06-18-2010 03:41 PM
Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan. Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security. Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.
Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.
Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.
06-24-2010 10:51 AM
Hi Syed,
Made the change you recommended, still unable to ping anything including the inside gateway. Here is the rest of your request.
FW-AVANT# sho crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 69.30.33.246
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.32.20/255.255.255.255/0/0)
current_peer: 69.30.17.149, username: avnt.admin
dynamic allocated peer ip: 172.16.32.20
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 12, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 69.30.33.246, remote crypto endpt.: 69.30.17.149
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 52113B0C
inbound esp sas:
spi: 0xD88B7A84 (3633019524)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 36864, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28689
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00001FFF
outbound esp sas:
spi: 0x52113B0C (1376860940)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 36864, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28688
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
FW-AVANT# sho crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 69.30.17.149
Type : user Role : responder
Rekey : no State : AM_ACTIVE
06-24-2010 10:56 AM
Counters on the ASA side look good, as I can see encaps as well as decaps. Now we need to check the client side. Can you pls right-click on the yellow "lock" icon in your system tray (it should show a lock when your connection is up)?
Right click ->Statistic tab->encaps/decaps counter
What do you see there?
Thanks
-Syed
06-24-2010 11:11 AM
06-24-2010 11:14 AM
The ASA is sending the packets, as we saw 12 encrypts, but the client is not receiving the packets, as the Decrypt count is 0. Check the path in the direction from the ASA to the client and see if anything is blocking the VPN traffic.
thanks
-Syed
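The check Syed describes above (compare the ASA's encaps/decaps counters with the client's encrypt/decrypt counters to find which direction is being dropped) can be scripted. This is an added example, not code from the thread or from Cisco; the sample show output is constructed in the same format as the ASA output above, with RFC 5737 placeholder addresses, and the client counters are the two numbers read off the client's Statistics tab.

```python
import re

# Constructed sample in the layout of ASA "show crypto ipsec sa" (placeholder addresses).
ASA_SHOW_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.32.20/255.255.255.255/0/0)
      current_peer: 198.51.100.7, username: vpnuser
      dynamic allocated peer ip: 172.16.32.20
      #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""

# Only the counters that matter for a direction check; "#pkts digest", PMTU etc. are ignored.
COUNTER_RE = re.compile(r"#(pkts (?:encaps|decaps|encrypt|decrypt)|send errors|recv errors):\s*(\d+)")


def parse_ipsec_sa(text):
    """Return the packet counters and the peer address found in one SA block."""
    counters = {name.replace("pkts ", ""): int(value) for name, value in COUNTER_RE.findall(text)}
    peer = re.search(r"current_peer:\s*([\d.]+)", text)
    counters["peer"] = peer.group(1) if peer else None
    return counters


def diagnose(asa, client_encrypt, client_decrypt):
    """Compare ASA-side counters with the client's Statistics tab and name the broken direction.

    ASA encaps = packets the ASA sent into the tunnel; ASA decaps = packets it received from
    the client. A healthy tunnel moves both counters on both ends.
    """
    findings = []
    if asa.get("encaps", 0) > 0 and client_decrypt == 0:
        findings.append("ASA encapsulates but client decrypts nothing: ASA->client ESP path is being dropped")
    if client_encrypt > 0 and asa.get("decaps", 0) == 0:
        findings.append("client encrypts but ASA decapsulates nothing: client->ASA ESP path is being dropped")
    if asa.get("send errors", 0) or asa.get("recv errors", 0):
        findings.append("ASA reports send/recv errors on the SA")
    if not findings:
        findings.append("counters move in both directions; look beyond the tunnel (routing, split-tunnel ACL, inside host firewall)")
    return "; ".join(findings)


if __name__ == "__main__":
    sa = parse_ipsec_sa(ASA_SHOW_OUTPUT)
    print(sa["peer"], diagnose(sa, client_encrypt=12, client_decrypt=0))
```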
06-23-2010 03:04 PM
What switching schemes are available on the Cisco ASA 5520 Firewall?
Sunny
06-24-2010 10:12 AM
Hi Sunny,
Can you pls elaborate more on your question?
Are you looking to find out whether the ASA supports cut-through / store-and-forward switching mechanisms, or something else?
thanks
-Syed
06-24-2010 01:59 AM
Hi There.
My question is about configuring an ASA 6510 with IOS version 8.3. How do I achieve VLAN separation using the said ASA? In the global mode, I didn't find the option for VLAN configs, but subinterface VLANs were there. Is it possible?
I encountered enormous problems trying to separate Voice and Data. Also, I wanted to make it a DHCP server, but it didn't work. I saw a warning that I was running a higher IOS version of 8.3 and it was not compatible with the hardware unless I upgrade my RAM to 1Gb.
Please guide me or give me the whole clue about this firewall's configs, especially configuring Voice and Data VLANs and making the ASA a DHCP server.
Regards
06-24-2010 09:13 AM
Hi Kipyegon
ASA 8.3 needs a memory upgrade for certain models, and the 5510 is one of them. You can refer to this link:
http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp321918
For VLANs, you have to configure them on the interface; dot1q trunking is enabled by default.
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/intrface.html#wp1082576
If you don't need any of the new features added in 8.3, I would suggest you try the previous versions 8.2 or 8.0 to check DHCP.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/dhcp.html#wp1115148
Thanks
Sundar
06-24-2010 05:33 AM
Hello and thanks for this session as well as any assistance you can provide.
We have a web site that is currently protected by a PIX which we are upgrading to an ASA 5520. Attacks are now being attempted by trying to access folders and files outside the web site folders and files. Will either the AIP or the CSC module allow us to block attempts to access files and folders outside of those we allow access to?
Ron Tregaskis
06-24-2010 07:34 AM
I've been using a Cisco VPN Concentrator 3030 for years. Now I'm migrating to the ASA, and some features have disappeared. I want to know if Cisco will put these features on the ASA:
- PPTP connection;
- traffic shaping by user? On the Concentrator 3030 I can put a default policy for all users. Each user may have 192k for each session. I can't do this on the ASA. If I put this, all sessions share 192k.
- traffic shaping in a tunnel-group. On the ASA I can use it in just one direction, for example on input traffic, but I can't do this on output traffic.
06-25-2010 02:53 AM
PPTP support is not yet planned on the ASA, and I don't see any change in the policy in the near future either.
I understand the limitation on the ASA; however, one of the workarounds on the ASA is to use "match flow ip destination". You have to use this with match tunnel-group. This combination is one of the few possible multiple match statements. With "match flow ip destination", it will police the traffic on a per-destination basis, thus per client.
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/m.html#wp1977191
Hope this helps.
thanks
-Syed
06-24-2010 02:01 PM
Hi
I have a doubt:
I have an ASA5510 at my main site, and a client with DSL Internet with a dynamic IP and DynDNS.
I want a VPN between my DSL client with DynDNS and the ASA5510. Is it possible?
Best Regards!!
06-24-2010 02:18 PM
Does your requirement include site-to-site VPN or remote access VPN?
You can have remote access VPN with the remote site having a dynamic IP address.
If you want to have LAN-to-LAN VPN, then it can be configured to be initiated by the remote site only. Your ASA cannot initiate the tunnel based on a dynamic IP. This feature of defining the peer address with the dynamic keyword is available in IOS but not on the ASA yet.
crypto map MYMAP 10 set peer peer.company.com dynamic
It's documented in the enhancement request
CSCsc74898 Feature request: real-time name resolution for IPSec tunnel peers
Hope this answers your question.
Thanks
-Syed
06-24-2010 11:28 PM
Hello,
I want to set up an IPsec gateway for site-to-site IPsec VPN connectivity; the gateway should support different customers with independent NAT statements.
The IPsec gateway should use one public IP address for an outside fvrf; this fvrf, or the corresponding different customer IPsec tunnels, should be mapped to different ivrfs with independent NAT statements.
I have problems with the NAT statement, because it is not possible to configure a NAT statement with the same IP address used in an ivrf:
ipsec-gw#sh run | in nat
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001
ipsec-gw#
ipsec-gw#
ipsec-gw#
ipsec-gw#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ipsec-gw(config)#ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002
% similar static entry (10.79.50.13 -> 10.79.1.1) already exists
ipsec-gw(config)#
Platform is: Cisco 3745 with AIM-VPN/HPII
IOS version: c3745-advsecurityk9-mz.124-25b.bin
with the match-in-vrf command in the nat statement it is possible to have two
statements pointing to the same local inside address in different vrfs:
ipsec-gw#sh run | in static
ip nat inside source static 10.79.50.13 10.79.1.1 vrf inside-group001 extendable match-in-vrf
ip nat inside source static 10.79.43.13 10.79.1.1 vrf inside-group002 extendable match-in-vrf
ip nat outside source static 192.168.1.1 10.79.2.2 vrf inside-group001 extendable match-in-vrf
ipsec-gw#
But with this configuration the communication is not possible, because the IPsec peer address of this gateway is in another VRF (fvrf), thus match-in-vrf does not work.
ipsec-gw#ping vrf inside-group001 10.79.2.2 source 10.79.50.13
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.79.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.79.50.13
*Sep 7 21:56:19.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [25]
*Sep 7 21:56:19.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [25].
*Sep 7 21:56:21.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [26]
*Sep 7 21:56:21.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [26].
*Sep 7 21:56:23.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [27]
*Sep 7 21:56:23.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [27].
*Sep 7 21:56:25.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [28]
*Sep 7 21:56:25.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [28].
*Sep 7 21:56:27.831: NAT: s=10.79.50.13->10.79.1.1, d=10.79.2.2 [29]
*Sep 7 21:56:27.831: NAT: s=10.79.1.1, d=10.79.2.2->192.168.1.1 [29].
Success rate is 0 percent (0/5)
ipsec-gw#
Does anyone know a solution?
06-25-2010 07:38 AM
Hi
Can you please provide some status on the IPsec tunnel? Is it failing in negotiation, or does the tunnel come up fine but you don't see any encrypts? If you can post your configuration from the IPsec gateway, it would help.
Thanks
Sundar