Solved

ASA 8.2 VPN Clean up

Posted on 2016-07-20
Last Modified: 2016-07-29
Devices (ASA, Router)
           |
     @@@@@@@@@@@@
    @@            @@
     @@@@@@@@@@@@
     |            |
   ASA1 -------- ASA2

All VPNs are configured on both ASA1 and ASA2, but only one connection is up at a time.
I need to make sure all VPN config is the same on both firewalls.
What are the best commands/tools I can use to identify all parts of the VPN configs, like crypto map / tunnel group / no-NATs / ACLs?
Is there any software/tool which can identify all the configs linked to one VPN?
Question by:mohannitin
Assisted Solution

by:SIM50
SIM50 earned 250 total points
ID: 41721472
If you have them set up in a failover cluster, the configuration is replicated automatically from active to standby.

To compare two configs, you can use Notepad++ and install a plugin for it called Compare.
Expert Comment

by:Rafael
ID: 41721487
Are your ASAs in HA mode or two separate, complete firewalls?
Can you provide more details please, and a clean config?

-Rafael

Author Comment

by:mohannitin
ID: 41721889
They are not in HA, they are completely separate firewalls.

Author Comment

by:mohannitin
ID: 41721902
What would be a good approach?
1. Remove all VPNs from ASA2 and copy all VPNs from ASA1
2. Fix the existing VPN configuration on ASA2
?
There are 113 VPN configurations.
Providing the configuration is difficult.
Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41723164
Run

show run crypto map

Locate the ones that have a peer address that no longer exists (i.e. the ones you want removing).

I'd copy that into notepad at this point.

For every crypto map entry there will be something like the following (the text in bold will probably be different on your firewall):

crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM

The first line shows the ACL that needs removing:

show run access-list VPN-INTERESTING-TRAFFIC

will show it to you; copy that into notepad.

Next locate the transform set:

show run | incl VPN-TRANSFORM

Copy that into notepad.

Now you need to locate the NAT statement for this VPN tunnel (SEE MY COMMENTS BELOW, YOU NEED TO SKIP THIS BIT):

show run nat

You will have one that looks like:

nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup

Copy that into notepad.

Then locate the tunnel group that matches the peer in the crypto map above:

show run tun

i.e.

tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *******

Now work BACKWARDS removing them:

clear configure tunnel-group 123.123.123.123
!
no nat (inside,outside) source static {this-side} {this-side} destination static {other-side} {other-side} no-proxy-arp route-lookup
!
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
no access-list VPN-INTERESTING-TRAFFIC extended permit ip object {this-side} object {other-side}
!
clear configure crypto map CRYPTO-MAP 1


SORRY, just noticed you're running version 8.2, so your NAT statement will look different:

show run nat

Look for the following (yours may have a different name than NO-NAT):

nat (inside) 0 access-list NO-NAT

Then do a:

show run access-list NO-NAT

Find the one that looks like:

access-list NO-NAT permit ip {this-side} {other-side}

and remove that with a:

no access-list NO-NAT permit ip {this-side} {other-side}

Repeat for each tunnel, then do the mirror image on the other side of the VPN.
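The asker wanted a tool that identifies every piece of configuration belonging to one VPN, and the answer above walks that chain by hand (crypto map entry, interesting-traffic ACL, transform set, tunnel-group, 8.2-style NO-NAT line), which is also the checklist in the accepted solution below. As an added example that is not from this thread or from Cisco, the following Python function does the same walk over a saved `show run` text; the config fragment, names, networks and peer addresses are constructed, and the NO-NAT matching on source/destination pairs is a heuristic assumption that fits the 8.2 `nat (inside) 0 access-list` form.

```python
# Constructed ASA 8.2-style running-config fragment (sample data, not from a real device).
SAMPLE_CONFIG = """\
access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
crypto ipsec transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs
crypto map CRYPTO-MAP 1 set peer 192.0.2.10
crypto map CRYPTO-MAP 1 set transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 2 set peer 198.51.100.7
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 198.51.100.7 type ipsec-l2l
"""
def collect_vpn(config_text, map_name, seq):
    """Return every config line tied to one crypto map entry, grouped by category.
    Chain (as in the answer above): crypto map entry -> interesting-traffic ACL -> transform set
    -> tunnel-group (by peer) -> NO-NAT lines that exempt the same src/dst pair."""
    lines = config_text.splitlines()
    prefix = f"crypto map {map_name} {seq} "
    found = {"crypto_map": [l for l in lines if l.startswith(prefix)],
             "acl": [], "transform_set": [], "tunnel_group": [], "no_nat": []}
    acl = tset = peer = None
    for l in found["crypto_map"]:
        rest = l[len(prefix):].split()
        if rest[:2] == ["match", "address"]:
            acl = rest[2]
        elif "transform-set" in rest:  # 'set transform-set X' (8.2) or 'set ikev1 transform-set X' (8.4+)
            tset = rest[-1]
        elif rest[:2] == ["set", "peer"]:
            peer = rest[2]
    if acl:
        found["acl"] = [l for l in lines if l.startswith(f"access-list {acl} ")]
    if tset:
        found["transform_set"] = [l for l in lines if l.startswith(f"crypto ipsec transform-set {tset} ")]
    in_tg = False  # collect tunnel-group lines for the peer plus their indented sub-mode lines
    for l in lines:
        in_tg = peer is not None and (l.startswith(f"tunnel-group {peer} ") or (in_tg and l.startswith(" ")))
        if in_tg:
            found["tunnel_group"].append(l)
    # 8.2 NAT exemption ('nat (inside) 0 access-list NAME'): keep NO-NAT lines whose last four
    # tokens (src, mask, dst, mask) equal those of an interesting-traffic ACL line (heuristic)
    pairs = {tuple(l.split()[-4:]) for l in found["acl"]}
    for nat_acl in [l.split()[-1] for l in lines if l.startswith("nat (") and " 0 access-list " in l]:
        found["no_nat"] += [l for l in lines if l.startswith(f"access-list {nat_acl} ") and tuple(l.split()[-4:]) in pairs]
    return found
```

Running it against the saved configs of both firewalls for the same crypto map sequence number gives two dictionaries that can be compared field by field, which is a more targeted check than diffing the whole `show run`.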
Accepted Solution

by:mohannitin
mohannitin earned 0 total points
ID: 41724487
What I am planning to do is copy all of the following:
1) Tunnel groups from both firewalls
2) Crypto maps from both firewalls
3) NO-NAT from both firewalls
4) ACLs from both firewalls, for comparison
5) Policy NAT statements from both firewalls
Then copy them into Notepad++ and compare them.
Is there anything else I am missing?
Assisted Solution

by:Pete Long
Pete Long earned 250 total points
ID: 41724780
Transform sets (unless you are using the default ones).
Expert Comment

by:SIM50
ID: 41724810
IKE (v1/v2) policies.
Author Closing Comment

by:mohannitin
ID: 41734463
Thanks guys