Wednesday, June 20, 2018

CISCO ASA VPN Tips and Tricks

1. Clear VPN Configuration: 

clear configure crypto map VPN_AAAA

2. Debug and show commands:

Enable logging:

ciscoasa#terminal monitor
ciscoasa(config)# logging buffer-size 1048576
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging monitor 7
ciscoasa(config)# debug crypto condition peer
ciscoasa(config)# debug crypto ipsec 127

The debug icmp trace command is used to capture the ICMP traffic of the user.

ciscoasa#debug icmp trace


!--- Output is suppressed.

ICMP echo request from to ID=512 seq=5120 len=32
ICMP echo reply from to ID=512 seq=5120 len=32

!--- The user IP address is

The user pings the inside interface of the ASA (ping This output is displayed on the console.

In order to disable debug icmp trace, use one of these commands:

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of these three options helps the administrator to determine the source IP address. In this example, the source IP address of the user is The administrator is ready to learn more about application X and determine the cause of the problem.

To see ISAKMP configuration use show run crypto isakmp
To see IPSec configuration  use show run crypto ipsec
To see crypto map configuration use show run crypto map
To see IPsec operational data use show crypto ipsec sa
To see ISAKMP operational data use show crypto isakmp sa

To debug isakmp use debug crypto isakmp
To debug ipsec use debug crypto ipsec

To manually tear down an ISAKMP or IPSEC SA:
clear crypto ipsec
clear crypto isakmp

To clear IPsec SA counters use clear crypto ipsec sa counters
To clear an IPsec SA by entry use clear crypto ipsec sa entry peer-address protocol spi
To clear IPsec SAs by crypto map use clear crypto ipsec sa map cryptomap_name
To clear IPsec SAs by peer use clear crypto ipsec sa peer peer-address
To clear the ISAKMP SA for a peer use clear crypto isakmp sa peer-address

3. Recover Pre-Shared Key in Pix/ASA: 

more system:running-config

4. Use a capture to confirm IPSec packets hit the firewall:

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host
ciscoasa(config)#capture inside_interface access-list inside_test interface inside
The user pings the inside interface of the ASA (ping This output is displayed.

ciscoasa#show capture inside_interface
   1: 13:04:06.284897 > icmp: echo request

!--- The user IP address is

Note: To download the capture file to a system running a packet analyzer such as Ethereal (Wireshark), use the HTTPS URL format shown below.

!--- Open Internet Explorer and browse to this https link format:

https://[<pix_ip>/<asa_ip>]/capture/<capture name>/pcap
Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example to learn more about packet capturing on the ASA.

Turn off the packet capture and remove the ACL:

ASA(config)#no capture inside_interface
ASA(config)#clear configure access-list inside_test

You can clear the capture log by using this command:
ASA#clear capture inside_interface

You can also use the pipe functionality when viewing the capture output:
ASA#show capture inside_interface | inc

To confirm that the IPsec packets are reaching the firewall, a capture can be created for all UDP 500 (ISAKMP) traffic.
First create an access-list for the traffic you would like to capture.
access-list capture1 permit udp any any eq 500

Next create a capture.
capture cap1 access-list capture1 interface outside

Next display the results of the capture.
show capture cap1 detail
1: 13:04:06.284897 > UDP:500

Or view the capture via the web URL format shown above.

5. Syslog

Make sure logging is enabled. The logging level needs to be set to debug. Logging can be sent to various locations. This example uses the ASA log buffer. You might need an external logging server in production environments.

ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging
The user pings the inside interface of the ASA (ping This output is displayed.

ciscoasa#show logging

!--- Output is suppressed.

%ASA-6-302020: Built ICMP connection for faddr
gaddr laddr
%ASA-6-302021: Teardown ICMP connection for faddr
gaddr laddr

!--- The user IP address is
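The point of the syslog step above is to find the user's address in the %ASA-6-302020 / %ASA-6-302021 ICMP connection messages. The following parser is an added example, not part of the original post: it reads constructed sample lines in the shape of those messages (documentation-range addresses, made up here), counts connections built and torn down per foreign address, and ignores every other message ID.

```python
import re
from collections import defaultdict

# Constructed sample of "show logging" output for this example (not a real capture).
# Newer ASA releases add "inbound"/"outbound" after "Built"; the regex accepts both forms.
SAMPLE_SHOW_LOGGING = """\
%ASA-6-302020: Built inbound ICMP connection for faddr 192.0.2.10/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.10/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302020: Built ICMP connection for faddr 192.0.2.10/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.7/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.0.2.10/0 gaddr 10.0.0.1/0 laddr 10.0.0.1/0
%ASA-6-302013: Built inbound TCP connection 77 for outside:203.0.113.7/40000 (203.0.113.7/40000) to inside:10.0.0.5/22 (10.0.0.5/22)
"""

ICMP_CONN_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30202[01]): (?P<event>Built|Teardown) (?:(?:inbound|outbound) )?"
    r"ICMP connection for faddr (?P<faddr>[\d.]+)/\d+ "
    r"gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def icmp_connection_summary(log_text):
    """Return {faddr: {"built": n, "torn_down": n, "open": n}} for ICMP connections seen in the log.

    faddr is the address on the far side of the ASA, i.e. the pinging user in the scenario above.
    """
    summary = defaultdict(lambda: {"built": 0, "torn_down": 0, "open": 0})
    for line in log_text.splitlines():
        m = ICMP_CONN_RE.search(line)
        if not m:
            continue  # any other syslog ID (TCP connections, ACL denies, ...) is skipped
        entry = summary[m["faddr"]]
        if m["event"] == "Built":
            entry["built"] += 1
        else:
            entry["torn_down"] += 1
        entry["open"] = entry["built"] - entry["torn_down"]
    return dict(summary)


if __name__ == "__main__":
    for faddr, counts in icmp_connection_summary(SAMPLE_SHOW_LOGGING).items():
        print(f"{faddr}: built={counts['built']} torn_down={counts['torn_down']} open={counts['open']}")
```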

6. 'ping -f' command troubleshooting MTU size over IPSEC VPN

The -f flag from a Windows command prompt sets the Don't Fragment bit so the ICMP packet cannot be fragmented. Combined with the -l flag, this lets you set the size of the ICMP payload being sent.

So, assuming a standard Ethernet MTU of 1500, and accounting for an 8-byte ICMP header and a 20-byte IP header, I should be able to send an ICMP payload of 1472 bytes, but 1473 should be too large:
C:\Users\netcanuck>ping -f -l 1472

Pinging with 1472 bytes of data:
Reply from bytes=1472 time=3ms TTL=251
Reply from bytes=1472 time=4ms TTL=251
Reply from bytes=1472 time=4ms TTL=251
Reply from bytes=1472 time=3ms TTL=251

C:\Users\netcanuck>ping -f -l 1473

Pinging with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
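The 1472/1473 boundary above is for a plain link. Across the IPsec tunnel the inner packet also has to carry the ESP overhead, so the largest "ping -f -l" size that still passes is smaller. The calculation below is an added example, not from the original post; it assumes IPv4 ESP tunnel mode with the post's transform set esp-3des esp-md5-hmac (8-byte cipher block and IV, 12-byte ICV), no IP options, and optionally NAT-T UDP encapsulation.

```python
# Byte sizes of the fixed headers involved (IPv4, ICMP echo, UDP for NAT-T, ESP).
IPV4_HDR = 20
ICMP_HDR = 8
UDP_HDR = 8            # only present when NAT-T (UDP 4500) encapsulation is in use
ESP_SPI_SEQ = 8        # ESP header: SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2        # ESP trailer: pad-length (1 byte) + next-header (1 byte)


def max_clear_icmp_payload(mtu=1500):
    """Largest 'ping -l' size on a plain link: MTU minus IP and ICMP headers (1472 at 1500)."""
    return mtu - IPV4_HDR - ICMP_HDR


def max_esp_tunnel_icmp_payload(mtu=1500, block=8, iv_len=8, icv_len=12, nat_t=False):
    """Largest 'ping -l' size whose ESP-tunnelled packet still fits the outer-link MTU.

    Defaults model esp-3des esp-md5-hmac: 3DES-CBC (block=8, iv_len=8) and HMAC-MD5-96
    (icv_len=12).  For AES-CBC use block=16, iv_len=16; for an SHA-256 ICV use icv_len=16.
    Assumption: the inner packet is an IPv4 ICMP echo with no IP options.
    """
    # Overhead that does not depend on the payload: outer IP, optional UDP, ESP header, IV, ICV.
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_SPI_SEQ + iv_len + icv_len
    room = mtu - fixed                      # bytes left for inner packet + padding + trailer
    padded = room - (room % block)          # the encrypted part is a whole number of cipher blocks
    inner_pkt = padded - ESP_TRAILER        # biggest inner IPv4 packet that needs no extra padding
    return inner_pkt - IPV4_HDR - ICMP_HDR  # strip the inner IP and ICMP headers


def first_fragmented_size(**kwargs):
    """The smallest 'ping -l' size that produces 'Packet needs to be fragmented but DF set'."""
    return max_esp_tunnel_icmp_payload(**kwargs) + 1


if __name__ == "__main__":
    print("plain link:          ", max_clear_icmp_payload())            # 1472
    print("ESP 3DES/MD5:        ", max_esp_tunnel_icmp_payload())       # 1418
    print("ESP 3DES/MD5 + NAT-T:", max_esp_tunnel_icmp_payload(nat_t=True))  # 1410
    print("first DF failure:    ", first_fragmented_size())             # 1419
```

Probe with "ping -f -l <size>" starting at the computed value and step up by one to confirm where fragmentation starts on your tunnel.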

7. Assign AnyConnect User a static ip with local authentication

7.1 vpn-framed-ip-address command
username user1 password user12345

username user1 attributes
 vpn-framed-ip-address <ip-address> <subnet-mask>

Reference: ASA/PIX: Static IP Addressing for IPSec VPN Client with CLI and ASDM Configuration Example

7.2 Create Multiple Groups with own pool and with just one ip
For example:
Three groups are created, each with its own pool and with just one IP address. The inside network is

ip local pool group1
ip local pool group2
ip local pool group3

access-list nonat permit ip

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 99 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

sysopt connection permit ipsec

isakmp nat-trav
isakmp identity address
isakmp keepalive 10 2

isakmp enable outside

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

(the actual vpn groups):

vpngroup group1 password MYPASSWORD
vpngroup group1 address-pool group1
vpngroup group1 dns
vpngroup group1 wins

vpngroup group2 password MYPASSWORD
vpngroup group2 address-pool group2
vpngroup group2 dns
vpngroup group2 wins

vpngroup group3 password MYPASSWORD
vpngroup group3 address-pool group3
vpngroup group3 dns
vpngroup group3 wins

wr mem

8. Limit AnyConnect User to Assigned Resources
8.1 All VPN traffic bypasses the interface ACL by default.
By default the ASA allows all traffic arriving over a VPN connection to bypass the interface ACL of the interface the VPN clients connect to, in this case your "outside" interface. The default configuration command is

sysopt connection permit-vpn

If you were to change it to

no sysopt connection permit-vpn

Then you would have to allow ALL VPN related traffic in the interface ACL of "outside".

8.2 Building Interface VPN ACL
After this we can start building the interface ACL that controls the traffic from the VPN clients.

Let's presume that you can allocate the user an IP address based on the login information. Let's also presume the following starting information:

User A:
User B:
User C:

Server A: x.x.x.1
Server B: x.x.x.2
Server C: x.x.x.3
Let's now presume that you want to allow connections from User A to Server A, from User B to Server B, and so on. Then you could configure the following ACL:

access-list OUTSIDE-IN remark Rules for VPN users
access-list OUTSIDE-IN remark User A
access-list OUTSIDE-IN permit ip host host x.x.x.1
access-list OUTSIDE-IN remark User B
access-list OUTSIDE-IN permit ip host host x.x.x.2
access-list OUTSIDE-IN remark User C
access-list OUTSIDE-IN permit ip host host x.x.x.3
access-group OUTSIDE-IN in interface outside

The above configuration would allow all TCP/UDP traffic from User A to Server A, and so on. The users would not be able to reach any server other than the one specified for them in the ACL.

Naturally the other option is to use a VPN filter ACL, which to my understanding should work too, but the above is one option.

Notes: Other ASA troubleshooting Commands
Please refer to this post.
