1. Clear VPN Configuration:
clear configure crypto map VPN_AAAA
2. Debug and show commands:
ciscoasa#terminal monitor ciscoasa(config)# logging buffer-size 1048576 ciscoasa(config)# logging buffered 7 ciscoasa(config)# logging monitor 7 ciscoasa(config)# debug crypto condition peer 10.10.10.10 ciscoasaa(config)# ciscoasa(config)# debug crypto ipsec 127
The debug icmp trace command is used to capture the ICMP traffic of the user.
ciscoasa#debug icmp trace
ciscoasa#
!--- Output is suppressed.
ICMP echo request from 192.168.1.50 to 192.168.1.1 ID=512 seq=5120 len=32
ICMP echo reply from 192.168.1.1 to 192.168.1.50 ID=512 seq=5120 len=32
!--- The user IP address is 192.168.1.50.
The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.
In order to disable debug icmp trace, use one of these commands:
no debug icmp trace
undebug icmp trace
undebug all, Undebug all, or un all
Each
of these three options helps the administrator to determine the source
IP address. In this example, the source IP address of the user is
192.168.1.50. The administrator is ready to learn more about application
X and determine the cause of the problem.
To see ISAKMP configuration use show run crypto isakmp
To see IPSec configuration use show run crypto ipsec
To see crypto map configuration use show run crypto map
To see IPsec operational data use show crypto ipsec sa
To see ISAKMP operational data use show crypto isakmp sa
To debug isakmp use debug crypto isakmp
To debug ipsec use debug crypto ipsec
To manually tear down an ISAKMP or IPSEC SA:
clear crypto ipsec
clear crypto isakmp
To clear IPsec SA counters use Clear crypto ipsec sa counters
To clear IPsec SAs by entry use Clear IPsec SAs entry ipaddress
To clear IPsec SAs by map use Clear IPsec SAs map cryptomap_name
To clear IPsec SA by peer use Clear IPsec SA peer ipaddress
To clear ISAKMP SA by ipaddress use Clear crypto Isakmp SA ipaddress
3. Recover Pre-Shared Key in Pix/ASA:
more system:running-config
4. Use a capture to confirm IPSec packets hit the firewall:
The administrator needs to
create an access-list that defines what traffic the ASA needs to
capture. After the access-list is defined, the capture command
incorporates the access-list and applies it to an interface.
ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#capture inside_interface access-list inside_test interface inside
The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.
ciscoasa#show capture inside_interface
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request
!— The user IP address is 192.168.1.50.
Note: In order to download the capture file to a system such as ethereal, you can do it as this output shows.
!— Open an Internet Explorer and browse with this https link format:
https://[<pix_ip>/<asa_ip>]/capture/<capture name>/pcap
Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more about Packet Capturing in ASA.
Turn off the packet capture and remove the ACL:
ASA(config)#no capture inside_interface
ASA(config)#clear configure access-list inside_test
You can clear the capture log by using this command:
ASA#clear capture inside_interface
You can also use the pipe functionality when viewing the capture output:
ASA#show capture inside_interface | inc 192.168.1.1
To confirm that the IPSEC packets are reaching the firewall, a capture can be created for all UDP 500 traffic.
First create an access-list for the traffic you would like to capture.
Access-list capture1 permit udp any any eq 500
Next create a capture.
Capture cap1 access-list capture1 interface outside
Next display the results of the capture.
Show capture cap1 detail
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: UDP:500
Or view capture on web
https://capture/pcap/cap1
5. Syslog
Make sure logging is enabled. The logging
level needs to be set to debug. Logging can be sent to various
locations. This example uses the ASA log buffer. You might need an
external logging server in production environments.
ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging
The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.
ciscoasa#show logging
!— Output is suppressed.
%ASA-6-302020: Built ICMP connection for faddr 192.168.1.50/512
gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/512
gaddr 192.168.1.1/0 laddr 192.168.1.1/0
!— The user IP address is 192.168.1.50.
6. ‘ping -f’ command troubleshooting MTU size over IPSEC VPN
The -f flag from a Windows command prompt prevents an ICMP packet from being fragmented. This, combined with the -l flag allows you to set the size of the ICMP packet being sent.
