

Notable Replies

  1. Hi Rene,

    If I want to create another connection profile, do I need to create another policy in IPsec phase 1
    (crypto ikev1 policy 10)?

    Or is it a one-time configuration (IPsec phase 1 and phase 2)?
    How do I remove the tunnel group and group policy from the command line?

    Thanks

  2. Hi Amit,

    Yes, you can. You’ll need to create an additional policy group and tunnel group for this. Here’s a quick example:

    group-policy VIRL_VPN internal
    group-policy VIRL_VPN attributes
     vpn-filter value VIRL
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value VIRL_SPLIT_TUNNEL
    
    access-list VIRL_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0
    
    access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS 
    access-list VIRL extended permit tcp any object VIRL2 object-group VIRL_PORTS
    
    tunnel-group VIRL_TUNNEL type remote-access
    tunnel-group VIRL_TUNNEL general-attributes
     address-pool VIRL_VPN_USERS
     default-group-policy VIRL_VPN
    tunnel-group VIRL_TUNNEL ipsec-attributes
     ikev1 pre-shared-key *****
    

    The group policy called “VIRL_VPN” uses an access-list called VIRL to define what resources the remote user can access. It also uses split tunneling: this VPN is only used to reach the networks in access-list VIRL_SPLIT_TUNNEL.

    In the tunnel-group, you can see we refer to the VIRL_VPN group-policy.

    Hope this helps!

    Rene
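    The script below is an added example, not something from the thread or from Cisco. It reads the snippet above as plain text and reports every reference (vpn-filter, split-tunnel-network-list, default-group-policy, address-pool) that points at an object the snippet never defines. The pool name VIRL_VPN_USERS is referenced but its `ip local pool` line is not part of the snippet, so the check flags it; a mistyped group-policy name would be flagged the same way. The regexes only cover the commands that appear here plus `ip local pool`, which is an assumption about what a reviewer wants checked, not a complete ASA parser.

```python
"""Lint a Cisco ASA remote-access VPN snippet for dangling object references."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the configuration from the reply above, verbatim
# (the pre-shared key is masked there, so it stays masked here).
SAMPLE_CONFIG = """\
group-policy VIRL_VPN internal
group-policy VIRL_VPN attributes
 vpn-filter value VIRL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VIRL_SPLIT_TUNNEL

access-list VIRL_SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

access-list VIRL extended permit tcp any object VIRL object-group VIRL_PORTS
access-list VIRL extended permit tcp any object VIRL2 object-group VIRL_PORTS

tunnel-group VIRL_TUNNEL type remote-access
tunnel-group VIRL_TUNNEL general-attributes
 address-pool VIRL_VPN_USERS
 default-group-policy VIRL_VPN
tunnel-group VIRL_TUNNEL ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Top-level commands that define an object, keyed by the kind used in references.
_DEFINITIONS = [
    ("group-policy", re.compile(r"group-policy (\S+) (internal|external|attributes)\b")),
    ("access-list", re.compile(r"access-list (\S+) ")),
    ("pool", re.compile(r"ip local pool (\S+) ")),
]
# Block headers whose indented attribute lines may carry references.
_BLOCK_HEADER = re.compile(
    r"(group-policy|tunnel-group) (\S+) "
    r"(attributes|general-attributes|ipsec-attributes|webvpn-attributes)\b"
)
# Indented attributes that reference another object: (regex, kind referenced).
_REFERENCES = [
    (re.compile(r"\s+(?:vpn-filter|split-tunnel-network-list) value (\S+)"), "access-list"),
    (re.compile(r"\s+default-group-policy (\S+)"), "group-policy"),
    (re.compile(r"\s+address-pool (\S+)"), "pool"),
]


def parse_asa_config(text: str) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str, str]]]:
    """Return (defined names per kind, references as (kind, name, source block))."""
    defined: Dict[str, Set[str]] = {kind: set() for kind, _ in _DEFINITIONS}
    refs: List[Tuple[str, str, str]] = []
    current = None  # "type name" of the block whose indented lines follow
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Unindented: record any definition, then decide whether a block starts.
            for kind, pattern in _DEFINITIONS:
                m = pattern.match(line)
                if m:
                    defined[kind].add(m.group(1))
            m = _BLOCK_HEADER.match(line)
            current = f"{m.group(1)} {m.group(2)}" if m else None
            continue
        if current is None:
            continue  # indented line outside any block we track
        for pattern, kind in _REFERENCES:
            m = pattern.match(line)
            if m:
                refs.append((kind, m.group(1), current))
                break
    return defined, refs


def dangling_references(text: str) -> List[str]:
    """Describe every reference to an object the snippet never defines."""
    defined, refs = parse_asa_config(text)
    return [f"{source} refers to undefined {kind} {name}"
            for kind, name, source in refs if name not in defined[kind]]


if __name__ == "__main__":
    for problem in dangling_references(SAMPLE_CONFIG):
        print(problem)
```

    Run it over a full `show running-config` export rather than a fragment and the only findings left should be real ones: a group policy whose split-tunnel list was renamed, or a tunnel group still pointing at a pool that was deleted.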

  3. Hi Rene,

    I have a private IP address on the outside interface connected to the ISP, and the DMZ interface has public IPs for different services. Then the question is:

    Can I use a public IP address from my DMZ pool to bring up my remote access VPN?

    How do I do this?

    best regards

  4. Hi @sclarke1210,

    You won’t see a tunnel interface directly. If you want to verify that a user has connected and see the IP address that was assigned from the VPN pool, it’s best to use these two commands:

    ASA# show crypto ikev1 sa
    
    IKEv1 SAs:
    
       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1
    
    2   IKE Peer: 62.44.197.140
        Type    : user            Role    : responder 
        Rekey   : no              State   : AM_ACTIVE 
    

    Above you can see that a user has connected. You can see the IP addresses below:

    ASA# show crypto ipsec sa user renemolenaar
    username: renemolenaar
        Crypto map tag: RMCS_VPN, seq num: 10, local addr: 1.2.3.4
    
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.1.100/255.255.255.255/0/0)
          current_peer: 62.44.197.140, username: renemolenaar
          dynamic allocated peer ip: 192.168.1.100
          dynamic allocated peer ip(ipv6): 0.0.0.0
    
          #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
          #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 67, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0
    
          local crypto endpt.: 1.2.3.4/4500, remote crypto endpt.: 62.44.197.140/6967
          path mtu 1500, ipsec overhead 82(52), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 029C51AC
          current inbound spi : 323F5F7F
                  
        inbound esp sas:
          spi: 0x323F5F7F (843014015)
             transform: esp-aes esp-sha-hmac no compression 
             in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
             slot: 0, conn_id: 4460544, crypto-map: RMCS_VPN
             sa timing: remaining key lifetime (sec): 28722
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x029C51AC (43798956)
             transform: esp-aes esp-sha-hmac no compression 
             in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
             slot: 0, conn_id: 4460544, crypto-map: RMCS_VPN
             sa timing: remaining key lifetime (sec): 28722
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap: 
              0x00000000 0x00000001
    

    Above you can see the dynamic allocated peer ip, which is the IP address from the VPN pool.

    Rene
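    As an added example (not from the thread or from Cisco), the script below turns the `show crypto ipsec sa` output above into one record per connected user: the public peer address, the address handed out from the VPN pool, whether NAT-T is in use, packet counters, the remaining SA lifetime, and the ESP transform. The first session in the sample is the one shown above, trimmed to the lines the parser reads; the second session, user `example_user` with an `esp-3des esp-md5-hmac` transform, is constructed to show how a legacy transform set is reported. The list of algorithms treated as legacy is my own choice for the example.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' output into per-user session records."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: session 1 is copied from the reply above (trimmed),
# session 2 is invented to exercise the legacy-transform check.
SAMPLE_OUTPUT = """\
username: renemolenaar
    Crypto map tag: RMCS_VPN, seq num: 10, local addr: 1.2.3.4

      current_peer: 62.44.197.140, username: renemolenaar
      dynamic allocated peer ip: 192.168.1.100
      dynamic allocated peer ip(ipv6): 0.0.0.0

      #pkts encaps: 67, #pkts encrypt: 67, #pkts digest: 67
      #pkts decaps: 75, #pkts decrypt: 75, #pkts verify: 75

      local crypto endpt.: 1.2.3.4/4500, remote crypto endpt.: 62.44.197.140/6967

    inbound esp sas:
      spi: 0x323F5F7F (843014015)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         sa timing: remaining key lifetime (sec): 28722
    outbound esp sas:
      spi: 0x029C51AC (43798956)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         sa timing: remaining key lifetime (sec): 28722
username: example_user
    Crypto map tag: RMCS_VPN, seq num: 10, local addr: 1.2.3.4

      current_peer: 198.51.100.23, username: example_user
      dynamic allocated peer ip: 192.168.1.101
      dynamic allocated peer ip(ipv6): 0.0.0.0

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12

      local crypto endpt.: 1.2.3.4/500, remote crypto endpt.: 198.51.100.23/500

    inbound esp sas:
      spi: 0x0000ABCD (43981)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  IKEv1, }
         sa timing: remaining key lifetime (sec): 3600
    outbound esp sas:
      spi: 0x0000DCBA (56506)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={RA, Tunnel,  IKEv1, }
         sa timing: remaining key lifetime (sec): 3600
"""

# Algorithm names treated as legacy for this example (assumption, not an ASA list).
LEGACY_TOKENS = ("des", "3des", "md5", "null")


@dataclass
class VpnSession:
    username: str
    peer: str                    # public address the user connects from
    assigned_ip: Optional[str]   # "dynamic allocated peer ip" from the VPN pool
    nat_t: bool                  # NAT-T-Encaps present in the SA settings
    transforms: List[str]        # distinct ESP transform lines seen
    pkts_encaps: int
    pkts_decaps: int
    min_lifetime: Optional[int]  # smallest remaining key lifetime (sec)

    def legacy_algorithms(self) -> List[str]:
        """Transform tokens such as esp-3des or esp-md5-hmac, sorted, deduplicated."""
        hits = set()
        for transform in self.transforms:
            for token in transform.split():
                if any(part in LEGACY_TOKENS for part in token.lower().split("-")):
                    hits.add(token)
        return sorted(hits)


def _first(pattern: str, text: str, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_ipsec_sa(output: str) -> List[VpnSession]:
    """Split the output on unindented 'username:' lines and extract one record each."""
    sessions = []
    for chunk in re.split(r"(?m)^username: ", output)[1:]:
        username, _, body = chunk.partition("\n")
        lifetimes = [int(x) for x in re.findall(r"remaining key lifetime \(sec\): (\d+)", body)]
        sessions.append(VpnSession(
            username=username.strip(),
            peer=_first(r"current_peer: ([^,\s]+)", body, ""),
            assigned_ip=_first(r"dynamic allocated peer ip: (\S+)", body),
            nat_t="NAT-T-Encaps" in body,
            transforms=sorted({t.strip() for t in re.findall(r"transform: (.+)", body)}),
            pkts_encaps=int(_first(r"#pkts encaps: (\d+)", body, 0)),
            pkts_decaps=int(_first(r"#pkts decaps: (\d+)", body, 0)),
            min_lifetime=min(lifetimes) if lifetimes else None,
        ))
    return sessions


if __name__ == "__main__":
    for s in parse_ipsec_sa(SAMPLE_OUTPUT):
        flag = f" LEGACY {s.legacy_algorithms()}" if s.legacy_algorithms() else ""
        print(f"{s.username}: {s.peer} -> {s.assigned_ip} nat-t={s.nat_t} "
              f"tx={s.pkts_encaps} rx={s.pkts_decaps}{flag}")
```

    Fed the full output of `show crypto ipsec sa` (without the `user` filter) this gives a quick table of who is connected from where and which pool address they hold, which is the same information the reply extracts by eye from the `current_peer` and `dynamic allocated peer ip` lines.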
