
Monday, 14 May 2012

Cannot Access / Open ASDM

Problem
Out of the box, Cisco PIX/ASA devices should have a working ASDM. This configuration can get broken over time, and there are also a few things on the client machine that can trip you up.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java, so make sure the machine has Java installed.
2. Make sure the internet browser you are using is supported:
Operating System                                   Internet Explorer   Firefox         Safari          Sun Java SE Plug-in
Microsoft Windows (English and Japanese):          6.0 or later        1.5 or later    No support      6.0
  7, Vista, 2008 Server, XP
Apple Macintosh OS X: 10.6, 10.5, 10.4             No support          1.5 or later    2.0 or later    6.0
Red Hat Enterprise Linux 5 (GNOME or KDE):         N/A                 1.5 or later    N/A             6.0
  Desktop, Desktop with Workstation
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server; this is a common "gotcha"!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, do the following: File > Clear ASDM Cache, then File > Clear Internal Log Buffer, then File > Refresh ASDM with the Running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is "allowed" access
1. Connect to the firewall using SSH, Telnet, or the console cable.
2. Log into the firewall and go to enable mode by entering the enable password.
Type help or '?' for a list of available commands.
PetesASA>
PetesASA> en
Password: ********
PetesASA#
3. The ASDM is enabled with the command "http server enable". To check that it is there, issue a "show run http" command:
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
Note: If the command is NOT there, you need to issue the following three commands:
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
Note: If you see a number after the command, e.g. "http server enable 2456", then you need to access the ASDM on that port, like so: {IP address/name of ASA}:2456. (This is common if you're port forwarding HTTPS but still want to access the ASDM externally.)
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that the show run http command also lists the addresses that are allowed access; if yours is NOT listed, you can add it as follows:
PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
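A way to check the allow-list without guessing, as an added example that is not part of the original article: this Python snippet parses the "show run http" output shown above, reports whether a given client address on a given interface would be admitted (and on which port, if "http server enable" carries a port number), and flags any rule that opens ASDM to the whole Internet. The sample output is constructed from the transcript; the function names are mine.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show run http" transcript in the article
# (the port number is the one the article's note uses as an example).
SAMPLE_SHOW_RUN_HTTP = """\
http server enable 2456
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
"""

# Same allow-list plus a rule that opens management to the whole Internet (constructed).
BROAD_SAMPLE = SAMPLE_SHOW_RUN_HTTP + "http 0.0.0.0 0.0.0.0 outside\n"


def parse_show_run_http(text):
    """Return (enabled, port, rules); rules is a list of (network, interface)."""
    enabled, port, rules = False, 443, []
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"http server enable(?: (\d+))?", line)
        if m:
            enabled = True
            if m.group(1):  # "http server enable 2456" => ASDM listens on that port
                port = int(m.group(1))
            continue
        m = re.fullmatch(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", line)
        if m:
            # ASA writes "address mask"; ipaddress accepts "address/mask" directly.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            rules.append((net, m.group(3)))
    return enabled, port, rules


def asdm_access_check(text, client_ip, client_interface):
    """Decide whether client_ip arriving on client_interface may open ASDM, and why."""
    enabled, port, rules = parse_show_run_http(text)
    if not enabled:
        return False, "http server is not enabled; configure 'http server enable'"
    addr = ipaddress.ip_address(client_ip)
    for net, iface in rules:
        if iface == client_interface and addr in net:
            return True, (f"allowed by 'http {net.network_address} {net.netmask} {iface}'; "
                          f"connect to https://<asa-address>:{port}/")
    return False, (f"{client_ip} on {client_interface} matches no http rule; "
                   f"add 'http {client_ip} 255.255.255.255 {client_interface}'")


def overly_broad_rules(text, max_hosts=256):
    """http rules on the outside interface admitting more than max_hosts addresses.

    Management access from the Internet should be pinned to specific hosts, as the
    article's 123.123.123.123/255.255.255.255 rule does.
    """
    _, _, rules = parse_show_run_http(text)
    return [(str(net), iface) for net, iface in rules
            if iface == "outside" and net.num_addresses > max_hosts]


if __name__ == "__main__":
    for ip, iface in (("10.254.254.5", "inside"), ("10.254.253.5", "inside"),
                      ("123.123.123.123", "outside")):
        print(ip, iface, asdm_access_check(SAMPLE_SHOW_RUN_HTTP, ip, iface))
    print("broad rules:", overly_broad_rules(BROAD_SAMPLE))
```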
5. At this point try and access the ASDM again.
6. The ASA needs to be told which file to use for the ASDM. To check that it has been told, issue the following command. (If there is NOT one specified, skip forward to step 7 to see if there is an ASDM image on the firewall.)
PetesASA# show run asdm
asdm image disk0:/asdm-631.bin
Note: On a Cisco PIX the results will look like this:
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
7. Write down the file that it has been told to use (in the example above, asdm-631.bin). Then make sure that file is actually in the firewall's flash memory with a "show flash" command.
PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-631.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg

127135744 bytes total (29583360 bytes free)
Note: If the file you are looking for is NOT there, then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall; see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6, you can add the reference with the following command (obviously change the filename to match the one listed in your flash memory):
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
 

RDP to Multiple Servers with a Cisco PIX/ASA Firewall


Problem
You want to connect via "Remote Desktop" to multiple servers behind your firewall. To do this you have three options.
Solution
Option 1 (Use if you have multiple free Public IP addresses)
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", and create a name entry for each server's public and private address:
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# name 192.168.1.1 Server1-Internal
Petes-ASA(config)# name 192.168.1.2 Server2-Internal
Petes-ASA(config)# name 123.123.123.123 Server1-External
Petes-ASA(config)# name 123.123.123.124 Server2-External
Now allow RDP to both servers with an access control list, and apply that access control list to the outside interface. (Note: if you already have an inbound ACL, simply substitute its name for "inbound".)
Petes-ASA(config)# access-list inbound extended permit tcp any host Server1-External eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any host Server2-External eq 3389
Petes-ASA(config)# access-group inbound in interface outside
 
Option 2 (Uses Port Forwarding and uses a different port for each server).
With this option the ASA accepts the connection for each server on a different port; to make that work, each server must listen on a different port.
Connect to the firewall, go to enable mode, then go to "Configure Terminal Mode", then allow each port you are going to use (in this case 3389 and 3390):
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then port forward those ports to the correct internal servers:
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3390 netmask 255.255.255.255
 
Option 3 (Uses Port Forwarding with a different external port for each server, translated back to 3389).
This differs from Option 2 because here the firewall translates each incoming port to RDP 3389 and sends it to the correct server.
Petes-ASA> en
Password: *********
Petes-ASA#
Petes-ASA#configure terminal
Petes-ASA(config)#
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3389
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq 3390
Then port forward AND TRANSLATE those ports to the correct internal servers:
Petes-ASA(config)# static (inside,outside) tcp interface 3389 192.168.1.1 3389 netmask 255.255.255.255
Petes-ASA(config)# static (inside,outside) tcp interface 3390 192.168.1.2 3389 netmask 255.255.255.255

Cisco PIX / ASA Port Forwarding



Using Command Line, ASDM and PDM

 

Problem

Note: Port forwarding has changed on PIX/ASA devices running OS 8.3; for the new syntax, see the "Post Version 8.3" section below.

Cisco PIX/ASA Port forwarding (Pre Version 8.3)

Port forwarding on Cisco firewalls can be a little difficult to get your head around. To better understand what is going on, remember that in the "World of Cisco" two things hold:
1. NAT means translating MANY addresses to FEW addresses.
2. PAT means translating MANY addresses to ONE address.
Why is that important, you ask? Well, most networking types assume NAT is what shares one address among many, BUT on a Cisco device that is PAT, and it uses (as the name implies) port numbers to track everything. For example, the first connection out might be seen on the firewall as 123.123.123.123:1026 and the second outbound connection as 123.123.123.123:2049, so when the traffic comes back the firewall knows where to send it.
Fair enough, but what has that got to do with port forwarding? Well, you can use the exact same system to lock a port to an IP address; if only one port can go to one IP address, then that's going to give you port forwarding :)
To make matters more confusing (sorry), you configure PAT in the NAT settings. For this very reason it confuses the hell out of a lot of people, and the GUI is not intuitive for configuring port forwarding (the ASDM is better than the old PDM), so most people prefer to use the command line to do port forwarding.
Below you will find:
Option 1 Use Command Line Interface
Option 2 Use ASDM (PIX v7 and ASA Only)
Option 3 Use PDM (PIX v6 Only)
Solution
 

Option 1 Use the Command Line to Port Forward (pre version 8.3)
1 Port to 1 IP Address

 

1. First things first, you will need to know what port you want to forward and where you want to forward it. For this example we will assume I've got a server at 10.254.254.1, and it's a mail server, so I want to forward all TCP port 25 traffic to it. Connect to the firewall via console, Telnet or SSH:
Warning Notice
User Access Verification
Password:
Type help or '?' for a list of available commands.
firewall>
2. Enter enable mode, and enter the enable mode password:
firewall> enable
Password: ********
firewall#
3. Now we need to go to configuration mode:
firewall# configure terminal
firewall(config)#
4. Before we can configure port forwarding we need to allow the traffic (this is a firewall, after all); to allow traffic you need an access list:
firewall(config)#access-list inbound permit tcp any interface outside eq smtp
firewall(config)#
5. Remember access-lists WON'T work if you don't apply them to an interface, so we apply this one to the outside interface with an access-group command:
firewall(config)#access-group inbound in interface outside
firewall(config)#
6. Lastly, the command that actually does the port forwarding (the static command):
firewall(config)#static (inside,outside) tcp interface smtp 10.254.254.1 smtp netmask 255.255.255.255
firewall(config)#
7. Don't forget to save your hard work (write memory):
firewall(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
firewall(config)#
 

Option 2 Use the ASDM (PIX V7 and ASA5500)
1 Port to 1 IP Address

 
1. As above, you will need to know the port and the IP to forward it to. Launch the ASDM, select Configuration > Security Policy, then either Rules > Add, or right-click the incoming rules and select "Add Access Rule".
2. Interface = Outside > Direction = Incoming > Action = Permit > Source = Any > Destination: Type = Interface IP, Interface = Outside > Protocol = TCP > Destination Port Source = smtp > OK > Apply.
3. Back at the main screen select Configuration > NAT > Add, or right-click an existing mapping and click "Add Static NAT Rule".
4. Real Address: Interface = Inside > IP Address = 10.254.254.1 > Netmask = 255.255.255.255 > Static Translation: Interface = outside > IP Address = (Interface IP) > Tick "Enable Port Translation (PAT)" > Protocol = TCP > Original Port = smtp > Translated Port = smtp > OK > Apply.
5. File > "Save Running Configuration to Flash".

Option 3 Use the PIX Device Manager (PIX Version 6 Only)
1 Port to 1 IP Address

 
1. As above, you will need to know the port and the IP to forward it to. Launch the PIX Device Manager, select Configuration > Access Rules, then either click Rules > Add, or right-click an incoming rule and select "Insert Before" or "Insert After".
2. Under "Action" select "Permit"; under Source Host/Network select "Outside" and all the zeros; under Destination Host/Network select "Inside" and all the zeros; then set the "Destination Port" to smtp > OK > Apply.
3. Now select the "Translation Rules" tab, then Rules > Add, or right-click a rule and select "Insert Before" or "Insert After".
4. In this example I've set it to forward all TCP port 25 traffic to 10.254.254.10. (NOTE: I've blurred out the public IP address; you will need to add this also.) > OK > Apply.
5. Finally save your work: File > "Save Running Configuration to Flash" > Exit.
 

Cisco PIX/ASA Port forwarding (Post Version 8.3)

 
Note: Port forwarding has changed on PIX/ASA devices running OS 8.3 and above. There is no longer a global command; for a full rundown of the changes, click here.
If you issue a global command after version 8.3 you will see this error:
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.

From Command Line


1. First things first, you will need to know what port you want to forward and where you want to forward it. For this example we will assume I've got a server at 10.254.254.5, and it's a web server, so I want to forward all TCP port 80 (HTTP) traffic to it. Connect to the firewall via console, Telnet or SSH:
Warning Notice
User Access Verification
Password:
Type help or '?' for a list of available commands.
PetesASA>
2. Enter enable mode, and enter the enable mode password:
PetesASA> enable
Password: ********
PetesASA#
3. Now we need to go to configuration mode:
PetesASA# configure terminal
PetesASA(config)#
4. Create an object for the web server that the traffic is going to be forwarded to:
PetesASA(config)# object network Internal_Web_Server
PetesASA(config-network-object)# host 10.254.254.5
5. Then create a NAT translation for the port to be forwarded; after that you can exit the network object prompt:
PetesASA(config-network-object)# nat (inside,outside) static interface service tcp http http
PetesASA(config-network-object)# exit
6. Now you need to allow the HTTP traffic in:
PetesASA(config)# access-list inbound permit tcp any object Internal_Web_Server eq http
7. Remember access-lists WON'T work if you don't apply them to an interface, so we apply this one to the outside interface with an access-group command:
PetesASA(config)# access-group inbound in interface outside
PetesASA(config)#
8. Don't forget to save your hard work (write memory):
PetesASA(config)# write memory
Building configuration...
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
PetesASA(config)#
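The same port forward rendered in both syntaxes, as an added example that is not code from the original article: given a list of forwards it emits the pre-8.3 access-list/static form and the post-8.3 object NAT form (where the ACL names the real address and real port), and refuses two forwards that claim the same outside port, the collision that Options 2 and 3 of the RDP section above exist to avoid. The PortForward class, the function names and the object names for the RDP servers are my assumptions; the addresses and ports are the article's.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    obj_name: str      # network object name (only the post-8.3 syntax uses it)
    inside_ip: str     # real address of the server behind the firewall
    outside_port: int  # port clients connect to on the outside interface address
    inside_port: int   # port the server really listens on
    proto: str = "tcp"


def pre83_lines(pf, acl="inbound"):
    """Pre-8.3: the ACL names the mapped (interface) address and port; static does the PAT."""
    return [
        f"access-list {acl} extended permit {pf.proto} any interface outside eq {pf.outside_port}",
        f"static (inside,outside) {pf.proto} interface {pf.outside_port} "
        f"{pf.inside_ip} {pf.inside_port} netmask 255.255.255.255",
    ]


def post83_lines(pf, acl="inbound"):
    """Post-8.3: object NAT (real port first, mapped port second); the ACL names the
    REAL address and REAL port, not the translated ones."""
    return [
        f"object network {pf.obj_name}",
        f" host {pf.inside_ip}",
        f" nat (inside,outside) static interface service {pf.proto} {pf.inside_port} {pf.outside_port}",
        f"access-list {acl} extended permit {pf.proto} any object {pf.obj_name} eq {pf.inside_port}",
    ]


def outside_port_collisions(forwards):
    """(proto, outside_port) pairs claimed by more than one forward. The firewall can only
    hand a given outside port to one server, which is why RDP to several servers needs a
    distinct outside port for each (Options 2 and 3 of the RDP section)."""
    seen, clashes = {}, []
    for pf in forwards:
        key = (pf.proto, pf.outside_port)
        if key in seen and key not in clashes:
            clashes.append(key)
        seen[key] = pf.inside_ip
    return clashes


def build_config(forwards, os_version, acl="inbound"):
    """Render the forwards in the syntax for os_version (a tuple such as (8, 2) or (8, 4))."""
    clashes = outside_port_collisions(forwards)
    if clashes:
        raise ValueError(f"outside port used twice: {clashes}")
    render = post83_lines if os_version >= (8, 3) else pre83_lines
    lines = []
    for pf in forwards:
        lines += render(pf, acl)
    lines.append(f"access-group {acl} in interface outside")
    return lines


# Constructed from the article's examples: two RDP servers (Option 3) and the web server.
RDP_SERVERS = [
    PortForward("Server1-Internal", "192.168.1.1", 3389, 3389),
    PortForward("Server2-Internal", "192.168.1.2", 3390, 3389),
]
WEB_SERVER = [PortForward("Internal_Web_Server", "10.254.254.5", 80, 80)]

if __name__ == "__main__":
    print("\n".join(build_config(RDP_SERVERS, (8, 2))))
    print("\n".join(build_config(WEB_SERVER, (8, 4))))
```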

Backup and Restore a Cisco Firewall



Problem

There are many different versions of PIX and ASA firewalls. If you want to get a backup of the configuration and save it elsewhere, then in the event of a failure (or, more likely, someone tinkering and breaking the firewall) you will be able to recall and restore that configuration. By far the easiest way is to use a TFTP server; it works on ALL versions, so learn it once and use it many times.
Note: Some people flatly refuse to use the command line; if that's you, you can also back up and restore from the ASDM (see the ASDM sections below).
OK, for starters you need to get a TFTP server. While this sounds very grand, it's a little piece of software that will run on just about any Windows PC; I use an application called 3CDaemon, and I've put information on how to get it and how to set it up (about 5 minutes' work) HERE.
So I'll assume you have the TFTP server installed and running, and you know what IP address the machine running it is using.
NOTE: TFTP uses UDP port 69; if you have firewalls in between the one you are working on and the TFTP server, then this port needs to be open.

Solution

Backup

1. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.
ciscoasa> en
Password:*********
ciscoasa#

2. To back up the firewall you need to specify the IP address of where you want to send it (i.e. the TFTP server) and what you want to call the backup, and you tie them together with a "write net" command. The syntax is:
write net {ip address}:{filename}
ciscoasa# write net 172.254.1.2:firewall_backup
Building configuration...
INFO: Default tftp-server not set, using highest security interface
Cryptochecksum: 85c211cb 3099b392 9e7206e6 e1548bcd
!
[OK]
ciscoasa#
3. On your TFTP server you will see that a file has been received.
4. If you look in the TFTP server's root directory you will find the file. Although it has no file extension, you can open it and view it with a text editor like Notepad or WordPad; just remember NOT to save it with a .txt or .rtf extension when you close it again. Keep it safe, you will need it if you ever want to restore.

Restore

1. To restore you must have already backed up the firewall earlier and have that backup in the TFTP servers root directory.
2. Connect to the firewall via Telnet, Console Cable or SSH, then go to enable mode, type in the enable password.
ciscoasa> en
Password:*********
ciscoasa#
3. Enter configuration mode using the "conf t" command.
ciscoasa# conf t
ciscoasa(config)#
4. Unlike the backup, to restore the configuration you use the copy tftp start command.
ciscoasa(config)# copy tftp start
5. Supply it with the IP address of your TFTP Server.
Address or name of remote host []? 172.254.1.2
6. Supply it with the name of the file you backed up earlier.
Source filename []? firewall_backup
7. The file will get copied over.
Accessing tftp://172.254.1.2/firewall_backup...!
Writing system file...
!
2974 bytes copied in 0.90 secs
ciscoasa(config)#
8. On your TFTP server you will see the file being "copied out"
9. Not finished yet: the file now lives in the "startup" configuration, so it has not been loaded into the running configuration yet. The best way to do this is to reboot the firewall: issue the reload command and confirm by pressing Enter.
ciscoasa(config)# reload
Proceed with reload? [confirm]
ciscoasa(config)#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down webvpn
Shutting down File system

***
*** --- SHUTDOWN NOW ---
10. After the reboot, you will be running on the restored configuration.
 
Note: With a version 6 firewall, restoring a config from TFTP simply "merges" the new one with the config on the firewall. In most cases this is NOT what you want; to get round this, place the following command at the top of the config you are restoring:
clear config all

Backup a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Backup Configuration.
2. Browse Local.
3. Find somewhere to put the backup that you will be able to locate.
4. In this instance I'll "Backup All" > Backup.
5. Let it do its own thing > Close.
6. Take a quick look at the report > OK.

Restore a Cisco 5500 firewall from the ASDM

1. Connect to the firewall via ASDM, then Tools > Restore Configuration.
2. Browse Local.
3. Locate your backup and select it.
4. Next.
5. In this instance I'm just going to restore the startup configuration. (Note: that means I will need to reboot the firewall when restored, before the restored config takes effect.) > Restore.
6. You will be asked if you want to merge or replace the config. (Note: merge is handy if there have been a couple of config changes.) I'm going to replace it.
7. Let it restore the files, then restart ASDM.

ICMP PING CMD IN FIREWALL & ASDM


Cisco Firewalls and PING (Note: tracert uses ping protocols and the firewall treats ping and tracert the same)
 
Problem
With regards to Ping, out of the box a Cisco firewall will allow you to ping the interface you are connected to, so in a normal setup inside clients can ping the inside interface, and the firewalls outside interface can be pinged from outside.

OK, to understand pinging through a Cisco firewall you need to understand that ping is part of the ICMP protocol suite and, unlike other protocols, is not "connection oriented". What that means is that (on a new firewall that has no rules applied outbound) the firewall happily lets ping traffic out, but it won't let ping traffic back in; this results in a failure on the client.
Solution
Cisco ASA and Cisco PIX (version 7 and above) From CLI
Version 7 introduced an ICMP inspection engine so that it could track ICMP requests like other protocols. It's NOT turned on by default. The command is "inspect icmp", but you need to enter the default policy map and its inspection class first (this assumes you have the standard policy-map). Connect to the firewall and use the following commands from config terminal mode, then save the changes with a "write mem" command.
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config-pmap)# class inspection_default
PetesASA(config-pmap-c)# inspect icmp
PetesASA(config-pmap-c)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425
8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config-pmap-c)#
Cisco ASA and Cisco PIX (version 7 and above) From ASDM
Connect to the ASDM > Configuration > Firewall > Service Policy Rules > Select "inspection_default" > Edit > Rule Actions > Tick ICMP > OK > Apply > File > Save running configuration to flash.
Cisco PIX (version 6 and below) From CLI
Older firewalls do not have an inspection map, nor was there a "fixup" for ICMP and ping traffic, so you need to explicitly allow the return ICMP traffic back in. Note: this assumes you already have an inbound access-list called "inbound" and we are adding some more lines to it; change the word "inbound" to match the name/number of your inbound access list (the "show access-group" command will tell you what is applied to the outside interface), e.g.
PetesASA> en
Password: ********
PetesASA# show access-group
access-group inbound in interface outside << This one's called inbound.
If you already have an access-list applied, simply substitute the name of your ACL for "inbound".
PetesASA# conf t
PetesASA(config)# access-list inbound permit icmp any any echo-reply
PetesASA(config)# access-list inbound permit icmp any any time-exceeded
PetesASA(config)# access-list inbound permit icmp any any unreachable
PetesASA(config)# access-list inbound permit icmp any any source-quench
If you HAD an inbound ACL, skip this step; if you didn't have one, you need to apply the ACL with an access-group command.
PetesASA(config)# access-group inbound in interface outside
Lastly, save your work with a write mem command.
PetesASA# write mem
Building configuration...
Cryptochecksum: 4d7f7ccd 5c55a9e1 6ced12c4 46728bc7
[OK]
PetesASA#
Cisco PIX (version 6 and below) From PDM
Connect to the PDM > Configuration > Access Rules > Rules > Add > Permit > Outside Inside > Tick ICMP > Select "echo-reply" > OK > Apply > File > Save running configuration to flash.
Then repeat for time-exceeded, unreachable and source-quench.
Stop Interfaces replying to Ping traffic
As stated above, all firewall interfaces will respond to pings from the network you are connected to. To stop this you use the "icmp" command.
Do the same from ASDM
Connect to the ASDM > Configuration > Device Management > Management Access > ICMP > Add > Select ICMP type > Interface > Action > OK > Apply > File > Save running configuration to flash.
Do the same from PDM
Connect to the PDM > Configuration > System Properties > Administration > ICMP > Add > Specify the Type, Interface, Source etc. > OK > Apply > File > Save running configuration to flash.

Cisco ASA - Password Recovery / Reset

Password Recovery / Reset Procedure for ASA 5500 Firewalls

Below is a run-through of changing the Cisco ASA passwords (setting them to blank, then changing them to something else). Basically you boot the ASA into its very basic shell operating system (ROMMON), then force it to reboot without loading its configuration. At this point you can load the config without having to enter a password, manually change all the passwords, and finally set the ASA to boot properly again.
Below I've used both HyperTerminal and PuTTY to do the same thing; you can use either, or another piece of terminal emulation software, the procedure is the same.
1. Connect to the ASA via a console cable (settings 9600/8/None/1/None).
2. Reboot the ASA, and as it boots press Esc to interrupt the normal boot sequence and boot to ROMMON mode.
Note: HyperTerminal does not send the Esc keystroke properly; if you use HyperTerminal you need to press CTRL+Break.
3. Execute the "confreg" command and take a note of the number that's listed (copy it to Notepad to be on the safe side).
4. Answer the questions as follows (Note: just pressing Enter will supply the default answer). Answer no to all apart from the TWO listed below:
Do you wish to change this configuration? y/n [n]: Y <<< THIS ONE
enable boot to ROMMON prompt? y/n [n]:
enable TFTP netboot? y/n [n]:
enable Flash boot? y/n [n]:
select specific Flash image index? y/n [n]:
disable system configuration? y/n [n]: Y <<< AND THIS ONE
go to ROMMON prompt if netboot fails? y/n [n]:
enable passing NVRAM file specs in auto-boot mode? y/n [n]:
disable display of BREAK or ESC key prompt during auto-boot? y/n [n]:
5. You may notice that the configuration register has changed. To boot the firewall, execute the "boot" command.
6. This time when the ASA boots it will start with a {blank} enable password; you can load the normal config into memory with a "copy startup-config running-config" command.
7. Now you are in enable mode with the correct config loaded, you can change the passwords, and once completed, change the configuration register setting back with a config-register {paste in the number you saved earlier} command.

Cisco ASA 5500 Site to Site VPN (From CLI)


Problem
You want a secure IPSEC VPN between two sites.
Solution
Note: There have been a number of changes both in NAT and IKE on the Cisco ASA that mean commands will vary depending on the OS that the firewall is running; make sure you know what version your firewall is running (either by looking at the running config or issuing a "sho ver" command).
Note 2: Cisco introduced IKE version 2 with ASA 8.4(x). This assumes we are configuring a tunnel using IKE version 1. (For version 2, both ends need to be running version 8.4(x) or greater.)
Before you start, you need to ask yourself "Do I already have any IPSEC VPNs configured on this firewall?", because if it's not already been done, you need to enable ISAKMP on the outside interface. To ascertain whether yours is on or off, issue a "show run crypto" command and check the results; if you do NOT see "crypto isakmp enable outside" or "crypto ikev1 enable outside", then you need to issue that command.
Firewall Running an OS of 8.4(x) or newer
PetesASA# show run crypto
crypto ikev1 enable outside << Mine's already enabled and it's IKE version 1
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
Firewall Running an OS Earlier than 8.4(x)
PetesASA# show run crypto
crypto isakmp enable outside << Mine's already enabled.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
PetesASA#
1. I'm going to create access control lists next: one to tell the ASA what is "interesting traffic", that's traffic that it needs to encrypt. If you are running an ASA older than version 8.3(x) you will need to create a second access list to STOP the ASA performing NAT on the traffic that travels over the VPN.
Warning (ASA version 8.3 or older): If you already have NAT-excluded traffic on the firewall (for other VPNs) this will BREAK THEM. To see if you do, issue a "show run nat" command; if you already have a nat (inside) 0 access-list {name} entry, then use that {name}, NOT the one in my example.
So below I'm saying "Don't NAT traffic from the network behind the ASA (10.254.254.0) that's going to the network behind the VPN device at the other end of the tunnel (172.16.254.0)".
Firewall Running an OS of 8.3(x) or newer
PetesASA(config)#object network Site-A-SN
PetesASA(config-network-object)#subnet 10.254.254.0 255.255.255.0
PetesASA(config)#object network Site-B-SN
PetesASA(config-network-object)#subnet 172.16.254.0 255.255.255.0
PetesASA(config)#access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip object Site-A-SN object Site-B-SN
PetesASA(config)#nat (inside,outside) source static Site-A-SN Site-A-SN destination static Site-B-SN Site-B-SN

Firewall Running an OS Earlier than 8.3(x)
PetesASA(config)#
PetesASA(config)# access-list VPN-INTERESTING-TRAFFIC line 1 extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# access-list NO-NAT-TRAFFIC line 1 extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0
PetesASA(config)# nat (inside) 0 access-list NO-NAT-TRAFFIC
PetesASA(config)#
2. Now I'm going to create a "Tunnel Group" to tell the firewall it's a site-to-site VPN tunnel ("l2l"), and create a shared secret that will need to be entered at the OTHER end of the site-to-site VPN tunnel. I also set a keepalive value.
Note: Ensure the tunnel group name is the IP address of the firewall/device that the other end of the VPN tunnel is terminating on.
PetesASA(config)#
PetesASA(config)# tunnel-group 123.123.123.123 type ipsec-l2l
PetesASA(config)# tunnel-group 123.123.123.123 ipsec-attributes

PetesASA(config-tunnel-ipsec)# pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
PetesASA(config-tunnel-ipsec)# exit

PetesASA(config)#
3. Now we need to create a policy that will set up how "Phase 1" of the VPN tunnel will be established. We have already put in a shared secret; this policy will make sure we use it. It also sets the encryption type (3DES), the hashing algorithm (SHA) and the level of PFS (Group 2). Finally it sets the timeout before phase 1 needs to be re-established: 86400 seconds (that's 1440 minutes, or 24 hours if you're still confused :)
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)# crypto ikev1 policy 10
PetesASA(config-ikev1-policy)# authentication pre-share
PetesASA(config-ikev1-policy)# encryption 3des
PetesASA(config-ikev1-policy)# hash sha
PetesASA(config-ikev1-policy)# group 2
PetesASA(config-ikev1-policy)# lifetime 86400

Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)#
PetesASA(config)# crypto isakmp policy 10 authen pre-share
PetesASA(config)# crypto isakmp policy 10 encrypt 3des
PetesASA(config)# crypto isakmp policy 10 hash sha
PetesASA(config)# crypto isakmp policy 10 group 2
PetesASA(config)# crypto isakmp policy 10 lifetime 86400
PetesASA(config)#
4. We stated above that we are going to use 3DES and SHA so we need a "Transform Set" that matches.
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)#
PetesASA(config)# crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)#

Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)#
PetesASA(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
PetesASA(config)#
5. Finally we need to create a "crypto map" to handle "Phase 2" of the VPN tunnel, which will also use 3DES, SHA and PFS. Last of all we apply that crypto map to the outside interface.
Firewall Running an OS of 8.4(x) or newer
PetesASA(config)#
PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC

PetesASA(config)# crypto map outside_map 1 set pfs group2
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123
PetesASA(config)# crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
PetesASA(config)# crypto map outside_map interface outside
PetesASA(config)#

Firewall Running an OS Earlier than 8.4(x)
PetesASA(config)#
PetesASA(config)# crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC

PetesASA(config)# crypto map outside_map 1 set pfs group2
PetesASA(config)# crypto map outside_map 1 set peer 123.123.123.123
PetesASA(config)# crypto map outside_map 1 set transform-set ESP-3DES-SHA
PetesASA(config)# crypto map outside_map interface outside
PetesASA(config)#
6. Don't forget to save your hard work with a "write mem" command.
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#
7. Simply configure the other end as a "mirror image" of this one.
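The last step says to configure the other end as a mirror image; as an added example that is not part of the original article, this Python helper generates the 8.4(x)+ IKEv1 configuration for both ends from one description and checks that the two ends agree on everything that must match (pre-shared key, phase 1 policy, transform set, PFS group, and swapped interesting-traffic subnets). The Site and Phase1 classes, the function names and Site A's public address 203.0.113.10 are my assumptions; the subnets, peer 123.123.123.123 and policy values are the article's.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    obj_name: str   # network object for the subnet behind this site's firewall
    public_ip: str  # outside address of this site's firewall (the other end's peer)
    subnet: str     # "network mask" behind this site's firewall


@dataclass(frozen=True)
class Phase1:
    psk: str                 # must be identical at both ends
    encryption: str = "3des"
    hash: str = "sha"
    group: int = 2
    lifetime: int = 86400


def site_to_site(local, remote, p1, acl="VPN-INTERESTING-TRAFFIC", ts="ESP-3DES-SHA"):
    """Config for the firewall at `local`, tunnelling to `remote` (ASA 8.4(x)+ IKEv1 syntax)."""
    return [
        f"object network {local.obj_name}",
        f" subnet {local.subnet}",
        f"object network {remote.obj_name}",
        f" subnet {remote.subnet}",
        f"access-list {acl} line 1 extended permit ip object {local.obj_name} object {remote.obj_name}",
        f"nat (inside,outside) source static {local.obj_name} {local.obj_name} "
        f"destination static {remote.obj_name} {remote.obj_name}",
        f"tunnel-group {remote.public_ip} type ipsec-l2l",
        f"tunnel-group {remote.public_ip} ipsec-attributes",
        f" pre-shared-key {p1.psk}",
        " isakmp keepalive threshold 10 retry 2",
        "crypto ikev1 policy 10",
        " authentication pre-share",
        f" encryption {p1.encryption}",
        f" hash {p1.hash}",
        f" group {p1.group}",
        f" lifetime {p1.lifetime}",
        f"crypto ipsec ikev1 transform-set {ts} esp-{p1.encryption} esp-{p1.hash}-hmac",
        f"crypto map outside_map 1 match address {acl}",
        f"crypto map outside_map 1 set pfs group{p1.group}",
        f"crypto map outside_map 1 set peer {remote.public_ip}",
        f"crypto map outside_map 1 set ikev1 transform-set {ts}",
        "crypto map outside_map interface outside",
        "crypto ikev1 enable outside",
    ]


def mirror_pair(site_a, site_b, p1):
    """Both ends from one description: the second is the mirror image of the first."""
    return site_to_site(site_a, site_b, p1), site_to_site(site_b, site_a, p1)


def _extract(cfg):
    """Pull the negotiation-relevant values back out of a generated config."""
    text = "\n".join(cfg)
    objs = dict(re.findall(r"object network (\S+)\n subnet (.+)", text))
    src, dst = re.search(r"permit ip object (\S+) object (\S+)", text).groups()

    def one(pat):
        return re.search(pat, text).group(1)

    return {
        "peer": one(r"set peer (\S+)"),
        "psk": one(r"pre-shared-key (\S+)"),
        "phase1": tuple(one(rf"\n {k} (\S+)") for k in ("encryption", "hash", "group", "lifetime")),
        "pfs": one(r"set pfs (\S+)"),
        "esp": one(r"transform-set \S+ (esp-\S+ esp-\S+)"),
        "local": objs[src],
        "remote": objs[dst],
    }


def mismatches(cfg_a, cfg_b):
    """Reasons the two ends would fail to negotiate; empty means they are a consistent mirror."""
    a, b = _extract(cfg_a), _extract(cfg_b)
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["phase1"] != b["phase1"]:
        problems.append(f"phase 1 policy differs: {a['phase1']} vs {b['phase1']}")
    if a["esp"] != b["esp"]:
        problems.append("phase 2 transform sets differ")
    if a["pfs"] != b["pfs"]:
        problems.append("PFS groups differ")
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("interesting-traffic subnets are not mirrored")
    if a["peer"] == b["peer"]:
        problems.append("both ends point at the same peer address")
    return problems


# Subnets and Site B's address are the article's; Site A's public address is a constructed
# placeholder, and the PSK is the article's example value (use a long random key in practice).
SITE_A = Site("Site-A-SN", "203.0.113.10", "10.254.254.0 255.255.255.0")
SITE_B = Site("Site-B-SN", "123.123.123.123", "172.16.254.0 255.255.255.0")
PHASE1 = Phase1(psk="1234567890")

if __name__ == "__main__":
    cfg_a, cfg_b = mirror_pair(SITE_A, SITE_B, PHASE1)
    print("\n".join(cfg_b))
    print("mismatches:", mismatches(cfg_a, cfg_b))
```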