Cisco ASA Site To Site VPN IKEv2 “Using CLI”
May06

KB ID 0001429 Problem You want a secure IPsec VPN between two sites using IKEv2. Note: If the device you are connecting to does not support IKEv2 (i.e. it's not a Cisco ASA, or it's running code older than 8.4) then you need to go to the older version of this article: Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI). Solution Before you start, you need to ask yourself "Do I already have any IPsec VPNs...

Cisco ASA: Allow VPN Traffic “Through” A Cisco Firewall
May06

KB ID 0001428 Problem I got asked to put in a VPN for a client this week; it went from a simple site to site, to a site to site with a Fortigate firewall at one end, to a VPN from an ASA to a Fortigate 'through' another ASA. It's been a few years since I had to tunnel 'through' a firewall, and experience tells me that if you don't have control of BOTH ends of a new VPN tunnel, anything that stops...

Cisco ASA: Group-Lock WARNING
Apr12

KB ID 0001423 Problem You will see this error if you are pasting configuration into a Cisco firewall. This week I was manually converting an old version 8.2 firewall's configuration to run on a modern (version 9) firewall, when I saw this:
Petes-ASA(config)# username fred.bloggs attributes
Petes-ASA(config-username)# group-lock value SOME-VALUE
WARNING: tunnel-group SOME-VALUE does not exist
Solution The reason you are seeing this...

Cisco ASA 5506-X: Bridged BVI Interface
Apr09

KB ID 0001422 Problem When the ASA 5506-X appeared there was much grumbling: "This is not a replacement for the ASA 5505, I need to buy a switch as well!" and "I have six ports on the firewall I can't use", etc. I understand that, but if truth be told the ASA 5505 was SUPPOSED to be used in SOHO environments, where an all-in-one device (with PoE) was a great fit. The problem was, people started throwing...

Cisco ASA: ‘Received an un-encrypted INVALID_COOKIE notify message, dropping’
Apr06

KB ID 0001421 Problem Saw this in a forum today, and knew what it was straight away! While attempting to get a VPN tunnel up from a Cisco ASA (5508-X) to a SonicWall firewall, this was their debug output:
Apr 06 00:45:21 [IKEv1]IP = x.x.x.x, IKE Initiator: New Phase 1, Intf Lan, IKE Peer x.x.x.x local Proxy Address 192.168.90.150, remote Proxy Address 10.252.1.1, Crypto map (Internet_map)
Apr 06 00:45:21 [IKEv1 DEBUG]IP = x.x.x.x,...

Cisco ASA: Updating and Copying files from USB
Dec05

KB ID 0001377 Problem Cisco ASA firewalls have had USB sockets on them for a while, but a dig into the documentation only yielded 'for use in future releases'. Well, they are working now! Note: The firewall shown is a 5516-X (running version 9.8(1)). Solution Your drive needs to be formatted as FAT (not NTFS). I'm going to update/install some AnyConnect client software, but there's nothing to stop you uploading a...
