and functionalities looks similar and both the VPN's are connected using Anyconnect and provide IP addresses for the connecting users from local Pool.  Any difference in functionalities. Thanks   tunnel-group IPSEC-Remote-VPN ipsec-attributes ikev1 pre-shared-key 123456   tunnel-group ANYCONNECT-PROFILE webvpn-attributes ASA(config-tunnel-webvpn)# group-alias ANYCONNECT-PROFILE enable   ... View more

Hi Experts,    We've 3 zones called Inside, DMZ and Outside. We're doing PAT for  Inside users to reach out to Internet using External Interface public IP .   We've applied ACL's on all interfaces (In->Out, Out-In, Out-DMZ, DMZ-In).   My query is, I see only PAT rules in place to happen and NO ACL on Inside Interface to allow the traffic on firewall . Since there is implicit deny at the very end of ACL, by default it'll drop and not sure how it works.  Even in Cisco docs, I don't see any ACL's being configured or mentioned related to PAT. Please assist   object network inside-subnet subnet 192.168.0.0 255.255.255.0 nat (inside,outside) dynamic interface     Regards, Srinivasan ... View more