4296 Views, 235 Helpful, 115 Replies
wynneitmgr
Participant

VPN Connectivity

We currently have a VPN set up for our users when they are on the road or working from home using Cisco AnyConnect. We have the VPN set up on our ASA 5508 Firewall.

I now have a client that we send data to that needs us to set up a VPN for the connection. I was wondering if there was anyone out there who would be able to help me create the VPN (IKEv1 or IKEv2) and fill out this VPN questionnaire. Thank you in advance!!

 

vpn1.png

1 ACCEPTED SOLUTION
Rob Ingram
VIP Mentor

@wynneitmgr 

From the CLI you can use the following commands to remove the old recipient and add a new recipient:-

no logging recipient-address xxxx@xxxx.com level alerts
logging recipient-address yyyy@xxxx.com level alerts


115 REPLIES
Rob Ingram
VIP Mentor

Hi @wynneitmgr 

Did you actually want the command syntax or just complete the bits in yellow that are missing?

Here is the IKEv2 information, including the missing yellow bits you could use:-


IKEv2 Policy

Encryption: AES-256
Integrity: SHA-256
Pre-Shared Key: Make this up yourself
DH Group: 19
PRF: SHA256
Lifetime: 86400


IKEv2 IPSec Proposal

Encapsulation: ESP
Encryption: AES-256
Integrity: SHA-256
Lifetime: 28800

@Rob Ingram 

Thanks Rob!

I would like help with setting up the VPN in ASDM, as I have never really done the VPN setup part. I want to make sure not to do anything that would conflict with our current employee VPN.

Rob Ingram
VIP Mentor

Ok, take a backup before you make the configuration changes.

It shouldn't conflict, you can run both in parallel.

Use this guide here if you are going to configure the Site-to-Site VPN using ASDM, when prompted select the encryption, integrity etc values as specified above.

Any problems, please upload the configuration.

HTH

@Rob Ingram 

I am logged into ASDM 7.9 and am trying to use the VPN Wizard to help guide me. Is the Peer address my client's IP?

Rob Ingram
VIP Mentor

No, the peer address is the IP address of the other firewall (the 3rd party) you are attempting to establish a VPN with.

@Rob Ingram 

I entered the Peer IP, now on the Traffic to protect, do I want to put Inside for Local and outside for Remote?

vpn2.png

Rob Ingram
VIP Mentor

The local network is your internal/inside network(s) and remote is the inside/internal network(s) of the peer/3rd party's network.

@Rob Ingram 

Yes, that makes sense. I know my internal network to use for Local Network, how do I know the internal network of the peer? They gave me their Peer address which I used at the beginning of the wizard and then also gave me two Host addresses. Thanks again for your help, I appreciate it!!

vpn3.png

Rob Ingram
VIP Mentor

I expect the remote networks are those 2 HOST addresses (production and QA).

@Rob Ingram 

How do I add 2 addresses to the Remote Network field? 

I ended up creating a new Network Object that had an IP range covering the two addresses. Does that sound right?

Rob Ingram
VIP Mentor

It would probably be better to define 2 objects, then add those network objects to a network object group.

This would probably mirror what the peer has configured, rather than a range.

@Rob Ingram 

Okay, so I created the two addresses as two separate Network Objects, then made a Network Object Group and added the two new Network Objects. Now, I am on to the Security step, I think I need to do the IKE version 2 and add a Pre-shared Key.

Rob Ingram
VIP Mentor

Yes. Referring back to the initial post, the missing yellow bits will need to be confirmed with the peer, as they will need to match exactly. The Pre-shared key will also need to match.

@Rob Ingram 

At the Security step, I have added Pre-shared keys. Is that all I need on this step?

vpn6.png
