10-12-2020 07:48 AM
We currently have a VPN setup for our users when they are on the road or working from home using Cisco AnyConnect. We have the VPN setup on our ASA 5508 Firewall.
I now have a client that we send data to that needs us to setup a VPN for the connection. I was wondering if there was anyone out there that would be able to help me create the VPN (IKEv1 or IKEv2) and fill out this VPN questionnaire. Thank you in advance!!
11-27-2020 06:38 AM
From the CLI you can use the following command to remove the old recipient and add a new recipient:-
no logging recipient-address xxxx@xxxx.com level alerts
logging recipient-address yyyy@xxxx.com level alerts
10-12-2020 08:03 AM
Hi @wynneitmgr
Did you actually want the command syntax or just complete the bits in yellow that are missing?
Here is the IKEv2 information, including the missing yellow bits you could use:-
IKEv2 Policy
Encryption: AES-256
Integrity: SHA-256
Pre-Shared Key: Make this up yourself
DH Group: 19
PRF: SHA256
Lifetime: 86400
IKEv2 IPSec Proposal
Encapsulation: ESP
Encryption: AES-256
Integrity: SHA-256
Lifetime: 28800
10-12-2020 08:14 AM
Thanks Rob!
I would like help with setting up the VPN in ASDM, as I have never really done the VPN setup part. I want to make sure not to do anything that would conflict with our current employee VPN.
10-12-2020 08:21 AM
Ok, take a backup before you make the configuration changes.
It shouldn't conflict, you can run both in parallel.
Use this guide here if you are going to configure the Site-to-Site VPN using ASDM, when prompted select the encryption, integrity etc values as specified above.
Any problems, please upload the configuration.
HTH
10-12-2020 11:11 AM
I am logged into ASDM 7.9 and am trying to use the VPN Wizard to help guide me. Is the Peer address my client's IP?
10-12-2020 11:26 AM
No, the peer address is the IP address of the other firewall (the 3rd party) you are attempting to establish a VPN with.
10-12-2020 12:43 PM
I entered the Peer IP, now on the Traffic to protect, do I want to put Inside for Local and outside for Remote?
10-12-2020 12:45 PM
The local network is your internal/inside network(s) and remote is the inside/internal network(s) of the peer/3rd party's network.
10-12-2020 12:53 PM
Yes, that makes sense. I know my internal network to use for Local Network, how do I know the internal network of the peer? They gave me their Peer address which I used at the beginning of the wizard and then also gave me two Host addresses. Thanks again for your help, I appreciate it!!
10-12-2020 12:57 PM
I expect the remote networks are those 2 HOST addresses (production and QA).
10-12-2020 01:04 PM - edited 10-12-2020 01:04 PM
How do I add 2 addresses to the Remote Network field?
I ended up creating a new Network Object that had an IP range that covered the two addresses. Does that sound right?
10-12-2020 01:07 PM
It would probably be better to define 2 objects, then add those network objects to a network object group.
This would probably mirror what the peer has configured, rather than a range.
10-12-2020 01:18 PM
Okay, so I created the two addresses as two separate Network Objects, then made a Network Object Group and added the two new Network Objects. Now I am on to the Security step; I think I need to do IKE version 2 and add a Pre-shared Key.
10-12-2020 01:32 PM
Yes. Referring back to the initial post, the missing yellow bits will need to be confirmed with the peer, as they will need to match exactly. The Pre-shared key will also need to match.
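For reference, here is the ASA CLI equivalent of what the ASDM Site-to-Site wizard produces with the IKEv2 values listed above (two peer hosts in an object-group, crypto map, tunnel-group). This is an added example, not configuration posted in this thread; the object names, map name, and all addresses (RFC 5737 documentation ranges) are placeholders that you would replace with your own, and the PSK is deliberately left as a placeholder.

```cisco
! Local network and the two peer hosts (constructed placeholder addresses)
object network LOCAL-LAN
 subnet 10.10.0.0 255.255.0.0
object network PEER-HOST-PROD
 host 203.0.113.10
object network PEER-HOST-QA
 host 203.0.113.11
object-group network PEER-HOSTS
 network-object object PEER-HOST-PROD
 network-object object PEER-HOST-QA
!
! Interesting traffic for the tunnel (the "Traffic to protect" step in the wizard)
access-list S2S-CLIENT-VPN extended permit ip object LOCAL-LAN object-group PEER-HOSTS
!
! Identity NAT so tunnel traffic is not translated by any existing outbound PAT
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static PEER-HOSTS PEER-HOSTS no-proxy-arp route-lookup
!
! IKEv2 policy: AES-256 / SHA-256 / DH group 19 / PRF SHA256 / 86400 s (from the questionnaire)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! IPsec proposal: ESP with AES-256 and SHA-256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Crypto map entry; 28800 s is the IPsec SA lifetime from the questionnaire.
! If a crypto map is already bound to "outside" (e.g. for an IKEv2 AnyConnect
! profile), reuse that map's name with an unused sequence number instead of
! creating a second map; only one crypto map can be applied per interface.
crypto map OUTSIDE-MAP 10 match address S2S-CLIENT-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE-MAP interface outside
!
! Tunnel-group keyed on the peer IP; both PSK values must match what the peer configures
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-SHARED-PSK>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-SHARED-PSK>
```

After the peer brings the tunnel up, `show crypto ikev2 sa` and `show crypto ipsec sa peer 198.51.100.1` confirm the IKE and IPsec SAs and the negotiated algorithms match the questionnaire.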