I do all your labs in VIRL. I had a problem, the labs disappeared; I contacted the VIRL community but have not got any answer.
Hi guys !
I give up, nothing works: GNS3 can't save the config, and in VIRL my workspace disappears??? I am using VMware Workstation… so does anybody know?
I will give it a last try… I will go to DMVPN for my CCNP Security later on…
Thanks for letting me know about ASAv. I’ll find out if they have a workstation version. If so, I’ll try to set up that environment on my PC, and see how that works.
Thanks again, Amin
Hmm, what exactly do you mean that your workspace disappears in VIRL? I never had any issues with it so far.
I have a problem with ASA IPsec VPN and NAT integration. Please see my network design. PC1 connects to PC2 with an IPsec VPN tunnel, and PC1 connects to the router 3 loopback interface 22.214.171.124 network with NAT. Now the PC1 to PC2 tunnel is OK, but the ASA can't translate the NAT address for PC1 and PC1 can't go to router 3 (network 126.96.36.199/24). I would like to know, could I use NAT and VPN for one local network?
It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the 192.168.2.0/24 subnet that exits the outside interface UNLESS the destination is 192.168.39.0/24 (the other end of the VPN).
You can use this example for PAT:
The only thing left to do is to create an exception for your VPN traffic, like this:
object network LOCAL_SUBNET
 subnet 192.168.2.0 255.255.255.0
object network REMOTE_SUBNET
 subnet 192.168.39.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static LOCAL_SUBNET LOCAL_SUBNET destination static REMOTE_SUBNET REMOTE_SUBNET
This tells the ASA not to translate traffic from the local to the remote subnet.
If you are also doing NAT on R2 then you’ll need to add a deny statement in the access-list that you use for NAT that matches traffic between 192.168.39.0/24 and 192.168.2.0/24.
Hope this helps!
As per your IPsec lesson… the IPsec (ESP, AH) protocols support two different modes:
So, how do we define whether IPsec ESP/AH will use transport or tunnel mode, and what is the default mode??
And also the IKEv1 phase 1 tunnel can be completed using two different modes:
Where do we define whether it will use aggressive or main mode??
Could you please explain a little bit. Thx
What is the difference between the two commands below? Please give some more clarification on it. Thanks
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
19 posts were merged into an existing topic: Cisco ASA Site-to-Site IKEv1 IPsec VPN
Aggressive mode can be configured in the crypto map:
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive
And transport mode in the transform set:
ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?

configure mode commands/options:
  transport  mode transport
The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.
What do the following two commands mean for IKE phase 1 and IKE phase 2:
ASA1(config-ikev1-policy)# lifetime 4800
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000
I think IKE phase 1 will be deleted after 4800 (if there is no traffic on the tunnel) and IKE phase 2 will be deleted after 3000 (if there is no traffic on the tunnel). If traffic continues to flow on the tunnel, then what will happen, will IKE phase 1 & IKE phase 2 be re-negotiated after expiration or not?? Please explain.
Thanks Rene. So the default modes are Main and Tunnel. If we want to change it to Aggressive & transport mode, then we have to configure it that way, right??
These lifetimes specify when we regenerate the keying material, they don’t specify the “idle” timeout. That’s done with another command:
ASA1# show run all | incl vpn-idle
vpn-idle-timeout 30
By default, after 30 minutes of inactivity we tear down the SA.
The default mode is indeed “main mode” and “tunnel mode”. You can change this with the commands I supplied in the previous post.
Thanks for your reply. I have one more question: at the VPN GW, which one executes first, encryption then encapsulation or vice versa? Thanks a lot
For a detailed answer, take a look at this Cisco example:
What I prefer to do, is to use packet tracer on the ASA:
ASA1# packet-tracer input INSIDE tcp 192.168.1.1 54411 188.8.131.52 80
If you use this then it will show you exactly what steps it takes and in what order.
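To make the order question above (encrypt first or encapsulate first) and the earlier tunnel vs transport mode question concrete, here is an added Python illustration; it is not from the lesson or from the ASA. It builds ESP packets in both modes using a constructed toy keystream cipher (not a real IPsec transform) and constructed addresses, so the header layout and the processing order can be inspected offline.

```python
import hmac, hashlib, struct

# Constructed illustration of ESP framing (RFC 4303 layout) in tunnel vs
# transport mode. The cipher is a toy HMAC keystream, not a real IPsec
# transform; what matters is the order: build the ESP trailer, encrypt,
# prepend the clear-text ESP header, compute the ICV, then add/adjust the IP header.
ESP_PROTO, IP_PROTO_IPV4, IP_PROTO_TCP = 50, 4, 6
ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header (checksum left zero; nothing routes this).
    s = bytes(int(o) for o in src.split(".")); d = bytes(int(o) for o in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, s, d)

def keystream(n, spi, seq):  # toy keystream bound to SPI and sequence number
    blocks = (hmac.new(ENC_KEY, struct.pack("!IIH", spi, seq, c), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_encapsulate(ip_packet, spi, seq, mode, outer=None):
    inner_hdr, segment = ip_packet[:20], ip_packet[20:]
    if mode == "tunnel":   # whole original IP packet becomes the protected payload
        plain, next_hdr = ip_packet, IP_PROTO_IPV4
    else:                  # transport: only the transport segment is protected
        plain, next_hdr = segment, inner_hdr[9]
    pad = (-(len(plain) + 2)) % 4                       # trailer must end 4-byte aligned
    plain += bytes(range(1, pad + 1)) + bytes([pad, next_hdr])  # ESP trailer
    ct = bytes(a ^ b for a, b in zip(plain, keystream(len(plain), spi, seq)))
    esp = struct.pack("!II", spi, seq) + ct             # SPI and seq stay in clear
    icv = hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:12]  # 96-bit ICV, like HMAC-SHA1-96
    body = esp + icv
    if mode == "tunnel":   # new outer header carries the VPN gateway addresses
        return ipv4_header(outer[0], outer[1], ESP_PROTO, len(body)) + body
    hdr = bytearray(inner_hdr); hdr[9] = ESP_PROTO      # original endpoints stay visible
    hdr[2:4] = struct.pack("!H", 20 + len(body))
    return bytes(hdr) + body

def esp_decapsulate(packet):
    hdr, esp, icv = packet[:20], packet[20:-12], packet[-12:]
    if not hmac.compare_digest(icv, hmac.new(AUTH_KEY, esp, hashlib.sha256).digest()[:12]):
        raise ValueError("ICV mismatch")                # verify before decrypting
    spi, seq = struct.unpack("!II", esp[:8])
    plain = bytes(a ^ b for a, b in zip(esp[8:], keystream(len(esp) - 8, spi, seq)))
    pad, next_hdr = plain[-2], plain[-1]
    data = plain[:len(plain) - pad - 2]
    if next_hdr == IP_PROTO_IPV4:                       # tunnel mode: inner packet is complete
        return data
    hdr = bytearray(hdr); hdr[9] = next_hdr; hdr[2:4] = struct.pack("!H", 20 + len(data))
    return bytes(hdr) + data
```

In tunnel mode the outer header shows only the two gateways and the inner addresses are inside the ciphertext; in transport mode the original endpoints remain readable on the wire.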
What if we don't use the command “ASA1(config)# crypto isakmp identity address”?
Somehow, your ASAs have to be able to identify each other so that you use the correct tunnel-group. This command makes sure that the IP address is used for identification.
ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
Let's say there is already a crypto map called MY_CRYPTO_MAP and we want to create a site-to-site VPN to another site.
Is it OK if I create MY_CRYPTO_MAP_2 the same as MY_CRYPTO_MAP?
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP_2 interface OUTSIDE
In the examples, shouldn’t there be a no-nat?
Typically, there should be no NAT performed on the VPN traffic. In order to exempt that traffic, you must create an identity NAT rule. The identity NAT rule simply translates an address to the same address.
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route
@Sims You can only apply one crypto-map to your interface. You should create one crypto-map with different statement numbers for each peer. Something like this:
ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600

ASA1(config)# crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set security-association lifetime seconds 3600
@Ryan if you use NAT then yes, you will need to exempt your site-to-site or remote VPN traffic or it will be translated. Here’s an example:
nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL
Basically it means that whenever traffic from the INSIDE destined to VPN_POOL goes from INSIDE > OUTSIDE, it will be translated to its own address. In other words, no NAT.
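The identity NAT point made here, and in the earlier PC1/PC2 answer where the PAT rule broke the tunnel, comes down to rule ordering: the ASA evaluates manual (twice) NAT in Section 1 before object NAT in Section 2, and the crypto ACL then sees the translated source. The following Python model is an added illustration, not ASA code or the lesson's; the subnets are the thread's, while the host and outside interface addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of how the ASA picks a NAT rule: Section 1 (manual/twice
# NAT, in configured order) is checked before Section 2 (object NAT). Only
# the rule shapes seen in this thread are modelled; hosts and the outside
# interface address are constructed.

@dataclass
class IdentityNat:        # nat (X,Y) source static A A destination static B B
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

@dataclass
class ObjectPat:          # object network A / nat (X,Y) dynamic interface
    src: ipaddress.IPv4Network

def translate(src_ip, dst_ip, manual, objects, outside_ip):
    """Return (source address after NAT, name of the rule that matched)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in manual:                          # Section 1: first match wins
        if s in r.src and d in r.dst:
            return str(s), "identity NAT (no translation)"
    for r in objects:                         # Section 2: object NAT
        if s in r.src:
            return outside_ip, "dynamic PAT to outside interface"
    return str(s), "no NAT"

def matches_crypto_acl(src_ip, dst_ip, local, remote):
    # Outbound, NAT runs before VPN, so the crypto ACL sees the translated source.
    return (ipaddress.ip_address(src_ip) in local
            and ipaddress.ip_address(dst_ip) in remote)

LOCAL = ipaddress.ip_network("192.168.2.0/24")     # subnets from the thread
REMOTE = ipaddress.ip_network("192.168.39.0/24")
OUTSIDE_IP = "10.10.10.1"                          # constructed outside address
PAT = [ObjectPat(LOCAL)]                           # the PAT rule for Internet access

def vpn_ok(src_ip, dst_ip, exempt):
    """Does a LOCAL->REMOTE flow still match the crypto ACL after NAT?"""
    manual = [IdentityNat(LOCAL, REMOTE)] if exempt else []
    nat_src, _ = translate(src_ip, dst_ip, manual, PAT, OUTSIDE_IP)
    return matches_crypto_acl(nat_src, dst_ip, LOCAL, REMOTE)
```

Without the identity rule the VPN-bound packet is PAT'd to the outside address and never matches the crypto ACL; with it, VPN traffic keeps its real source while traffic to the router 3 loopback is still PAT'd as intended.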