Solved

ASA 8.2 VPN Clean up

Posted on 2016-07-20
Last Modified: 2016-07-29
Devices: ASA, Router

                 |
          @@@@@@@@@@@@
        @@            @@
          @@@@@@@@@@@@
         |            |
       ASA1 --------- ASA2

All VPNs are on ASA1 and ASA2, but only one connection is up at a time.
I need to make sure all the VPN config is the same on both firewalls.
What are the best commands/tools I can use to identify all parts of the VPN configs, like the crypto map, tunnel group, no-NATs, ACLs?
Is there any software/tool which can identify all the configs linked to one VPN?
Question by:mohannitin
 
Assisted Solution

by:SIM50
If you have them set up in a failover cluster, the configuration is replicated automatically from active to standby.

To compare two configs, you can use Notepad++ and install a plugin for it called Compare.
 
Expert Comment

by:Rafael
Are your ASAs in HA mode or two separate, complete firewalls?
Can you provide more details please, and a clean config?

-Rafael
 

Author Comment

by:mohannitin
They are not in HA, they are completely separate firewalls.
 

Author Comment

by:mohannitin
What would be a good approach?
1. Remove all VPNs from ASA2 and copy all VPNs from ASA1
2. Fix the existing VPN configuration on ASA2
There are 113 VPN configurations.
Providing the configuration is difficult.
 
Assisted Solution

by:Pete Long
Run

'Show run crypto map'

Locate the ones that have a peer address that no longer exists (i.e. the ones you want removing).

I'd copy that into notepad at this point.

For every crypto map entry there will be something like this (the text in bold will probably be different on your firewall):

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM

the first line shows the ACL that needs removing

show run access-list VPN-INTERESTING-TRAFFIC

will show you the ACL. Copy that into Notepad.

next locate the transform

show run | incl VPN-TRANSFORM

Copy that into notepad

Now you need to locate the NAT statement for this VPN tunnel (SEE MY COMMENTS BELOW, YOU NEED TO SKIP THIS BIT)

show run nat

You will have one that looks like

nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup

Copy that into notepad

Then locate the tunnel group that matches the peer in the crypto map above

show run tun

i.e.

tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *******

Now work BACKWARDS removing them

clear configure tunnel-group 123.123.123.123
!
no nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup
!
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
no access-list VPN-INTERESTING-TRAFFIC extended permit ip object {this-side} object {other-side}
!
clear configure crypto map CRYPTO-MAP 1


SORRY, just noticed you're running version 8.2; your NAT statement will look different:

show run nat

look for the following (yours may have a different name from NO-NAT):

nat (inside) 0 access-list NO-NAT

Then do a

show run access-list NO-NAT

Find the one that looks like

access-list NO-NAT permit ip {this-side} {other-side}

and remove that with a

no access-list NO-NAT permit ip {this-side} {other-side}

Repeat for each tunnel, then do the mirror image on the other side of the VPN
 

Accepted Solution

by:mohannitin
What I am planning to do is copy all of the following:
1) Tunnel groups from both firewalls
2) Crypto maps from both firewalls
3) NO-NAT from both firewalls
4) ACLs from both firewalls, to compare
5) Policy NAT statements from both firewalls
copy them into Notepad++ and compare them.
Is there anything else I am missing?
 
Assisted Solution

by:Pete Long
Transform sets (unless you are using the default ones)
 
Expert Comment

by:SIM50
IKE (v1/2) policies
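The thread settles on doing by hand what a short script can do for you: Pete Long's walk-through collects, per crypto map entry, the interesting-traffic ACL, the transform set, the NO-NAT line and the tunnel-group; the asker's plan is to dump those pieces (plus transform sets and IKE policies, per the two follow-ups) from both firewalls into Notepad++ and compare. The script below is an added example written for this thread, not code from any of the posts. It parses a `show run` capture, groups every fragment by VPN peer, and diffs two firewalls peer by peer, so a crypto map entry that sits at sequence 10 on ASA1 and sequence 15 on ASA2 still compares as the same tunnel. Two caveats it builds in: on 8.2 the transform-set and pre-shared-key lines carry no `ikev1` keyword (that spelling arrived in 8.4, so Pete's `no crypto ipsec ikev1 transform-set ...` and `ikev1 pre-shared-key` would read `no crypto ipsec transform-set ...` and `pre-shared-key` on this box), and a transform set shared by several crypto map entries must not be removed while cleaning one tunnel. The configs, peers (203.0.113.10 and .20), names (`OUTSIDE-MAP`, `VPN-SITEB`, `NO-NAT`, `AES256-SHA`) are all constructed; the NO-NAT matching assumes the plain `permit ip net mask net mask` form, and only the first `set peer` of an entry is used. Python 3.8 or later.

```python
# Added example for this thread, not code from the posts; the configs below are constructed.
import re
from collections import defaultdict

# Constructed ASA 8.2 'show run' excerpt from ASA1 with two site-to-site tunnels.
ASA1 = """\
access-list VPN-SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list VPN-SITEC extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-SITEB
crypto map OUTSIDE-MAP 10 set pfs
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set AES256-SHA
crypto map OUTSIDE-MAP 20 match address VPN-SITEC
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key *****
"""
# Constructed ASA2: same tunnels, but PFS dropped on site B and the site C NO-NAT line missing.
ASA2 = (ASA1.replace("crypto map OUTSIDE-MAP 10 set pfs\n", "")
            .replace("access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 "
                     "10.3.0.0 255.255.0.0\n", ""))

def parse(cfg):
    """Return {peer: {section: [lines]}} plus an 'ike-policy' pseudo-peer holding the
    global isakmp policies. Accepts 8.2 syntax and the 8.4+ 'ikev1' spellings."""
    acl, tg, cmap = defaultdict(list), defaultdict(list), defaultdict(list)
    tset, ike, nonat_acl, block = {}, [], None, None   # block: list that indented lines join
    for ln in cfg.splitlines():
        if ln.startswith(" ") and block is not None:
            block.append(ln)
            continue
        block = None
        if m := re.match(r"access-list (\S+) ", ln):
            acl[m.group(1)].append(ln)
        elif m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) ", ln):
            tset[m.group(1)] = ln
        elif m := re.match(r"crypto map (\S+) (\d+) ", ln):
            cmap[m.groups()].append(ln[m.end():])  # drop map name/seq: compare per peer
        elif m := re.match(r"tunnel-group (\S+) ", ln):
            tg[m.group(1)].append(ln)
            block = tg[m.group(1)]
        elif ln.startswith("crypto isakmp policy"):
            ike.append(ln)
            block = ike
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", ln):
            nonat_acl = m.group(1)
    vpns = {"ike-policy": {"isakmp": ike}}
    for entry in cmap.values():
        text = "\n".join(entry)
        peer = re.search(r"set peer (\S+)", text)   # first peer only; dynamic maps skipped
        if not peer:
            continue
        m_acl = re.search(r"match address (\S+)", text)
        m_ts = re.search(r"set (?:ikev1 )?transform-set (\S+)", text)
        acl_lines = acl.get(m_acl.group(1), []) if m_acl else []
        # NO-NAT lines with the same src/mask/dst/mask as the interesting-traffic ACL
        # (assumes the plain 'permit ip net mask net mask' form, no host/any keywords).
        pairs = {tuple(l.split()[-4:]) for l in acl_lines}
        vpns[peer.group(1)] = {
            "crypto-map": entry,
            "acl": acl_lines,
            "transform-set": [tset[m_ts.group(1)]] if m_ts and m_ts.group(1) in tset else [],
            "no-nat": [l for l in acl.get(nonat_acl, []) if tuple(l.split()[-4:]) in pairs],
            "tunnel-group": tg.get(peer.group(1), []),
        }
    return vpns

def compare(cfg_a, cfg_b):
    """{peer: {section: (only_in_a, only_in_b)}} for every peer whose pieces differ."""
    va, vb = parse(cfg_a), parse(cfg_b)
    report = {}
    for peer in sorted(set(va) | set(vb)):
        a, b = va.get(peer, {}), vb.get(peer, {})
        diffs = {}
        for sec in sorted(set(a) | set(b)):
            sa, sb = set(a.get(sec, [])), set(b.get(sec, []))
            if sa != sb:
                diffs[sec] = (sorted(sa - sb), sorted(sb - sa))
        if diffs:
            report[peer] = diffs
    return report

def shared_transform_sets(cfg):
    """Transform sets used by more than one crypto map entry; do not 'no' these while cleaning one tunnel."""
    refs = re.findall(r"^crypto map \S+ \d+ set (?:ikev1 )?transform-set (\S+)", cfg, re.M)
    return sorted({t for t in refs if refs.count(t) > 1})
```

On the constructed pair, `compare(ASA1, ASA2)` reports `{'203.0.113.10': {'crypto-map': (['set pfs'], [])}, '203.0.113.20': {'no-nat': (['access-list NO-NAT ... 10.3.0.0 255.255.0.0'], [])}}` and nothing for the IKE policies, which match; `shared_transform_sets(ASA1)` returns `['AES256-SHA']`, the set both tunnels use. For real firewalls read each `show run` capture into a string and pass the two strings to `compare`; a peer present on only one firewall shows up with every section listed on that side only. The 8.2 `global`/`nat` policy-NAT statements and any dynamic crypto maps are outside what this parser collects.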
 

Author Closing Comment

by:mohannitin
Thanks guys
