Cisco ASA Site to Site VPN Notes


https://supportforums.cisco.com/docs/DOC-11639
Configure Phase 1:
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Troubleshooting:
sh run crypto isakmp
sh isakmp policy
sh isakmp sa :Show connected peers
sh vpn-sessiondb detail l2l
deb crypto isakmp 5
clear crypto isakmp :This will clear all of the SAs
To confirm that the IPsec traffic (ISAKMP on UDP 500) is reaching the ASA, capture the traffic between the two peer public IPs:
On both ends:
access-list cap extended permit ip host {local public ip} host {remote public ip}
access-list cap extended permit ip host {remote public ip} host {local public ip}
Create a capture:
cap cap access-list cap int outside
Display the results of the capture:
sh cap cap detail
To clear the capture log:
clear cap cap
If you don’t know the pre-shared key(s) (show run masks them; this shows them in clear text):
more system:running-config | b tunnel-gr
Configure Phase 2:
These two ACLs (one line per local/remote subnet pair) should match each other, and be mirrored (local and remote swapped) on the other end:
access-list nonat extended permit ip {local} {remote}
access-list nonat extended permit ip {local} {remote}
access-list uk extended permit ip {local} {remote}
access-list uk extended permit ip {local} {remote}
nat (inside) 0 access-list nonat
crypto ipsec transform-set ukvpn esp-des esp-md5-hmac
crypto map vpnmap 20 match address uk
crypto map vpnmap 20 set peer {target public ip}
crypto map vpnmap 20 set transform-set ukvpn
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
tunnel-group {target public ip} type ipsec-l2l
tunnel-group {target public ip} ipsec-attributes
pre-shared-key {key}
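Added example (Python, not from these notes or from Cisco): a small consistency checker that parses show-run style lines from both ends of the tunnel and reports the mismatches that most often keep a Phase 1 or Phase 2 negotiation from completing: a crypto map that sets a transform-set name that was never defined, ISAKMP policies that agree on no authentication/encryption/hash/group combination, and crypto ACL entries that are not mirrored (source/destination swapped) on the far end. The two sample configs are constructed with RFC 5737 placeholder addresses, and they use aes-256/sha/group 14 instead of the des/md5/group 2 shown above, which are deprecated and should not be used for new tunnels.

```python
import re
from collections import defaultdict

# Constructed sample configs for the two tunnel ends (RFC 5737 placeholder addresses, not from the
# notes). Site A has two deliberate defects: its crypto map sets a transform-set that was never
# defined, and its crypto ACL has an entry that Site B does not mirror.
SITE_A = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
access-list uk extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list uk extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.255.0
crypto ipsec transform-set dfwvpn esp-aes-256 esp-sha-hmac
crypto map vpnmap 20 match address uk
crypto map vpnmap 20 set peer 198.51.100.2
crypto map vpnmap 20 set transform-set ukvpn
"""
SITE_B = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
access-list dfw extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec transform-set dfwvpn esp-aes-256 esp-sha-hmac
crypto map vpnmap 20 match address dfw
crypto map vpnmap 20 set peer 203.0.113.1
crypto map vpnmap 20 set transform-set dfwvpn
"""

ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
ADDR = r"(host \S+|any4?|\S+ \S+)"  # 'host a.b.c.d', 'any', or 'network mask'
ACL_RE = re.compile(rf"^access-list (\S+) extended permit ip {ADDR} {ADDR}$")
TS_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set (?:ikev1 )?transform-set) (.+)$")

def parse_isakmp_policies(cfg):
    """Return {policy_number: {attribute: value}} for each ISAKMP/IKEv1 policy block."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        parts, m = raw.split(), POLICY_RE.match(raw.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and parts and parts[0] in ISAKMP_ATTRS:
            current[parts[0]] = " ".join(parts[1:])
        else:
            current = None  # any other line ends the policy block
    return policies

def parse_acls(cfg):
    """Return {acl_name: {(src, dst), ...}} for extended 'permit ip' entries."""
    acls = defaultdict(set)
    for m in filter(None, (ACL_RE.match(raw.strip()) for raw in cfg.splitlines())):
        acls[m.group(1)].add((m.group(2), m.group(3)))
    return acls

def parse_transform_sets(cfg):
    """Return {name: (alg, ...)} for every transform-set definition."""
    return {m.group(1): tuple(m.group(2).split())
            for m in filter(None, (TS_RE.match(raw.strip()) for raw in cfg.splitlines()))}

def parse_crypto_maps(cfg):
    """Return {(map, seq): {'match': acl, 'peer': ip, 'transform-set': [names]}}."""
    maps = defaultdict(dict)
    for m in filter(None, (MAP_RE.match(raw.strip()) for raw in cfg.splitlines())):
        entry, key, value = maps[(m.group(1), int(m.group(2)))], m.group(3), m.group(4)
        if key == "match address":
            entry["match"] = value
        elif key == "set peer":
            entry["peer"] = value
        else:  # 'set transform-set' may list several names in preference order
            entry["transform-set"] = value.split()
    return maps

def crypto_acl_entries(cfg):
    """Union of (src, dst) pairs from every ACL that a crypto map matches on."""
    acls, maps = parse_acls(cfg), parse_crypto_maps(cfg)
    return {pair for e in maps.values() if "match" in e for pair in acls.get(e["match"], ())}

def check_site_pair(local_cfg, remote_cfg):
    """Cross-check both ends; return a list of findings (an empty list means consistent)."""
    findings = []
    for label, cfg in (("local", local_cfg), ("remote", remote_cfg)):
        defined = parse_transform_sets(cfg)
        for (name, seq), entry in parse_crypto_maps(cfg).items():
            for ts in entry.get("transform-set", []):
                if ts not in defined:
                    findings.append(f"{label}: crypto map {name} {seq} sets undefined transform-set '{ts}'")
    # Phase 1: some policy must agree on auth/encryption/hash/group; lifetime only negotiates down.
    def proposals(cfg):
        return {tuple(p.get(a) for a in ISAKMP_ATTRS[:4]) for p in parse_isakmp_policies(cfg).values()}
    if not proposals(local_cfg) & proposals(remote_cfg):
        findings.append("phase1: no ISAKMP policy agrees on authentication/encryption/hash/group")
    # Phase 2: every crypto ACL entry must appear with src/dst swapped on the far end.
    local, remote = crypto_acl_entries(local_cfg), crypto_acl_entries(remote_cfg)
    findings += [f"phase2: local {s} -> {d} has no mirror on remote" for s, d in sorted(local) if (d, s) not in remote]
    findings += [f"phase2: remote {s} -> {d} has no mirror on local" for s, d in sorted(remote) if (d, s) not in local]
    return findings
```

Call check_site_pair(local_cfg, remote_cfg) with the two running configs; on the samples it reports the undefined transform-set on Site A and the unmirrored 10.1.0.0/16 to 10.3.0.0/24 entry, while the differing lifetimes are correctly left alone. It only covers the fields listed: peer addresses, pre-shared keys and the nonat exemption still need to be compared by hand with the sh commands below.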
Troubleshooting:
sh isakmp
sh isakmp policy
sh cry ipsec sa :Shows the IPsec SAs per peer
sh crypto ipsec transform-set
sh crypto map :shows crypto maps
sh run | inc route :shows only the routes in the running config
sh access-list :shows access lists
sh arp :Shows the arp table
sh run | in access-group :Shows only the access-groups in the running config
ping inside {remote ip} :pings sourced from the inside interface (a good way to bring up the tunnel)
management-access inside :The inside interface of the ASA cannot be pinged from the other end of the tunnel unless the management-access command is configured in the global configuration mode.
clear cry ipsec sa peer {peer ip} :Clears ONLY that one peer
clear cry isa :Clears ALL peers
clear arp :Clears the arp table
deb cry isa 200 :Debugs ISAKMP (level 200)
deb cry ipsec 200 :Debugs IPsec (level 200)
debug crypto ipsec
debug crypto isakmp
To clear configurations (in configuration mode):
clear configure crypto map vpnmap 20 :Clears crypto map 20
clear configure tunnel-group :Clears the tunnel-group
IMPORTANT! USE THIS COMMAND, ESPECIALLY AFTER A PIX SOFTWARE UPGRADE!!!
This command allows packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance. IPsec tunnels that are terminated on the security appliance are likely to fail if one of these commands is not enabled.
sysopt connection permit-ipsec :OLD
sysopt connection permit-vpn :NEW
===============================================================================
BUT ALERT:
They fixed an older bug in 7.2(4), as per the Bug Toolkit:
Symptom:
Commands that are system defaults do not show up in the
typical “show running-config” output. The purpose of the “show running-config all” command
is to allow all configured commands both default and non-default to be viewed in one output.
For PIX/ASA, the output of the command “show running-config all” should
include the configured sysopt commands such as
“sysopt connection tcpmss 1380”, which at present it does not.
ciscoasa# sh run all | incl sys
ciscoasa# sh run all | incl sysopt
ciscoasa#
Conditions:
Some “sysopt” commands are on as system defaults and do not show in the running configuration output.
However, the “show running-config all” output is supposed to show all commands in the running
configuration, including the defaults like some sysopt commands. This issue is purely cosmetic and does
not affect the operation of the PIX/ASA.
