Hi Nihal,   Thanks for sharing your observations and you are spot on! VPN migration and ability to apply NGFW (File/IPS Policy) on rule/s is in road-map and will be implemented as and when APIs are made available (VPN).   Thanks, Santhosh ... View more

Hi Nihal,   Lets name FTD's as FTD1 and FTD2. For an ASA-HA pair, we recommend migrating Active-ASA's config to FTD1 (without HA created on FMC). Post migration, create HA pair on FMC by choosing FTD1 as primary and FTD2 as secondary/standby unit (not vice-versa);  this way config available on FTD1 will be sync'd with FTD2 as part of HA.   Note: HA creation including standy-IP configuration is manual.   Let me know if this answers your query.   Regards, Santhosha Shetty ... View more

For L2L config: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119007-config-asa9x-ike-ipsec-00.html You can treat your ASA as Central-ASA. For RA-IPsec Config: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html#configasa The config guide was prepared using older ASA/ASDM code.If you are using new ASA code, use keywords ikev1 instead of isakmp(shown in doc for old ASA code) **Also note CISCO IPSEC Client (RA-VPN client) is no more supported, its already EOL and EOS Regards, Santhosh ... View more

Hi Hasan, What kind of RA VPN solution are you using? As stated in previous response, ANYCONNECT for RA and L2L can go together for same peer IP. If at all you want to terminate RA-Ipsec , then you can give it a shot by making both l2l and RA terminate using dynamic-map( this ASA will only act as responder to VPN connection) HTH, Santhosh ... View more

Hi  Joshuskarki, Following doc explains the use of tunnel-default route: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112182-ssl-tdg-config-example-00.html All it does it forward the packets received from tunnel to gateway mentioned in tunnel-default route. If the traffic fails , then troubleshoot it like any other traffic on upstream devices. Key thing would to make sure upstream device(before ISP) knows routing info of VPN pool, so return traffic can be forwarded back onto ASA. Do capture on ASA internal interface to check if its forwarding the request packets and receiving reply or not. BR Santhosh ... View more

Hi Mdy,   collect following along with ldap debug:   debug webvpn 127 debug webvpn any 127 debug dap trace 127 debug aaa common 127   ... to turn off the debugs " undebug all"   Regards, Santhosh ... View more

Hi,   Irrespective of kind of vpn( RA, Site to site) vpn connection has to pick a tunnel-group if its has to succeed. If there is no specific group configured for either for IP or a string , the connection will always fall under default group. ASA has default group for RA-vpn and l2l-vpn. You can use those group as base for Qos.   HTH. Santhosh ... View more

Hi,   FYI: http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-2mt/sec-conn-dmvpn-per-tunnel-qos.html#GUID-182BD32F-56D4-479C-BFEF-B9738291E046   The Qos policy will be applied only on HUB router, henceforth traffic shaping/policing happens for traffic only on hub router.. You can apply different Qos policies based on NHRP group.   HTH Santhosh ... View more

Hi Mathew, Looks like ASA already has static VPN configured with lets say peer IP x.x.x.x and the dynamic-client connections are also coming using same source( i.e. x.x.x.x) ; *This is not a supported scenario* since ASA will not be able to negotiate two different IPSec SA’s for same peer matching two different crypto map. There already exist static map for peer x.x.x.x and when it comes to matching the group based on IP ,it always picks static map since it is placed above dynamic map. • Any specific reason you are using client based vpn even though there exist a site to site vpn between same two peers? • If at all you want to use client based vpn, you have to go for Anyconnect vpn.   HTH, Santhosh ... View more

Hi Jim,   You can use tunnel default route for vpn traffic: ASA(config)# route inside 0.0.0.0 0.0.0.0 <inside hop> tunneled configure mode commands/options:   <1-255>   Distance metric for this route, default is 1   track     Install route depending on tracked item   tunneled  Enable the default tunnel gateway option, metric is set to 255   This route is applicable for only vpn traffic.   HTH, Shetty ... View more

Hi, Any specific reason you want to assign an ip to ipsec client in the same subnet as internal server/lan? Regards, Shetty ... View more

Hi Mike, As per crypto access-list 115 , I see the allowed source subnet is actual LAN(172.17.x.x). One thing to note is when you configure NAT for vpn traffic , one will have to use source subnet in the crypto access-list as NATed IP subnet because crypto access-list look up happens after the NAT.   HTH,   Santhosh ... View more

Hi Joel, So if I understand right with static map you are trying to build site to site vpn over satellite link and as a back up you have configured dynamic-map to accept dynamic connection from peplink 3G device over same WAN connection ? If both the  tunnels are built over same WAN interface , do note that if suppose both peers try to build tunnel at same time  with router its going to keep only one ( since both peers presents same vpn network/proxy-id).   What exactly does happen whe you add dynamic profile? Lets say you have tunnel working fine with ASA and you add dynamic profile, does tunnel with ASA go down? Debug logs should tell us why a tunnel is torn down. debug crypto condition peer ipv4 <remote peer public IP> //** set the condition for both ASA and peplink device one by one.   collect following debugs:   debug cry isa debug cry ipsec   After collecting the debugs turn it off using "undebug all"   Thanks, Shetty     ... View more

Hi Joel, I see you have applied the same ACL -VPN-TRAFFIC under both static and dynamic map:   crypto dynamic-map dynmap 20  set transform-set 3desset  set pfs group2  set isakmp-profile dynprofile  match address VPN-TRAFFIC ! ! crypto map CMAP_CF 1 ipsec-isakmp  description Tunnel to46.183.191.1  set peer 46.183.191.1  set transform-set TS  set pfs group5  match address VPN-TRAFFIC crypto map CMAP_CF 20 ipsec-isakmp dynamic dynmap   Why would you need match address for dynamic-map ?   Regards, Shetty   ... View more