
Solved

ASA 8.2 VPN Clean up

Posted on 2016-07-20
Last Modified: 2016-07-29
Devices (ASA, Router)
                      |
@@@@@@@@@@@@
@@                            @@
  @@@@@@@@@@@
   |                              |
ASA1 -----------------ASA2

All VPNs are on ASA1 and ASA2, but at any one time only one connection is up.
I need to make sure all the VPN config is the same on both firewalls.
What are the best commands/tools I can use to identify all parts of the VPN configs, like crypto map / tunnel group / no-NAT / ACL?
Is there any software/tool which can identify all the configs linked to one VPN?
Question by:mohannitin
9 Comments
 
LVL 14

Assisted Solution

by:SIM50
SIM50 earned 1000 total points
ID: 41721472
If you have them setup in a failover cluster, the configuration is replicated automatically from active to standby.

To compare two configs, you can use Notepad++ and install plugin for it called Compare.
1
 
LVL 10

Expert Comment

by:Rafael
ID: 41721487
Are your ASAs in HA mode or two separate, complete firewalls?
Can you provide more details please and a clean config?

-Rafael
0
 

Author Comment

by:mohannitin
ID: 41721889
They are not in HA; they are completely separate firewalls.
0

Author Comment

by:mohannitin
ID: 41721902
What would be a good approach?
1. Remove all VPN config from ASA2 and copy all VPN config from ASA1
2. Fix the existing VPN configuration on ASA2
There are 113 VPN configurations.
Providing the configuration is difficult.
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 41723164
Run

'Show run crypto map'

Locate the ones that have a peer address that no longer exists (i.e. the ones you want removing).

I'd copy that into notepad at this point.

For every crypto map entry there will be something like the following (the text in bold will probably be different on your firewall):

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM

The first line shows the ACL that needs removing.

show run access-list VPN-INTERESTING-TRAFFIC

This will show you the ACL; copy that into Notepad.

Next locate the transform set:

show run | incl VPN-TRANSFORM

Copy that into notepad

Now you need to locate the NAT statement for this VPN tunnel (SEE MY COMMENTS BELOW, YOU NEED TO SKIP THIS BIT)

show run nat

You will have one that looks like

nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup

Copy that into notepad

Then locate the tunnel group that matches the peer in the crypto map above

show run tun

i.e.

tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *******

Now work BACKWARDS removing them

clear configure tunnel-group 123.123.123.123
!
no nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup
!
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
no access-list VPN-INTERESTING-TRAFFIC extended permit ip object {this-side} object {other-side}
!
clear configure crypto map CRYPTO-MAP 1


SORRY, just noticed you're running version 8.2; your NAT statement will look different.

show run nat

Look for the following (you may have a different name from NO-NAT):

nat (inside) 0 access-list NO-NAT

Then do a

show run access-list NO-NAT

Find the one that looks like

access-list NO-NAT permit ip {this-side} {other-side}

and remove that with a

no access-list NO-NAT permit ip {this-side} {other-side}

Repeat for each tunnel, then do the mirror image on the other side of the VPN
0
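One way to do the "find everything linked to one crypto map entry" step from Pete's walkthrough by script, as an added example that is not code from this thread or from Cisco: a small Python parser over a saved `show run` that, for one crypto map entry, gathers the entry itself, its interesting-traffic ACL, transform set, tunnel-group (matched by peer) and the 8.2-style `nat (inside) 0` ACL lines covering the same networks. The config excerpt is constructed, and the names `SAMPLE_CONFIG` and `vpn_dependencies` are my own.

```python
import re

# Constructed ASA 8.2-style "show run" excerpt, not a real firewall config.
SAMPLE_CONFIG = """\
access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.9.9.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 2 match address STALE-TRAFFIC
crypto map CRYPTO-MAP 2 set peer 198.51.100.7
crypto map CRYPTO-MAP 2 set transform-set VPN-TRANSFORM
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key *****
"""

def vpn_dependencies(config, map_name, seq):
    """Every line tied to one crypto map entry: the entry, its interesting-traffic ACL,
    transform set, tunnel-group (by peer) and the nat 0 ACL lines for the same networks."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    deps = {"crypto_map": [l for l in lines if l.startswith(f"crypto map {map_name} {seq} ")]}
    def field(pat):  # pull one value out of the crypto map entry, or None if absent
        m = re.search(pat, "\n".join(deps["crypto_map"]), re.M)
        return m.group(1) if m else None
    acl, peer = field(r"match address (\S+)$"), field(r"set peer (\S+)$")
    tset = field(r"set (?:ikev1 )?transform-set (\S+)$")  # 8.2 and 8.4+ wording
    deps["peer"] = peer
    deps["acl"] = [l for l in lines if acl and l.startswith(f"access-list {acl} ")]
    # Transform sets are usually shared by several tunnels: report, but check before removing.
    deps["transform_set"] = [l for l in lines if tset and l.startswith(f"crypto ipsec transform-set {tset} ")]
    tg, in_tg = [], False  # tunnel-group headers plus the indented sub-mode lines under them
    for l in lines:
        if peer and l.startswith(f"tunnel-group {peer} "):
            tg.append(l); in_tg = True
        elif in_tg and l.startswith(" "):
            tg.append(l)
        else:
            in_tg = False
    deps["tunnel_group"] = tg
    # nat 0 (identity NAT) ACL lines whose source/destination match the interesting-traffic ACL.
    pairs = {m.group(1) for l in deps["acl"] if (m := re.search(r"permit ip (.+)$", l))}
    nonat = re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    deps["no_nat"] = [l for l in lines for n in nonat
                      if l.startswith(f"access-list {n} ") and any(l.endswith(p) for p in pairs)]
    return deps
```

Run it against `show run` saved from each firewall and diff the two result sets per peer; an entry whose ACL or tunnel-group comes back empty is a half-removed tunnel, which is exactly the kind of leftover the mirror-image clean-up is meant to catch.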
 

Accepted Solution

by:mohannitin
mohannitin earned 0 total points
ID: 41724487
What I am planning to do is copy all of the following:
1) Tunnel groups from both firewalls
2) Crypto maps from both firewalls
3) NO-NAT from both firewalls
4) ACLs from both firewalls, to compare
5) Policy NAT statements from both firewalls
Copy them into Notepad++ and compare them.
Is there anything else I am missing?
0
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 1000 total points
ID: 41724780
Transform sets (unless you are using the default ones)
0
 
LVL 14

Expert Comment

by:SIM50
ID: 41724810
IKE (v1/2) policies
0
 

Author Closing Comment

by:mohannitin
ID: 41734463
Thanks guys
0
