
ASK THE EXPERTS - IP SECURITY VPN

ciscomoderator
Community Manager

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN  with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan.  Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security.  Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.


Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.


Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.


Hi Syed,

I made the change you recommended; I'm still unable to ping anything, including the inside gateway. Here is the rest of what you requested.

FW-AVANT# sho crypto ipsec sa
interface: outside
   
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 69.30.33.246

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.32.20/255.255.255.255/0/0)
      current_peer: 69.30.17.149, username: avnt.admin
      dynamic allocated peer ip: 172.16.32.20

      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 69.30.33.246, remote crypto endpt.: 69.30.17.149

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 52113B0C

    inbound esp sas:
      spi: 0xD88B7A84 (3633019524)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 36864, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28689
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00001FFF
    outbound esp sas:
      spi: 0x52113B0C (1376860940)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 36864, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 28688
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

FW-AVANT# sho crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 69.30.17.149
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

Counters on the ASA side look good, as I can see encaps as well as decaps. Now we need to check the client side. Can you pls right click on the yellow "lock" icon in the system tray on the right? (It should show a lock when your connection is up.)

Right click ->Statistic tab->encaps/decaps counter

What do you see there?

Thanks

-Syed

See attached screenshot.

The ASA is sending the packets, as we saw 12 encrypts, but the client is not receiving them, as its Decrypt counter is 0. Check the path in the direction from the ASA to the client and see if anything is blocking the VPN traffic.

thanks

-Syed
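
As an added example (not from the thread), a small Python triage script that applies the check Syed walks through above: parse the encaps/decaps counters from the ASA's `show crypto ipsec sa`, confirm the IKE SA is active, and compare the ASA counters with the client's encrypt/decrypt statistics to name the direction that drops packets. The trimmed ASA excerpt and the client values are constructed from the numbers quoted in the thread.

```python
"""Triage IPsec SA counters from both ends of a remote-access tunnel.
Added example: compares ASA 'show crypto ipsec sa' counters with the VPN
client's Statistics tab to say which direction is dropping packets."""
import re

# Constructed excerpt of the ASA output posted in the thread (12 encaps, 12 decaps).
ASA_IPSEC_SA = """\
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""
ASA_ISAKMP_SA = "    Rekey   : no              State   : AM_ACTIVE"

# Constructed client-side values: the thread reports the client Decrypt counter at 0.
CLIENT_ENCRYPT, CLIENT_DECRYPT = 12, 0

COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps|encrypt|decrypt)|send errors|recv errors): (\d+)")

def parse_sa_counters(text):
    """Sum the encaps/decaps/encrypt/decrypt and error counters over all SAs in the output."""
    counters = {}
    for name, value in COUNTER_RE.findall(text):
        key = name.replace("pkts ", "").replace(" ", "_")
        counters[key] = counters.get(key, 0) + int(value)
    return counters

def ike_is_active(text):
    """True when the IKE SA state is MM_ACTIVE or AM_ACTIVE (phase 1 completed)."""
    match = re.search(r"State\s*:\s*(\w+)", text)
    return bool(match) and match.group(1).endswith("_ACTIVE")

def diagnose(asa, client_encrypt, client_decrypt):
    """Return findings comparing what the ASA sends/receives with what the client sees."""
    findings = []
    if asa.get("encaps", 0) > 0 and client_decrypt == 0:
        findings.append("ASA->client: ASA encapsulates packets but the client decrypts none; "
                        "check the path from the ASA to the client for anything blocking VPN traffic")
    if client_encrypt > 0 and asa.get("decaps", 0) == 0:
        findings.append("client->ASA: client encrypts packets but the ASA decapsulates none; "
                        "check the path from the client to the ASA")
    return findings or ["both directions increment; the IPsec path looks healthy"]

if __name__ == "__main__":
    counters = parse_sa_counters(ASA_IPSEC_SA)
    print("IKE active:", ike_is_active(ASA_ISAKMP_SA), counters)
    for finding in diagnose(counters, CLIENT_ENCRYPT, CLIENT_DECRYPT):
        print("-", finding)
```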

sk2317
Level 1

What switching schemes are available on the Cisco ASA 5520 firewall?

Sunny

Hi Sunny,

Can you pls elaborate more on your question?

Are you looking to find out whether the ASA supports cut-through / store-and-forward switching mechanisms, or something else?

thanks

-Syed

Kipyegon Kilele
Level 1

Hi There.

My question is about configuring an ASA 6510 with IOS version 8.3. How do I achieve VLAN separation using the said ASA? In global mode I didn't find the option for VLAN configs, but subinterface VLANs were there. Can it be possible?

I encountered enormous problems trying to separate Voice and Data. Also, I wanted to make it a DHCP server, but it didn't work. I saw a warning that I was running a higher IOS version (8.3) and it was not compatible with the hardware unless I upgrade my RAM to 1 GB.

Please guide me or give me the whole clue about this firewall's configs, especially configuring Voice and Data VLANs and making the ASA a DHCP server.

Regards

Hi Kipyegon

ASA 8.3 needs a memory upgrade for certain models, and the 5510 is one of them. You can refer to this link:

http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp321918

For VLANs, you have to configure them on the interface; dot1q trunking is enabled by default.

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/intrface.html#wp1082576

If you don't need any of the new features added in 8.3, I would suggest you try the previous versions 8.2 or 8.0 to check DHCP.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115148

Thanks

Sundar

rtregaskis
Level 1

Hello and thanks for this session as well as any assistance you can provide.

We have a web site that is currently protected by a PIX which we are upgrading to an ASA 5520.  Attacks are now being attempted by trying to access folders and files outside the web site folders and files.  Will either the AIP or the CSC module allow us to block attempts to access files and folders outside of those we allow access to?

Ron Tregaskis

I've been using a Cisco VPN Concentrator 3030 for years. Now I'm migrating to the ASA, and some features have disappeared. I want to know if Cisco will put these features on the ASA:

- PPTP connection;

- Traffic shaping per user? On the Concentrator 3030 I can put a default policy for all users: each user may have 192k for each session. I can't do this on the ASA. If I configure this, all sessions share 192k.

- Traffic shaping in a tunnel-group. On the ASA I can use it in just one direction, for example on input traffic, but I can't do it on output traffic.

PPTP support is not yet planned on the ASA, and I don't see any change in that policy in the near future either.

I understand the limitation on the ASA; however, one of the workarounds on the ASA is to use "match flow ip destination". You have to use this together with match tunnel-group. This combination is one of the few possible multiple-match-statement combinations. With "match flow ip destination", it will police the traffic on a per-destination basis, thus per client.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1977191

hope this helps.

thanks

-Syed

cesquivel58
Level 1

Hi

I have a doubt:

I have an ASA5510 at my main site, and a client with DSL Internet with a dynamic IP and DynDNS.

I want a VPN between my DSL client with DynDNS and the ASA5510. Is it possible?

Best Regards!!

Does your requirement include site-to-site VPN or remote access VPN?

You can have remote access VPN from the remote site with a dynamic IP address.

If you want to have a LAN-to-LAN VPN, then it can be configured to be initiated by the remote site only. Your ASA cannot initiate the tunnel based on a dynamic IP. This feature of defining the peer address with the dynamic keyword is available in IOS but not on the ASA yet:

crypto map MYMAP 10 set peer peer.company.com dynamic

It's documented in the enhancement request:

CSCsc74898 Feature request: real-time name resolution for IPSec tunnel peers

Hope this answers your question.

Thanks

-Syed

gadholwi1
Level 1

Hello,

I want to set up an IPsec gateway for site-to-site IPsec VPN connectivity; the gateway should support different customers with independent NAT statements.

The IPsec gateway should use one public IP address for an outside FVRF; this FVRF, or the corresponding different customer IPsec tunnels, should be mapped to different IVRFs with independent NAT statements.

I have problems with the NAT statement, because it is not possible to configure a NAT statement with the same IP address used in an IVRF:

ipsec-gw#sh run | in nat
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001
ipsec-gw#
ipsec-gw#
ipsec-gw#
ipsec-gw#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ipsec-gw(config)#ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002
% similar static entry (10.79.50.13 -> 10.79.1.1) already exists
ipsec-gw(config)#

Platform is: Cisco 3745 with AIM-VPN/HPII

IOS version: c3745-advsecurityk9-mz.124-25b.bin

With the match-in-vrf command in the NAT statement it is possible to have two statements pointing to the same local inside address in different VRFs:

ipsec-gw#sh run | in static
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001 extendable match-in-vrf
ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002 extendable match-in-vrf
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001 extendable match-in-vrf
ipsec-gw#

But with this configuration the communication is not possible, because the IPsec peer address of this gateway is in another VRF (the FVRF), thus match-in-vrf does not work.

ipsec-gw#ping vrf inside-group001 10.79.2.2 source 10.79.50.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.79.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.79.50.13

*Sep  7 21:56:19.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [25]
*Sep  7 21:56:19.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [25].
*Sep  7 21:56:21.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [26]
*Sep  7 21:56:21.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [26].
*Sep  7 21:56:23.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [27]
*Sep  7 21:56:23.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [27].
*Sep  7 21:56:25.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [28]
*Sep  7 21:56:25.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [28].
*Sep  7 21:56:27.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [29]
*Sep  7 21:56:27.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [29].
Success rate is 0 percent (0/5)
ipsec-gw#

Does anyone know a solution?

Hi

Can you please provide some status on the IPsec tunnel? Is it failing in negotiation, or does the tunnel come up fine but you don't see any encrypts? If you can post your configuration from the IPsec gateway, it would help.

Thanks

Sundar