VPN Connectivity

wynneitmgr
Level 3

We currently have a VPN setup for our users when they are on the road or working from home using Cisco AnyConnect. We have the VPN set up on our ASA 5508 Firewall.

 

I now have a client that we send data to that needs us to set up a VPN for the connection. I was wondering if there was anyone out there that would be able to help me create the VPN (IKEv1 or IKEv2) and fill out this VPN questionnaire. Thank you in advance!!

 

vpn1.png

115 Replies

Was the configuration saved previously? Was there a power cut or was the ASA rebooted?

 

Log in to the ASA via the CLI using PuTTY and run the command write mem; this should save the configuration to memory.

@Rob Ingram 

Yes, I did save the configurations. It seems when the ASA was rebooted it lost the settings. Why do the settings get wiped with a reboot of the ASA? Is there a way to stop that from happening?

If you saved the configuration it should save the full configuration.

 

Perform a test (out of hours): make a change, save the configuration and reboot. If the settings are lost then you could potentially have a hardware/software issue, in which case you'd have to log a call with TAC.

 

Before testing, take a full backup of the ASA.

@Rob Ingram 

Okay, thanks!

 

What command do I need to run on the CLI to check the connection? I cannot ping the IP that I set up in the NAT rules. It times out. I was looking back at the thread but wasn't sure which command it was.

From memory, your traffic only permits traffic from the IP address of your server. Ideally you'd ping from that server or use the packet-tracer command to simulate the traffic - run the command twice.

@Rob Ingram 

 

Result of the command: "show crypto ikev2 sa"

There are no IKEv2 SAs

@Rob Ingram 

 

Would you be interested in helping me with the settings? I think since it was erased from ASDM, I have missed something when I set it up again. We could do a screen share. Let me know. Thank you!

Not sure if @Rob Ingram jumped into this already; if not, what specifically do you think has been wiped out after the firewall reload? Typically, if you save the config it should remain there, unless your device has a corrupted filesystem that does not allow storing the running config to the startup config. One easy way to verify this is to save, then issue the command show startup-config and check if the new changes are reflected in there.
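Added example (not part of any post in this thread and not Cisco's code): one way to automate the check described above is to capture the output of show running-config and show startup-config and diff them, so that any setting that exists only in the running config stands out before a reload. The sample outputs, the hostname, the 192.0.2.10 peer and the function names are constructed for illustration; skipping lines that start with ":" and the Cryptochecksum trailer is an assumption about which lines carry no settings.

```python
import difflib

# Constructed sample outputs (not taken from the thread's firewall).
STARTUP = """\
: Saved
: Written by enable_15 at 10:00:00.000 UTC Mon Jan 1 2024
hostname asa-example
logging recipient-address xxxx@xxxx.com level alerts
crypto ikev2 enable outside
Cryptochecksum:00000000000000000000000000000000
: end
"""
RUNNING = """\
: Saved
hostname asa-example
logging recipient-address yyyy@xxxx.com level alerts
crypto ikev2 enable outside
tunnel-group 192.0.2.10 type ipsec-l2l
Cryptochecksum:11111111111111111111111111111111
: end
"""

def normalize(config_text):
    """Drop blank lines, ':' comment lines and the checksum trailer."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()  # keep leading indentation of sub-commands
        if not line or line.startswith(":") or line.startswith("Cryptochecksum:"):
            continue
        lines.append(line)
    return lines

def unsaved_changes(running_text, startup_text):
    """Return (only_in_running, only_in_startup) as lists of config lines."""
    only_running, only_startup = [], []
    for entry in difflib.ndiff(normalize(startup_text), normalize(running_text)):
        if entry.startswith("+ "):
            only_running.append(entry[2:])
        elif entry.startswith("- "):
            only_startup.append(entry[2:])
    return only_running, only_startup

if __name__ == "__main__":
    added, missing = unsaved_changes(RUNNING, STARTUP)
    for line in added:
        print("running only :", line)   # would be lost on reload
    for line in missing:
        print("startup only :", line)   # would come back on reload
```

Two empty lists mean the saved configuration matches what is running; anything listed as "running only" has not reached the startup config.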

@Aref Alsouqi 

@Rob Ingram 

Thank you! Everything looks good when I run show startup-config, however, I did see a line that needs to be updated. Where would I update the email address in the line below? The user whose email is listed is no longer with the company. Thanks!

 

logging recipient-address xxxx@xxxx.com level alerts

 

 

@Aref Alsouqi 

@Rob Ingram 

 

I notice it only lets me choose one type of notification. How can I set more than one notification type for the same email address? I tried adding another one, but it said the email address was already being used.

 

fw2.png

@wynneitmgr 

From the CLI you can use the following command to remove the old recipient and add a new recipient:-

 

no logging recipient-address xxxx@xxxx.com level alerts
logging recipient-address yyyy@xxxx.com level alerts