So, assuming a standard ethernet MTU of 1500, and accounting for an 8-byte ICMP header, and 20-byte IP header, I should be able to send an ICMP packet sized to 1472 bytes, but 1473 should be too large:
C:\Users\netcanuck>ping 172.16.32.1 -f -l 1472 Pinging 172.16.32.1 with 1472 bytes of data: Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251 Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251 Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251 Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251 C:\Users\netcanuck>ping 172.16.32.1 -f -l 1473 Pinging 172.16.32.1 with 1473 bytes of data: Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set. Packet needs to be fragmented but DF set.
7. Assign AnyConnect User a static ip with local authentication
7.1 vpn-framed-ip-address command
username user1 password user12345
username user1 attributes
vpn-framed-ip-address 192.168.1.11 255.255.255.0
Reference: ASA/PIX: Static IP Addressing for IPSec VPN Client with CLI and ASDM Configuration Example
7.2 Create Multiple Groups with own pool and with just one ip
For example:
Three groups are created, each with its own pool and with just one IP address. The inside network is 192.168.1.0/24:
ip local pool group1 172.16.99.1 ip local pool group2 172.16.99.2 ip local pool group3 172.16.99.3 access-list nonat permit ip 192.168.1.0 255.255.255.0 172.16.99.0 255.255.255.0 crypto ipsec transform-set myset esp-3des esp-md5-hmac crypto dynamic-map dynmap 10 set transform-set myset crypto map mymap 99 ipsec-isakmp dynamic dynmap crypto map mymap interface outside sysopt connection permit ipsec isakmp nat-trav isakmp identity address isakmp keepalive 10 2 isakmp enable outside isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash md5 isakmp policy 1 group 2 isakmp policy 1 lifetime 86400 (the actual vpn groups): vpngroup group1 password MYPASSWORD vpngroup group1 address-pool group1 vpngroup group1 dns 192.168.1.5 vpngroup group1 wins 192.168.1.5 vpngroup group2 password MYPASSWORD vpngroup group2 address-pool group2 vpngroup group2 dns 192.168.1.5 vpngroup group2 wins 192.168.1.5 vpngroup group3 password MYPASSWORD vpngroup group3 address-pool group3 vpngroup group3 dns 192.168.1.5 vpngroup group3 wins 192.168.1.5 wr mem
8. Limit AnyConnect User to Assigned Resources
8.1 All all VPN traffic bypassing interface ACL.
The default setting of the ASA is that it allows all traffic coming from a VPN Connection to bypass the interface ACL of the interface to which the VPN Clients connect. In this case your “outside” interface. The default configuration command is
sysopt connection permit-vpn
If you were to change it to
no sysopt connection permit-vpn
Then you would have to allow ALL VPN related traffic in the interface ACL of “outside”.
8.2 Building Interface VPN ACL
After this we could start building the interface ACL which you could use to control the traffic from the VPN Clients.
Lets presume that you can allocate the user an IP address based on the login information. Lets also presume that the following are the starting information
Users:
User A: 192.168.2.1
User B: 192.168.2.2
User C: 192.168.2.3
Servers:
Server A: x.x.x.1
Server B: x.x.x.2
Server C: x.x.x.3
Lets now presume that you wanted to allow connections from User A to Server A and from User B to Server B and so on. Then you could configure the following ACL
access-list OUTSIDE-IN remark Rules for VPN users
access-list OUTSIDE-IN remark User A
access-list OUTSIDE-IN permit ip host 192.168.2.1 host x.x.x.1
access-list OUTSIDE-IN remark User B
access-list OUTSIDE-IN permit ip host 192.168.2.2 host x.x.x.2
access-list OUTSIDE-IN remark User C
access-list OUTSIDE-IN permit ip host 192.168.2.3 host x.x.x.3
access-group OUTSIDE-IN in interface outside
The above configurations would allow all TCP/UDP traffic from the User A to Server A and so on. They wont not be able to access other servers other what is specified in the ACL.
Naturally the other option is to use the VPN Filter ACL as it should work too to my understanding but the above is one option.
Notes: Other ASA troubleshooting Commands
Please refer to this post.
