
ASA 8.2 VPN Clean up

Posted on 2016-07-20
Last Modified: 2016-07-29
Devices (ASA, Router)
          |
      @@@@@@@@@@@@
     @@            @@
      @@@@@@@@@@@@
       |          |
     ASA1 ------ ASA2

All VPNs are on ASA1 and ASA2, but at any one time only one connection is up.
I need to make sure all VPN config is the same on both firewalls.
What are the best commands/tools I can use to identify all parts of a VPN config, like crypto map / tunnel group / no-NATs / ACLs?
Is there any software/tool which can identify all the configs linked to one VPN?
Question by:mohannitin
9 Comments
 

Assisted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41721472
If you have them set up in a failover cluster, the configuration is replicated automatically from active to standby.

To compare two configs, you can use Notepad++ and install a plugin for it called Compare.
 

Expert Comment

by:Rafael
ID: 41721487
Are your ASAs in HA mode or two separate, complete firewalls?
Can you provide more details please, and a clean config?

-Rafael
 

Author Comment

by:mohannitin
ID: 41721889
They are not in HA, completely separate firewalls.
 

Author Comment

by:mohannitin
ID: 41721902
What would be a good approach?
1. Remove all VPN config from ASA2 and copy all VPN config from ASA1
2. Fix the existing VPN configuration on ASA2
There are 113 VPN configurations.
Providing the configuration is difficult.
 

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41723164
Run

'Show run crypto map'

Locate the ones that have a peer address that no longer exists (i.e. the ones you want removing).

I'd copy that into notepad at this point.

For every crypto map entry there will be something like the following (the text in bold will probably be different on your firewall):

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM

The first line shows the ACL that needs removing:

show run access-list VPN-INTERESTING-TRAFFIC

will show it; copy that into notepad.

Next locate the transform set:

show run | incl VPN-TRANSFORM

Copy that into notepad

Now you need to locate the NAT statement for this VPN tunnel (SEE MY COMMENTS BELOW, YOU NEED TO SKIP THIS BIT)

show run nat

You will have one that looks like

nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup

Copy that into notepad

Then locate the tunnel group that matches the peer in the crypto map above

show run tun

i.e.

tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *******

Now work BACKWARDS removing them

clear configure tunnel-group 123.123.123.123
!
no nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup
!
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
no access-list VPN-INTERESTING-TRAFFIC extended permit ip object {this-side} object {other-side}
!
clear configure crypto map CRYPTO-MAP 1


SORRY, just noticed you're running version 8.2; your NAT statement will look different:

show run nat

look for the following (you may have a different name than NO-NAT):

nat (inside) 0 access-list NO-NAT

Then do a

show run access-list NO-NAT

Find the one that looks like

access-list NO-NAT permit ip {this-side} {other-side}

and remove that with a

no access-list NO-NAT permit ip {this-side} {other-side}

Repeat for each tunnel, then do the mirror image on the other side of the VPN.
 

Accepted Solution

by:mohannitin
mohannitin earned 0 total points
ID: 41724487
What I am planning to do is copy all of:
1) Tunnel groups from both firewalls
2) Crypto maps from both firewalls
3) NO-NAT from both firewalls
4) ACLs from both firewalls, for comparison
5) Policy NAT statements from both firewalls
paste them into Notepad++ and compare them.
Is there anything else I am missing?
 

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41724780
Transform sets (unless you are using the default ones)
 

Expert Comment

by:SIM50
ID: 41724810
IKE (v1/2) policies
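The manual walk Pete describes above (crypto map entry, its match ACL, transform set, nat 0 / NO-NAT line and tunnel-group) and the comparison checklist in the accepted answer, with the transform sets and IKE policies added in the last two comments, can be done in one script. What follows is an added example written for this thread, not code from any of the posts. It parses two `show run` excerpts in ASA 8.2 syntax (`set transform-set` without the `ikev1` keyword of the 8.4-style crypto map lines quoted above, and `nat (inside) 0 access-list`), collects every fragment tied to each crypto map peer, and reports peers present on only one firewall, tunnels whose parts differ, and ISAKMP policies that differ. The two configs are constructed for the demo; the names CRYPTO-MAP, VPN-SITE-A/B/C, NO-NAT, VPN-TRANSFORM and the 203.0.113.x peers are assumptions. ASA2 is deliberately out of step: the site A tunnel sits at another sequence number, lacks pfs and its NO-NAT line, site B is missing, a stale site C tunnel is left behind, and the IKE policy uses a different hash.

```python
import re
from collections import defaultdict
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs) ?(.*)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) ")
# Constructed 'show run' excerpts in ASA 8.2 syntax; names and 203.0.113.x peers are assumptions.
ASA1 = """\
access-list VPN-SITE-A extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-SITE-B extended permit ip 10.1.1.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-SITE-A
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 203.0.113.10
crypto map CRYPTO-MAP 1 set transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 2 match address VPN-SITE-B
crypto map CRYPTO-MAP 2 set peer 203.0.113.20
crypto map CRYPTO-MAP 2 set transform-set VPN-TRANSFORM
crypto isakmp policy 10
 hash sha
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.20 type ipsec-l2l
"""
ASA2 = """\
access-list VPN-SITE-A extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-SITE-C extended permit ip 10.1.1.0 255.255.255.0 192.168.70.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.70.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 5 match address VPN-SITE-A
crypto map CRYPTO-MAP 5 set peer 203.0.113.10
crypto map CRYPTO-MAP 5 set transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 9 match address VPN-SITE-C
crypto map CRYPTO-MAP 9 set peer 203.0.113.30
crypto map CRYPTO-MAP 9 set transform-set VPN-TRANSFORM
crypto isakmp policy 10
 hash md5
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.30 type ipsec-l2l
"""

def parse(config):
    """One pass over 'show run' text into the tables a VPN is assembled from."""
    acls, ts, cm = defaultdict(list), {}, defaultdict(dict)
    nat0, tg, isakmp = [], defaultdict(list), defaultdict(list)
    block = []  # receives the indented sub-mode lines of the last tunnel-group / isakmp policy
    for line in config.splitlines():
        if line.startswith(" "):
            block.append(line.strip())
            continue
        block = []  # a non-indented line ends any sub-mode; unowned indents are discarded
        if m := ACL_RE.match(line):
            acls[m[1]].append(m[2])                      # src/dst text of one ACE
        elif m := TS_RE.match(line):
            ts[m[1]] = tuple(sorted(m[2].split()))
        elif m := CM_RE.match(line):
            cm[(m[1], int(m[2]))][m[3]] = m[4] or True   # bare 'set pfs' -> True
        elif m := NAT0_RE.match(line):
            nat0.append(m[2])
        elif m := TG_RE.match(line):
            block = tg[m[1]]
            block.append(line)
        elif line.startswith("crypto isakmp policy "):
            block = isakmp[int(line.split()[-1])]
    return acls, ts, cm, nat0, tg, isakmp

def vpn_bundles(config):
    """{peer: every fragment tied to that tunnel}, i.e. the crypto map -> ACL -> transform set
    -> nat 0 -> tunnel-group walk from the thread, done for every crypto map entry at once."""
    acls, ts, cm, nat0, tg, _ = parse(config)
    bundles = {}
    for attrs in cm.values():
        peer = attrs.get("set peer")
        if not peer:
            continue
        interesting = frozenset(acls.get(attrs.get("match address"), []))
        # a nat 0 ACE is this tunnel's NO-NAT when it mirrors one of its interesting-traffic ACEs
        nonat = frozenset(e for n in nat0 for e in acls.get(n, []) if e in interesting)
        bundles[peer] = {
            "interesting traffic": interesting,
            "pfs": attrs.get("set pfs", False),
            "transform set": tuple(ts.get(t) for t in attrs.get("set transform-set", "").split()),
            "no-nat": nonat,
            "tunnel-group": tuple(tg.get(peer, [])),
        }
    return bundles

def compare(cfg_a, cfg_b):
    """Peers on one box only, tunnels whose parts differ (crypto map sequence numbers are
    deliberately ignored), and ISAKMP policy priorities whose bodies differ."""
    a, b = vpn_bundles(cfg_a), vpn_bundles(cfg_b)
    ia, ib = parse(cfg_a)[5], parse(cfg_b)[5]
    return {
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "differing": {p: d for p in a.keys() & b.keys()
                      if (d := [k for k in a[p] if a[p][k] != b[p][k]])},
        "isakmp": sorted(p for p in ia.keys() | ib.keys() if ia.get(p) != ib.get(p)),
    }
```

Paste the real `show run` of each firewall into the two strings (or read them from files) and print `compare(ASA1, ASA2)`; on the sample it reports 203.0.113.20 only on ASA1, 203.0.113.30 only on ASA2, `pfs` and `no-nat` differing for 203.0.113.10, and ISAKMP policy 10 differing. A nat 0 ACE is attributed to a tunnel only when its source/destination text exactly mirrors one of that tunnel's interesting-traffic ACEs, so a NO-NAT line written as a wider summary network, or with object-groups on one box and raw networks on the other, shows up as a difference and needs a manual look rather than being silently matched.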
 

Author Closing Comment

by:mohannitin
ID: 41734463
Thanks guys
