Cisco ASA Site to Site VPN ‘Using ASDM’
KB ID 0000072 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. Do the same from command line Below is a walk-through for setting up one end of a site to site VPN Tunnel using a Cisco ASA appliance – Via the ASDM console. Though if (like me) you prefer using the Command Line Interface I’ve put the commands at the end. click image for full subnet information Solution VPN Setup...
Cisco ASA Static (One to One) NAT Translation
KB ID 0000691 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access). This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public...
Cisco ASA AnyConnect VPN ‘Using ASDM’
KB ID 0000069 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. Below is a walk through for setting up a client to gateway VPN Tunnel using a Cisco Firepower ASA appliance. This was done via the ASDM console. The video was shot with ASA version 9.13(1) and ASDM 7.13(1). Suggestion: If you are setting this up for the first time, I would suggest setting it up to use the ASA’s LOCAL...
Cisco ASA AnyConnect VPN ‘Using CLI’
KB ID 0000943 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco FTD running ASA Code. Also See Cisco ASA AnyConnect VPN ‘Using ASDM’ This procedure was done on Cisco ASA (post) version 8.4, so it uses all the newer NAT commands. I’m also going to use self signed certificates so you will see this error when you attempt to connect. Solution 1. The first job is to go get the AnyConnect client package(s),...
Cisco ASA – L2TP over IPSEC VPN
KB ID 0000571 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. When Cisco released version 7 of the operating system for PIX/ASA they dropped support for the firewall acting as a PPTP VPN device. Note: If you want to use PPTP you can still terminate PPTP VPNs on a Windows server, if you enable PPTP and GRE Passthrough on the ASA. But if you want to use the native Windows VPN client you...
Cisco ASA – Port Forward a ‘Range of Ports’
KB ID 0001111 Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. This comes up on forums a lot, some applications and most phone systems require a ‘LOT’ of ports to be open. Normally thats fine you just give the internal IP a static public IP and open the ports. But what if you don’t have a spare public IP? I’ve already covered port forwarding before. Cisco PIX / ASA Port...
Cisco ASA Site To Site VPN IKEv2 “Using CLI”
KB ID 0001429 Problem Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code. You want a secure IPSEC VPN between two sites using IKEv2. Note: If the device you are connecting to does not support IKEv2 (i.e. it’s not a Cisco ASA, or it’s running code older than 8.4) then you need to go to the older version of this article; Cisco ASA 5500 Site to Site VPN IKEv1 (From CLI) Solution Before you...
ASA Local CA Depreciated: Use Windows CA
KB ID 0001616 Problem I got an email about this last night, I rarely ever use the ASA as a Local CA, But that has now been completely depreciated, (post version 9.12(x)) The documentation tells us; Local CA server is deprecated in 9.12(1), and will be removed in a later release—When ASA is configured as local CA server, it is enabled to issue digital certificates, publish Certificate Revocation Lists (CRLs), and securely revoke issued...
Bring up a VPN Tunnel From the ASA
KB ID 0001604 Problem A colleague was doing a firewall migration yesterday and I offered to sit in, in case he had any problems, one of the tasks was a VPN tunnel getting migrated, this is usually painless, (if you have control of both ends!) But in this case we didn’t, and it’s usually the case, when there’s VPN problems, the people at the {ahem} ‘less experienced,’ end of the tunnel tend to blame the...
Cisco ASA Site to Site IKEv2 VPN Static to Dynamic
KB ID 0001602 Problem Site to Site VPNs are easy enough, define some interesting traffic, tie that to a crypto map, that decides where to send the traffic, create some phase 1 and phase 2 policies, wrap the whole lot up in a tunnel-group, and you’re done! But there needs to be a ‘peer address’ in the crypto map, and if one end of the VPN is on DHCP that address is likely to change, so you cant supply that? The...