VPN Connectivity

wynneitmgr
Level 3

We currently have a VPN setup for our users when they are on the road or working from home using Cisco AnyConnect. We have the VPN setup on our ASA 5508 Firewall.

I now have a client that we send data to that needs us to set up a VPN for the connection. I was wondering if there was anyone out there who would be able to help me create the VPN (IKEv1 or IKEv2) and fill out this VPN questionnaire. Thank you in advance!!


vpn1.png

115 Replies

Does it not display them on the console?

What logging do you have enabled?

@Rob Ingram

Nothing shows on the console. How do I enable logging? Can I do that in ASDM?

I assume you are connecting via SSH, if so enter these commands:


logging enable

logging monitor notifications

logging buffer-size 16000

With those debug commands previously configured, run a ping for a while, this should generate some debug logs. Once you've finished generating the debugs, turn off debugging using the command "undeb all".

@Rob Ingram

Not sure what I am doing wrong? I am using PuTTY

firewall2.png

You need to enter the command "conf t" and then you can enter those commands.

@Rob Ingram

Where do I find the debug messages?

firewall3.png

You need to ping from WYNNEAPP1 server to the Comdata server.

If you ping from the ASA itself, it won't match the local address you defined when configuring the VPN.

@Rob Ingram

I had all the logging enabled using PuTTY. Then I pinged the IPs from WYNNEAPPS1 but nothing showed up in the console on PuTTY. Where should I be looking for the debug messages?

Logs won't show up on the screen unless you configure monitor logging; debugs instead should show up when you enable them. However, you need to generate some interesting traffic before you can see the crypto IKE debugs. Try to use packet-tracer to simulate some VPN traffic:

packet-tracer input <internal interface> icmp <local endpoint IP> 8 0 <remote endpoint IP>

It should appear in PuTTY. One potential reason the logs don't appear is if your ACL is incorrect and the traffic does not match and therefore does not trigger the tunnel.

Can you please provide your configuration file and I'll have a look.

@Rob Ingram 

Are you wanting the VPN configuration file? How do I export that from ASDM?

In ASDM navigate to Tools > Backup Configurations. I don't need the full configuration, just the running-configuration. Save as a file and upload the file for review.

Attaching here the configuration backup. Let me know what you see. Thank you!!

You need to slightly tweak your NAT exemption rule, as there is another more specific rule for "WYNNEAPPS" that is above it.

Copy and paste the below:

no nat (inside,outside) after-auto source static WYNNEAPPS1 WYNNEAPPS1 destination static COMDATA COMDATA no-proxy-arp
nat (inside,outside) source static WYNNEAPPS1 WYNNEAPPS1 destination static COMDATA COMDATA no-proxy-arp

Run your test ping again from 10.0.0.3.
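To illustrate why moving the NAT exemption out of the after-auto section matters, here is an added Python model (not from this thread or from Cisco) of the ASA's first-match evaluation across NAT sections 1, 2 and 3; the sample addresses, the COMDATA subnet and the object NAT rule for WYNNEAPPS1 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample addressing: the thread only names the objects WYNNEAPPS1
# (the 10.0.0.3 host) and COMDATA; the COMDATA and public subnets are placeholders.
SRC_IP = ipaddress.ip_address("10.0.0.3")
DST_IP = ipaddress.ip_address("203.0.113.10")
WYNNEAPPS1 = ipaddress.ip_network("10.0.0.3/32")
COMDATA = ipaddress.ip_network("203.0.113.0/24")
OUTSIDE_PUBLIC = ipaddress.ip_network("198.51.100.5/32")  # placeholder mapped address

@dataclass
class NatRule:
    name: str
    section: int  # 1 = manual, 2 = object (auto), 3 = manual "after-auto"
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None matches any destination
    mapped_src: ipaddress.IPv4Network

    def is_identity(self) -> bool:
        # A NAT exemption translates the source to itself.
        return self.src == self.mapped_src

def first_match(rules: List[NatRule], src_ip, dst_ip) -> Optional[NatRule]:
    # The ASA walks section 1, then 2, then 3 and stops at the first hit.
    # sorted() is stable, so configuration order is kept inside a section
    # (real object-NAT ordering inside section 2 is more involved; simplified here).
    for rule in sorted(rules, key=lambda r: r.section):
        if src_ip in rule.src and (rule.dst is None or dst_ip in rule.dst):
            return rule
    return None

def build_rules(exemption_section: int) -> List[NatRule]:
    # An object NAT rule for WYNNEAPPS1 (section 2) sits above an exemption
    # placed in section 3 and catches the traffic first; placing the exemption
    # in section 1 (no "after-auto") makes it win.
    return [
        NatRule("object-nat-WYNNEAPPS1", 2, WYNNEAPPS1, None, OUTSIDE_PUBLIC),
        NatRule("exempt-WYNNEAPPS1-to-COMDATA", exemption_section,
                WYNNEAPPS1, COMDATA, WYNNEAPPS1),
    ]

def exemption_wins(exemption_section: int) -> bool:
    # True when the VPN traffic keeps its real source address (identity NAT).
    hit = first_match(build_rules(exemption_section), SRC_IP, DST_IP)
    return hit is not None and hit.is_identity()

if __name__ == "__main__":
    print("after-auto exemption used:", exemption_wins(3))  # False
    print("section-1 exemption used:", exemption_wins(1))   # True
```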

@Rob Ingram

Will this affect any connections I already have with WYNNEAPPS1? I don't want to interfere with other connections. Thank you!!