01-29-2013 07:35 AM - edited 03-11-2019 05:53 PM
Learn and ask questions regarding Firewall Security and Troubleshooting VPN for the Adaptive Security Appliance (ASA). This event will be a continuation of the live Facebook Forum.
Bhavik Joshi is a Network Consulting Engineer with the Service Provider Delivery team in Bangalore and has more than 3 years of experience working with security solutions implementation and troubleshooting network issues.
He has been actively working on multi-vendor security devices and the migration of multi-vendor security devices to Cisco security solutions. He also holds CCIE Security certification #26263.
Where:
Please go to Cisco Support Facebook Page on the event day: http://www.facebook.com/CiscoSupportCommunity
When:
8:00 AM PST (San Francisco; UTC -7 hrs)
This corresponds to:
5:00 PM CET(Paris; UTC +1 hr)
9:00 PM PKT (Pakistan, UTC +5 hrs)
9:30 PM IST (India; UTC +5:30 hrs)
11:00 PM (Indonesia; UTC +7 hrs)
What is Facebook Forum?
Facebook forums are online conversations held at a pre-arranged time on our Facebook page. They give you an opportunity to interact with a live Cisco expert and get more information about a particular technology, service or product.
01-29-2013 10:50 AM
Hi Bhavik ,
I'm happy that this topic came up in the Ask The Expert section. Most of my work involves setting up Site to Site VPN tunnels to securely access client locations. We have a Cisco ASA 5505 in place. Is it possible that I can restrict communication from the client end to our location through the tunnel, i.e., restrict client location machines from accessing our network? Can I use access lists for the same? What access lists should I be configuring?
Regards,
Anup
02-01-2013 11:07 AM
You can actually do that very easily using the ACL for the site to site VPN. You can even get it down to the port level.
02-01-2013 09:41 PM
Hi Mohammad,
Great! I should be reconfiguring the access lists which define the "interesting" traffic through the tunnel, right?
But I am just wondering. Let's say I have the following setup:
LAN1 (192.168.1.X)->(192.168.1.1- Inside) MainASA (Outside -1.1.1.1) ----- Internet -------(Outside -2.2.2.2) BranchASA ( Inside - 192.168.2.1) ->LAN 2(192.168.2.X)
When I configure access lists for interesting traffic in the crypto map configuration, is it necessary that I allow traffic between the ASA inside IP addresses to establish a tunnel, or, since we are already specifying the remote peer details with the public IP of the ASA on the other end, is allowing traffic to the ASA inside IP address not required?
If I need to meet the following conditions:
1. All nodes in the main location should be able to access all nodes in Branch location
2. Branch location nodes should only be able to access node 192.168.1.100 in the Main location
Would the access lists for interesting traffic to be defined in the crypto map configurations be:
Main location
access-list MAIN2BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Branch location
access-list BRANCH2MAIN extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.100
Would that also prevent the return traffic (let's say, a ping reply) from the 192.168.2.X network when trying to access any node on Branch from the Main location, which is not desired?
Please help !
Regards,
Anup
02-04-2013 12:20 PM
Well what you can do is try the VPN filter option, check out this link.
02-04-2013 05:54 AM
Hi Anup,
You can use the ACL with restricted source and destination IP. This ACL you have to use with your match address statement in the crypto map that is used.
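To put the two replies above (VPN filter, and a restricted ACL) into a concrete configuration for Anup's two conditions, here is an added example that is not from the original thread. It keeps the crypto ACLs as exact mirror images on both ASAs and does the restriction with a vpn-filter on the L2L group policy; the addresses are those from Anup's diagram, while the crypto map, transform-set, group-policy and ACL names and the pre-shared key are assumed placeholders.

```cisco
! Added example (not from the original thread). Addresses are from Anup's
! diagram; crypto map, transform-set, group-policy and ACL names are assumed.
!
! ===== MainASA (inside 192.168.1.0/24, outside 1.1.1.1) =====
! 1. Crypto ACL: keep the full subnet-to-subnet match so it is the exact
!    mirror of the branch side. Narrowing only one side of the crypto ACL
!    breaks proxy-identity negotiation and drops return traffic.
access-list MAIN2BRANCH extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address MAIN2BRANCH
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
!
! 2. vpn-filter ACL: written with the REMOTE (branch) network as source and
!    the LOCAL (main) network as destination. The ASA checks it on both
!    directions of the tunnel (addresses are swapped for outbound packets),
!    so it cannot express a pure one-way "permit ip" rule: a port-less ACE
!    would let either side open the connection. Branch hosts may reach
!    192.168.1.100 with any protocol; main hosts may open SSH, RDP and ping
!    to any branch host (the port-based ACEs pin the branch side to those
!    ports, which is as close to one-way as a vpn-filter gets).
access-list BRANCH_FILTER extended permit ip 192.168.2.0 255.255.255.0 host 192.168.1.100
access-list BRANCH_FILTER extended permit tcp 192.168.2.0 255.255.255.0 eq 22 192.168.1.0 255.255.255.0
access-list BRANCH_FILTER extended permit tcp 192.168.2.0 255.255.255.0 eq 3389 192.168.1.0 255.255.255.0
access-list BRANCH_FILTER extended permit icmp 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BRANCH_FILTER extended deny ip any any log
!
group-policy BRANCH_GP internal
group-policy BRANCH_GP attributes
 vpn-filter value BRANCH_FILTER
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy BRANCH_GP
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
!
! Verify that the filter is attached to the live session and watch its hit
! counts while testing from both sides:
!   show vpn-sessiondb detail l2l
!   show access-list BRANCH_FILTER
!
! ===== BranchASA (inside 192.168.2.0/24, outside 2.2.2.2) =====
! Mirror-image crypto ACL; no vpn-filter is needed on this side.
access-list BRANCH2MAIN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
```

Because the vpn-filter is evaluated for both directions, a denied branch-initiated connection shows up as a hit on the final deny line, which is the quickest way to confirm the restriction without affecting tunnel establishment.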
05-02-2013 11:44 PM
I have an ASA 5550 and the console port suddenly stopped allowing me to console in, and the management port no longer allows me to console in. So that there is no question, the network cables and console cables work fine on other ASAs and network devices. I tried to reset the device by pushing the reset button but it doesn't appear to do anything, even after I reboot. Any help would be appreciated.
01-30-2013 04:23 AM
Hello Bhavik ,
I'm interested in learning how to troubleshoot Site-To-Site VPNs, IPSec and Web VPN. What material would you recommend to assist in this adventure?
Thanks
John
02-01-2013 11:08 AM
This is a pretty cool site for troubleshooting VPNs:
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
02-01-2013 09:05 PM
Hi Mohamad,
That's a very useful one! Thanks for sharing!
Regards,
Anup
02-04-2013 06:03 AM
Hi John,
There are too many technotes and debugging documents available on Cisco websites; also refer to books like Cisco VPN Troubleshooting & the CCNP Security VPN Official Cert Guide.
01-30-2013 05:38 AM
Hi Bhavik,
I have to configure two Cisco ASA 5520s in a redundant mode with IPv4 & IPv6 support for our VPN clients (running Cisco AnyConnect). My questions are
Thanks !
Regards,
Umair
02-04-2013 06:09 AM
Hi Syed,
Please refer to the Cisco document at the link given below. Hope it helps you clear your doubts.
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/ha_active_active.pdf
01-31-2013 12:46 AM
Hi Bhavik,
My ASA5505 does not work properly when I click an AJAX button; it should reload the new pages when I change the contents, but it does not respond and nothing happens. I checked through the Cisco support community and found some questions and answers related to this problem, but it is not quite solved, as in the following links:
ASA5505 Clientless SSL and Ajax issue
https://supportforums.cisco.com/message/3187376#3187376
CISCO ASA 5505 SSL VPN not able to display web pages properly with
Javascript
https://supportforums.cisco.com/message/3143207#3143207
WebVPN - SSL Portal - URL Rewrite
https://supportforums.cisco.com/message/3609935#3609935
CSCub09280 ASA Content rewrite HTML content was treated as ajax response
CSCtk95435 ASA rewriter: radcontrols based AJAX/ASP website not working properly
My question is: if I update the ASA-5505's ASA OS and the ASDM, would that fix the problem?
Please help me!!
Here are the current ASA OS and ASDM versions and the versions I will try to update to.
Cisco ASA-5505
ASA OS
current:8.4(2)
⇒to:9.1(1)
ASDM
current:6.4(5)
⇒to:7.1(1)
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505
02-04-2013 06:17 AM
Hi Sakai,
You have to upgrade to 9.1(1) or 8.4(5), as this is a bug and it is fixed in that IOS.