cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2119
Views
235
Helpful
115
Replies
Highlighted
Beginner

VPN Connectivity

We currently have a VPN setup for our users when they are on the road or working from home using Cisco AnyConnect. We have the VPN setup on our ASA 5508 Firewall.

 

I now have a client that we send data to that needs us to setup a VPN for the connection. I was wondering if there was anyone out there that would be able to help me create the VPN (IKEv1 or IKEv2) and fill out this VPN questionnaire. Thank you in advance!!

 

vpn1.png

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Mentor

@wynneitmgr 

From the CLI you can use the following command to remove the old recipient and add a new recipient:-

 

no logging recipient-address xxxx@xxxx.com level alerts
logging recipient-address yyyy@xxxx.com level alerts

 

View solution in original post

115 REPLIES 115
Highlighted
VIP Mentor

Hi @wynneitmgr 

Did you actually want the command syntax or just complete the bits in yellow that are missing?

Here is the IKEv2 information, including the missing yellow bits you could use:-

 

IKEv2 Policy

Encryption: AES-256
Integrity: SHA-256
Pre-Shared Key: Make this up yourself
DH Group: 19
PRF: SHA256
Lifetime: 86400

 

IKEv2 IPSec Proposal

Encapsulation: ESP
Encryption: AES-256
Integrity: SHA-256
Lifetime: 28800

Highlighted

@Rob Ingram 

Thanks Rob!

 

I would like help with setting up the VPN is ASDM. As I have never really done the VPN setup part. I want to make sure not to do anything that would conflict with our current employee VPN.

Highlighted
VIP Mentor

Ok. take a backup before you make the configuration changes.

 

It shouldn't conflict, you can run both in parallel.

Use this guide here if you are going to configure the Site-to-Site VPN using ASDM, when prompted select the encryption, integrity etc values as specified above.

 

 

Any problems please upload the configuration

HTH

Highlighted

@Rob Ingram 

 

I am logged into ASDM 7.9 and am trying to use the VPN Wizard to help guide me. Is the Peer address my client's IP?

Highlighted
VIP Mentor

No, the peer address is the IP address of the other firewall (the 3rd party) you are attempting to establish a VPN with.

Highlighted

@Rob Ingram 

I entered the Peer IP, now on the Traffic to protect, do I want to put Inside for Local and outside for Remote?

vpn2.png

Highlighted
VIP Mentor

The local network is your internal/inside network(s) and remote is the inside/internal network(s) of the peer/3rd party's network.

Highlighted

@Rob Ingram 

 

Yes, that makes sense. I know my internal network to use for Local Network, how do I know the internal network of the peer? They gave me their Peer address which I used at the beginning of the wizard and then also gave me two Host addresses. Thanks again for your help, I appreciate it!!

vpn3.png

Highlighted
VIP Mentor

I expect the remote networks are those 2 HOST addresses (production and QA).

 

Highlighted

@Rob Ingram 

 

How do I add 2 addresses to the Remote Network field? 

 

I ended up creating a new Network Object that had an IP range that for the two addresses. Does that sound right?

Highlighted
VIP Mentor

It would probably be better to define 2 objects, then add those network objects to a network object group.

This would probably mirror what the peer has configured, rather than a range.

 

Highlighted

@Rob Ingram 

 

Okay, so I created the two addresses as two separate Network Objects, then made a Network Object Group and added the two new Network Objects. Now, I am on to the Security step, I think I need to do the IKE version 2 and add a Pre-share Key.

Highlighted
VIP Mentor

Yes. Referring back to the initial post, the missing yellow bits will need to be confirmed with the peer, as they will need to match exactly. The Pre-shared key will also need to match.

Highlighted

@Rob Ingram 

 

At the Security step, I have added Pre-shared keys. Is that all I need on this step?

 

vpn6.png