VPN Connectivity

wynneitmgr
Level 3

We currently have a VPN setup for our users when they are on the road or working from home using Cisco AnyConnect. We have the VPN setup on our ASA 5508 Firewall.

 

I now have a client that we send data to that needs us to set up a VPN for the connection. I was wondering if there was anyone out there who would be able to help me create the VPN (IKEv1 or IKEv2) and fill out this VPN questionnaire. Thank you in advance!!

 

vpn1.png

115 Replies

Yes, you don't need to configure any certificate information.

Obviously the pre-shared key needs to be the same key used by the peer.

@Rob Ingram 

 

Yes, peer will use the same key.

 

Here is what the finished VPN looks like.

 

vpn7.png

Ok, well you've selected all ciphers for IKEv1 and IKEv2, so it's bound to match one of them!!!

Did you create a NAT exemption rule to ensure traffic from your local network to the remote networks (those 2 IP addresses) is not NATted?

@Rob Ingram 

 

No, I did not create a NAT exemption rule. What should that look like?

vpn11.png

 

Also, they are wanting our IP address, which I believe is our public IP. And then our HOST address, not sure what this is?

vpn10.png

Correct, the public IP address.

 

The host address is the private IP address(es) of the computers accessing the peer network, which would be your internal/inside networks. It looks like they want each individual IP address (which is what a /32 represents). So, for example, if you have 5 computers accessing their VPN, you will define 5 host IP addresses in a network object. Your configuration needs to match exactly what they've configured.

 

NAT Exemption rule would look something like this:

 

nat exemption.PNG

 

@Rob Ingram 

 

Here is what I made for NAT rule:

vpn12.png

Ok, looks ok. So as long as "wynneapps1" represents the host(s) on your internal network and "Comdata" represents the hosts on the remote network, then this traffic would not be NATted.

 

You'll need to ensure you are using those objects in the configuration of the VPN; these host objects should mirror the peer's configuration.

@Rob Ingram 

 

Okay, thanks for all your help! I will send the info over to them so they can test. I'll let you know how it goes or if I have any additional questions.

@Rob Ingram 

 

So now that I have the VPN all configured on my Firewall, how do I test the VPN connection is working? I was thinking just ping the IP addresses, is that correct? Or is there another way to test the VPN connection?

Yes, run a ping from WYNNEAPP1 to the Comdata IP address.

 

If the ping doesn't work, from the CLI run "show crypto ipsec sa" and provide the output for review.

@Rob Ingram 

 

I was unable to ping 2 of the IP addresses.

 

Here is the output from the CLI "show crypto ipsec sa":

There are no ipsec sas

Ok, I assume there is no output from "show crypto ikev2 sa" either?

 

Can you turn on the debugs "debug crypto ikev2 platform 128" and "debug crypto ikev2 protocol 128" and provide the output for review, please?

@Rob Ingram 

 

Yes same thing on "show crypto ikev2 sa": There are no IKEv2 SAs

 

Not getting anything on debug

firewall1.png

Sorry, I wasn't clear. After you entered those 2 debug commands, run the ping again. This will hopefully generate traffic and attempt to establish a VPN tunnel, which should produce a load of debug messages.
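To tie the NAT exemption, host objects and verification steps discussed above together, here is an added ASA CLI example (not the poster's configuration and not taken from the thread). The addresses, interface names, the grouping of the two Comdata hosts into an object-group and the peer address 203.0.113.10 are all assumptions; only the object names "wynneapps1" and "Comdata" come from the thread.

```cisco
! Added example, not the poster's actual configuration. Assumed values:
! inside host 10.10.10.5 (wynneapps1), remote hosts 198.51.100.20 and
! 198.51.100.21 (Comdata), VPN peer 203.0.113.10, interfaces "inside" and
! "outside". Replace them with the values from the questionnaire.

! Local /32 host allowed through the tunnel. The peer must define the
! same address on their side.
object network wynneapps1
 host 10.10.10.5

! Remote /32 hosts, grouped so one NAT rule and one crypto ACL cover both.
object network Comdata-1
 host 198.51.100.20
object network Comdata-2
 host 198.51.100.21
object-group network Comdata
 network-object object Comdata-1
 network-object object Comdata-2

! NAT exemption (identity NAT, ASA 8.3+ syntax): traffic from wynneapps1 to
! Comdata keeps its real source address so it matches the crypto ACL.
! no-proxy-arp and route-lookup stop the ASA answering ARP for, or
! misrouting, the remote addresses.
nat (inside,outside) 1 source static wynneapps1 wynneapps1 destination static Comdata Comdata no-proxy-arp route-lookup

! Crypto ACL (interesting traffic) built from the same objects, so it
! mirrors the peer's host list exactly.
access-list VPN-TO-COMDATA extended permit ip object wynneapps1 object-group Comdata

! --- Verification from the ASA CLI (exec mode) ---
! Simulate the ping without touching the host; the trace shows whether the
! NAT exemption and VPN phases are hit and where a packet would be dropped.
packet-tracer input inside icmp 10.10.10.5 8 0 198.51.100.20 detailed

! Confirm the identity NAT rule is matched (translate_hits increments).
show nat detail

! After a real ping from 10.10.10.5, check the IKEv2 and IPsec SAs.
show crypto ikev2 sa
show crypto ipsec sa peer 203.0.113.10

! Debugs only appear in an SSH/Telnet session after these two commands;
! on the console they print by default.
logging monitor debugging
terminal monitor
debug crypto ikev2 protocol 128
debug crypto ikev2 platform 128
```

Remember to run "undebug all" once the output has been captured, since the level-128 debugs are verbose.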

@Rob Ingram 

 

I ran those 2 commands again and then tried to ping. Where will I find the debug messages?
