Ask the Expert - Firewall Security and Troubleshooting VPN for Adaptive Security Appliance(ASA)

ciscomoderator
Community Manager

Learn and ask questions regarding Firewall Security and Troubleshooting VPN for Adaptive Security Appliance (ASA). This event will be a continuation of the live Facebook Forum.

Bhavik Joshi is a Network Consulting Engineer with the Service Provider Delivery team in Bangalore and has more than 3 years of experience working with security solutions implementation and troubleshooting network issues.

He has been actively working on multi-vendor security devices and the migration of multi-vendor security devices to Cisco security solutions. He also holds a CCIE Security certification #26263.

Where:

Please go to Cisco Support Facebook Page on the event day: http://www.facebook.com/CiscoSupportCommunity

When:

8:00 AM PST (San Francisco; UTC -7 hrs)

This corresponds to:

5:00 PM CET (Paris; UTC +1 hr)

9:00 PM PKT (Pakistan, UTC +5 hrs)

9:30 PM IST (India; UTC +5:30 hrs)

11:00 PM (Indonesia; UTC +7 hrs)

What is Facebook Forum?

Facebook forums are online conversations, held at a pre-arranged time on our Facebook page. It gives you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.


Anup Sasikumar
Level 1

Hi Bhavik ,

I'm happy that this topic came up in the Ask The Expert section. Most of my work involves setting up site-to-site VPN tunnels to securely access client locations. We have a Cisco ASA 5505 in place. Is it possible that I can restrict communication from the client end to our location through the tunnel, i.e., restrict client-location machines from accessing our network? Can I use access lists for the same? What access lists should I be configuring?

Regards,

Anup

You can actually do that very easily using the ACL for the site-to-site VPN. You can even get it down to the port level.

Hi Mohammad,

Great! I should be reconfiguring the access lists which define the "interesting" traffic through the tunnel, right?

But I am just wondering. Let's say I have the following setup:

LAN1 (192.168.1.X)->(192.168.1.1- Inside) MainASA (Outside -1.1.1.1) ----- Internet -------(Outside -2.2.2.2) BranchASA  ( Inside - 192.168.2.1) ->LAN 2(192.168.2.X)

When I configure access lists for interesting traffic in the crypto map configuration, is it necessary that I allow traffic between the ASA inside IP addresses to establish a tunnel, or, since we are already specifying the remote peer details with the public IP of the ASA on the other end, is allowing traffic to the ASA inside IP address not required?

If I need to meet the following conditions:

1. All nodes in the main location should be able to access all nodes in Branch location

2. Branch location nodes should only be able access node 192.168.1.100 in Main location

Would the access lists for interesting traffic to be defined in the crypto map configurations be:

Main location

access-list MAIN2BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Branch location

access-list BRANCH2MAIN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.100

Would that also prevent the return traffic (let's say a ping reply) from the 192.168.2.X network when trying to access any node on Branch from the Main location, which is not desired?

Please help !

Regards,
Anup

Hi Anup,

You can use the ACL with restricted source and destination IP. This ACL you have to use with your match address statement with the used crypto map.
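One check worth running before committing such ACLs, as an added example that is not code from this thread: the crypto ACL on each peer supplies the proxy identities that peer proposes in IKE phase 2, so the two ACLs must be exact mirror images of each other or the tunnel will not negotiate. The script below embeds the Main and Branch ACL lines proposed above as constructed input, parses the `permit ip` entries on both sides, and reports every local (source, destination) pair for which the remote side has no mirrored (destination, source) entry; a constructed mirrored pair is included for comparison.

```python
import ipaddress

# Constructed input: the two crypto ACLs proposed in the thread above.
MAIN_ACL = "access-list MAIN2BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"
BRANCH_ACL = "access-list BRANCH2MAIN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.100"

# Constructed comparison entry in which Main exactly mirrors the Branch ACL.
MAIN_ACL_MIRRORED = "access-list MAIN2BRANCH extended permit ip host 192.168.1.100 192.168.2.0 255.255.255.0"


def _take_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | NETWORK MASK) and return it as a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(text):
    """Return the set of (src, dst) networks from 'access-list NAME extended permit ip ...' lines.

    Only 'permit ip' entries are read, since those are the proxy identities a crypto map
    proposes; deny lines, other protocols and remarks are skipped.
    """
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        rest = tokens[5:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_acl, remote_acl):
    """Local (src, dst) pairs for which the remote ACL holds no exact (dst, src) mirror entry."""
    local = parse_crypto_acl(local_acl)
    remote_mirrored = {(dst, src) for (src, dst) in parse_crypto_acl(remote_acl)}
    return sorted(local - remote_mirrored)


if __name__ == "__main__":
    for label, main in (("as proposed", MAIN_ACL), ("mirrored", MAIN_ACL_MIRRORED)):
        bad = mirror_mismatches(main, BRANCH_ACL)
        print(label, "->", "OK, ACLs mirror each other" if not bad else f"unmirrored entries: {bad}")
```

Run against the pair proposed above it reports the Main /24-to-/24 entry as unmirrored, because Branch only proposes the single host; the check should be run in both directions, since a mismatch on either peer breaks the tunnel.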

I have an ASA 5550 and the console port suddenly stopped allowing me to console in, and the management port no longer allows me to console in. So that there is no question, the network cables and console cables work fine on other ASAs and network devices. I tried to reset the device by pushing the reset button but it doesn't appear to do anything, even after I reboot. Any help would be appreciated.

JOHN MURPHY
Level 1

Hello Bhavik ,

I'm interested in learning how to troubleshoot site-to-site VPNs, IPsec and WebVPN. What material would you recommend to assist in this adventure?

Thanks

John

Hi Mohamad,

That's a very useful one ! Thanks for sharing !


Regards,
Anup

Hi John,

There are too many technotes and debugging documents available on Cisco websites; also refer to books like Cisco VPN Troubleshooting and the CCNP Security VPN Official Cert Guide.

kthned
Level 3

Hi Bhavik,

I have to configure two Cisco ASA 5520s in redundant mode with IPv4 and IPv6 support for our VPN clients (running Cisco AnyConnect). My questions are:

  • Is IPv6 support available in the above setup? If yes, please share a document.
  • Is it possible to run both ASAs in Active-Active state? In case one goes down, will the associated VPN clients need to reconnect?
  • Can you share a helpful document for configuring ASA in redundant mode?

Thanks !

Regards,

Umair

Hi Syed,

Please refer to the Cisco document at the link given below. Hope it helps you clear your doubts.

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/ha_active_active.pdf

deansakai1
Level 1

Hi Bhavik,

My ASA5505 does not work properly when I click an AJAX button; it should reload the new pages when I change the contents, but it is not responding and nothing happens. I checked through the Cisco support community and found some questions and answers related to this problem, but it is not quite solved, as in the following links:

ASA5505 Clientless SSL and Ajax issue
https://supportforums.cisco.com/message/3187376#3187376
CISCO ASA 5505 SSL VPN not able to display web pages properly with
Javascript
https://supportforums.cisco.com/message/3143207#3143207
WebVPN - SSL Portal - URL Rewrite
https://supportforums.cisco.com/message/3609935#3609935

CSCub09280 ASA Content rewrite HTML content was treated as ajax response

CSCtk95435 ASA rewriter: radcontrols based AJAX/ASP website not working properly

My question is: if I update the ASA-5505's ASA OS and the ASDM, would that fix the problem?

Please help me!!

Here are the current ASA OS and ASDM versions and the versions I will try to update to.

Cisco ASA-5505
ASA OS
current:8.4(2)
⇒to:9.1(1)

ASDM
current:6.4(5)
⇒to:7.1(1)

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505

Hi Sakai,

You have to upgrade to 9.1(1) or 8.4(5), as this is a bug and it is fixed in that software.
