Solved

ASA 8.2 VPN Clean up

Posted on 2016-07-20
Last Modified: 2016-07-29
Devices (ASA, Router)
          |
     @@@@@@@@@@@@
    @@          @@
     @@@@@@@@@@@
     |          |
ASA1 ----------------- ASA2

All VPNs are on ASA1 and ASA2, but at any one time only one connection is up.
I need to make sure all VPN config is the same on both firewalls.
What are the best commands/tools which I can use to identify all parts of the VPN configs? Like crypto map / tunnel group / no-NATs / ACLs?
Is there any software/tool which can identify all the configs linked to one VPN?
Question by:mohannitin
 
LVL 13

Assisted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41721472
If you have them setup in a failover cluster, the configuration is replicated automatically from active to standby.

To compare two configs, you can use Notepad++ and install the plugin for it called Compare.
 
LVL 10

Expert Comment

by:Rafael
ID: 41721487
Are your ASAs in HA mode or two separate, complete firewalls?
Can you provide more details please and a clean config?

-Rafael
 

Author Comment

by:mohannitin
ID: 41721889
They are not in HA, completely separate firewalls.
 

Author Comment

by:mohannitin
ID: 41721902
What would be a good approach?
1. Remove all VPNs from ASA2 and copy all VPNs from ASA1
2. Fix the existing VPN configuration on ASA2
There are 113 VPN configurations.
Providing the configuration is difficult.
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41723164
Run

show run crypto map

Locate the ones that have a peer address that no longer exists (i.e. the ones you want removing).

I'd copy that into notepad at this point.

For every crypto map entry there will be something like this (the text in bold will probably be different on your firewall):

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM

the first line shows the ACL that needs removing

show run access-list VPN-INTERESTING-TRAFFIC

will show you; copy that into notepad.

next locate the transform

show run | incl VPN-TRANSFORM

Copy that into notepad

Now you need to locate the NAT statement for this VPN tunnel (SEE MY COMMENTS BELOW, YOU NEED TO SKIP THIS BIT)

show run nat

You will have one that looks like

nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup

Copy that into notepad

Then locate the tunnel group that matches the peer in the crypto map above

show run tun

i.e.

tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *******

Now work BACKWARDS removing them

clear configure tunnel-group 123.123.123.123
!
no nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup
!
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
no access-list VPN-INTERESTING-TRAFFIC extended permit ip object {this-side} object {other-side}
!
clear configure crypto map CRYPTO-MAP 1


SORRY, just noticed you're running version 8.2; your NAT statement will look different.

show run nat

Look for the following (you may have a different name to NO-NAT):

nat (inside) 0 access-list NO-NAT

Then do a

show run access-list NO-NAT

Find the one that looks like

access-list NO-NAT permit ip {this-side} {other-side}

and remove that with a

no access-list NO-NAT permit ip {this-side} {other-side}

Repeat for each tunnel, then do the mirror image on the other side of the VPN.
 

Accepted Solution

by:mohannitin
mohannitin earned 0 total points
ID: 41724487
What I am planning to do is copy all of the following:
1) Tunnel groups from both firewalls
2) Crypto maps from both firewalls
3) NO-NAT from both firewalls
4) ACLs from both firewalls, for comparison
5) Policy NAT statements from both firewalls
then paste them into Notepad++ and compare them.
Is there anything else I am missing?
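The steps Pete Long lays out above and the per-tunnel comparison mohannitin plans are easier to script than to do by hand for 113 tunnels. The Python below is an added example, not code from this thread or from Cisco: it parses a constructed ASA 8.2 running-config excerpt (all ACL, crypto map and transform-set names and all addresses are placeholders), pulls out every line linked to one crypto map entry (interesting-traffic ACL, transform set, the matching nat 0 / NO-NAT entries, tunnel-group), emits the removal commands in the reverse order Pete describes, and reports per-peer differences between two firewalls. Policy NAT and IKE policies are not covered. The ikev1 keyword is treated as optional so the same regexes read both 8.2 and 8.4+ syntax.

```python
"""Collect every ASA 8.2 config line tied to one IPsec L2L tunnel, emit the
removal commands in reverse order, and diff tunnels between two firewalls by
peer address.  Config text below is constructed for this example; the names
CRYPTO-MAP, VPN-A/VPN-B, NO-NAT and VPN-TRANSFORM are placeholders."""
import re
from collections import defaultdict

ASA1 = """\
access-list VPN-A extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list VPN-B extended permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 172.16.5.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-A
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 203.0.113.10
crypto map CRYPTO-MAP 1 set transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 2 match address VPN-B
crypto map CRYPTO-MAP 2 set peer 203.0.113.20
crypto map CRYPTO-MAP 2 set transform-set VPN-TRANSFORM
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key *****
"""
# Constructed drift on ASA2: the NO-NAT entry for tunnel 2 is missing and PFS was added.
ASA2 = (ASA1
        .replace("access-list NO-NAT extended permit ip 10.1.0.0 255.255.0.0 "
                 "172.16.5.0 255.255.255.0\n", "")
        .replace("crypto map CRYPTO-MAP 2 set peer",
                 "crypto map CRYPTO-MAP 2 set pfs\ncrypto map CRYPTO-MAP 2 set peer"))

# 'ikev1' is optional so the same patterns also read 8.4+ syntax.
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set pfs|set peer|"
                   r"set (?:ikev1 )?transform-set)\s*(.*)$")
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+)")

def parse(config):
    """Index crypto map entries, ACLs, transform sets, the nat 0 ACL and tunnel-groups."""
    cfg = {"maps": defaultdict(dict), "acl": defaultdict(list), "ts": {},
           "tg": defaultdict(list), "nonat": None}
    tg = None                      # tunnel-group whose indented sub-lines we are in
    for line in config.splitlines():
        if m := CM_RE.match(line):
            name, seq, key, val = m.groups()
            cfg["maps"][(name, int(seq))][key.replace("ikev1 ", "")] = val.strip()
        elif m := re.match(r"^access-list (\S+) ", line):
            cfg["acl"][m.group(1)].append(line)
        elif m := TS_RE.match(line):
            cfg["ts"][m.group(1)] = line
        elif m := re.match(r"^nat \(\S+\) 0 access-list (\S+)", line):
            cfg["nonat"] = m.group(1)
        elif line.startswith("tunnel-group "):
            tg = line.split()[1]
            cfg["tg"][tg].append(line)
        elif line.startswith(" ") and tg:
            cfg["tg"][tg].append(line)
        else:
            tg = None
    return cfg

def _nets(ace):
    """'src mask dst mask' of a permit-ip ACE, used to tie NO-NAT lines to interesting traffic."""
    m = re.search(r"permit ip (.+)$", ace)
    return m.group(1) if m else None

def tunnel_pieces(cfg, name, seq):
    """Everything belonging to one crypto map entry, in the order Pete Long gathers it."""
    attrs = cfg["maps"][(name, seq)]
    acl = cfg["acl"].get(attrs.get("match address"), [])
    wanted = {n for n in map(_nets, acl) if n}
    nonat = [l for l in cfg["acl"].get(cfg["nonat"], []) if _nets(l) in wanted]
    return {"peer": attrs.get("set peer"), "attrs": attrs, "acl": acl,
            "transform_set": cfg["ts"].get(attrs.get("set transform-set")),
            "nonat": nonat, "tunnel_group": cfg["tg"].get(attrs.get("set peer"), [])}

def removal_commands(cfg, name, seq):
    """Tear-down commands in reverse order; a transform set is kept if other entries use it."""
    p = tunnel_pieces(cfg, name, seq)
    ts = p["attrs"].get("set transform-set")
    users = sum(1 for e in cfg["maps"].values() if e.get("set transform-set") == ts)
    cmds = [f"clear configure tunnel-group {p['peer']}"]
    cmds += ["no " + l for l in p["nonat"]]
    if p["transform_set"] and users == 1:
        cmds.append("no " + p["transform_set"])
    cmds += ["no " + l for l in p["acl"]]
    cmds.append(f"clear configure crypto map {name} {seq}")
    return cmds

def compare_by_peer(cfg_a, cfg_b):
    """{peer: [fields that differ]} across two parsed configs, keyed by peer address."""
    def by_peer(cfg):
        return {e["set peer"]: tunnel_pieces(cfg, n, s)
                for (n, s), e in cfg["maps"].items() if "set peer" in e}
    a, b = by_peer(cfg_a), by_peer(cfg_b)
    report = {}
    for peer in sorted(set(a) | set(b)):
        if peer not in a or peer not in b:
            report[peer] = ["missing on " + ("second" if peer not in b else "first")]
        elif diffs := [f for f in ("attrs", "acl", "transform_set", "nonat", "tunnel_group")
                       if a[peer][f] != b[peer][f]]:
            report[peer] = diffs
    return report
```

Feed the text of `show run` from each firewall to `parse()` and call `compare_by_peer()`; keying on the peer address means the two firewalls do not have to use the same crypto map sequence numbers or ACL names for a tunnel to be matched. `removal_commands()` deliberately skips `no crypto ipsec transform-set` when another crypto map entry still references the same set, since removing a shared transform set would take down the other tunnels that use it. Review the generated commands before pasting them; the script only reads text.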
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41724780
Transform sets (unless you are using the default ones).
 
LVL 13

Expert Comment

by:SIM50
ID: 41724810
IKE (v1/2) policies.
 

Author Closing Comment

by:mohannitin
ID: 41734463
Thanks guys