Petri IT Knowledgebase Forums > Networking > Cisco Security – PIX/ASA/VPN

Request for ASA5510 advice

This thread has 7 replies and has been viewed 4483 times.
#1  RicklesP, Member, 6th June 2012, 23:18

Not a beginner to networking (passed CCNA last month; MCSA, Network+, Sec'y+ over the last few years) but have never touched an ASA. My site hosts several partner companies under one prime contract. My firm inherited the IT as-is, and it won't be massively changed anytime soon, but it works well. It does need work, though.

The ultimate goal is to connect a particular group of users behind my current Fortinet firewall device to their corporate system across the country. Currently the users at my site use individual VPN clients, but that causes issues with local network printing, company GPO enforcement, etc., esp. because this group of users never have their laptops connected directly to the distant company servers--they were hired locally, and the IT was built locally and joined to the distant domain via the same VPN client link. And it wasn't right.

Company will allow a new IPSec tunnel between my Fortinet device and their system so the clients don't have to be their own endpoints, but only if we provision a new 5510 at their end to do it. Since I'm the only Cisco-trained on-site, it's my job to figure this out. Info on configuring the Fortinet is readily available, as is tech support, but I'm on my own for the ASA.

Can anyone recommend a decent source of info I can refer to for a quick up-to-speed on the ASA? I've heard 3rd-person about how awkward the GUI is for these things, so I'm hesitant to just dive right in. I plan to take the ASA home and set up a tunnel through my Cisco SRP527W ADSL router to verify the Fortinet works as expected, before taking the ASA to the cross-country site for formal install.

All suggestions appreciated. No laughter, please.
#2  auglan, Moderator, 6th June 2012, 23:23

I would say the configuration guide for the ASA is the best place to start. The version of code that is running will determine what to search for.

Example:

cisco asa 5510 8.3 configuration guide
__________________
CCNA, CCNA-Security, CCNP
CCIE Security (In Progress)
#3  RicklesP, Member, 7th June 2012, 23:00

From the size of the file, that's not what I call 'light' reading! But, if that's where I have to start, best clean my glasses.

Thanks for the ref. I guess the ASA is different enough that my idea of a 'quick up-to-speed' was more of a prayer than anything else.

You can probably expect a few more 'Help!?' posts from me in the near future.
#4  auglan, Moderator, 7th June 2012, 23:07

If it's just setting up a site-to-site VPN, then the ASA actually has instructions built into the device for L2L and remote-access VPNs. Granted, this is a basic config, but it walks you through all the steps. Yeah, the guide is rather large, but you should be able to pick out the pieces you need.


ciscoasa(config)# vpnsetup ?

Last edited by auglan; 7th June 2012 at 23:09..
#5  RicklesP, Member, 4th July 2012, 23:19

Auglan, I've finally got the 5510 configured for an internal network, an external interface IP, passwords, management interface working, and an IPSec tunnel defined, so hopefully it's gonna be plug-n-play. The device came new with IOS v8.2 with ASDM v6.2. Rather than introduce more problems by upgrading the software, I've left it as-is. Firewall rules are deemed a waste, since this device will sit behind multiple other defenses.

Any gotchas to look out for you can think of? The 'Guide' wasn't hard to read, but I figure there's always some little 'uh-oh' that isn't in the guide. Am I just being paranoid?
#6  auglan, Moderator, 5th July 2012, 00:09

The configuration examples usually only list a "basic" config to get a L2L tunnel up. There are a lot of additional options you can play with, but again it's best to consult the configuration guide. The VPN configs on IOS routers and ASAs have a lot of configuration, especially when you get into SSL VPNs. It would be impossible to memorize all the commands for every single config, at least for me. I consult the configuration guides frequently. If you're getting the results you need, then it should be fine. 8.3 and above versions have a lot different syntax, especially for NAT. It's not hard, but just a different way of configuring it. I think it's a lot better, but you need to see if your ASA meets the minimum requirements (memory etc.).
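The NAT syntax change auglan refers to is the gotcha most people hit when they move a config from 8.2 to 8.3 or later. The fragment below is an added example, not something posted in this thread: it shows the same intent (PAT for general Internet access, with tunnel traffic exempted from translation) written both ways. The interface names, the subnets 10.10.0.0/24 and 192.168.50.0/24, and the object names are assumptions chosen for illustration. RicklesP's ASA does no NAT at all, so on his box only the pre-8.3 crypto syntax matters; this is here for anyone who does upgrade.

```text
! --- ASA 8.2 and earlier (what the 5510 in this thread runs) ---
! Interface PAT for hosts on inside going to the Internet
global (outside) 1 interface
nat (inside) 1 10.10.0.0 255.255.255.0
! NAT exemption: traffic destined for the far side of the tunnel keeps its real source
! address. The ACL must list the same networks as the crypto map's match ACL.
access-list NONAT extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- ASA 8.3 and later: same intent, object-based syntax ---
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
! Identity "twice NAT" rule. Manual NAT (section 1) is evaluated before object NAT
! (section 2), so this exemption wins over the dynamic PAT defined on LOCAL_LAN.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
```

Two things to check before pasting the 8.3-style version onto a real box: from 8.3 on, interface ACLs and crypto map match ACLs are written in terms of real (untranslated) addresses, so any ACL that referenced a mapped address has to be rewritten; and the 8.3 release notes list a larger memory minimum than the 5510 originally shipped with (1 GB versus 256 MB), which is the "minimum requirements" point auglan makes above.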
#7  RicklesP, Member, 7th July 2012, 23:25

This is about as simple as you can get, really. We're using this ASA as a site-to-site IPSec tunnel endpoint at a corporate site, with another vendor's device as the other endpoint at my end. So the ASA will negotiate the tunnel and route traffic, but only for a select group of users at my end. It's not protecting other users/subnets; it's not doing NAT for anyone including the tunnel, and there are no SSL-VPN connections at all.

The corporate site insists that we buy this specific model ASA for installation at their site, even though they have several others in use, each acting as an endpoint for 1 customer, per ASA. What a waste.

I don't for one moment advocate anyone trying to memorize handbooks, etc. If you know where to find the answer, why clutter your mind up with the detail if it's not something you use every day? I just thought there might be one or 2 little tricks that need to be considered, which go above/beyond the manual--the sorts of things you only come across in actual implementation that the 'book' didn't cover for whatever reason. If you're telling me that the docs for the ASA don't appear to catch users out like that, then I roll with what I've got. Thanks.
#8  auglan, Moderator, 8th July 2012, 01:29

The only caveat I can think of is watch the syntax. Make sure you're using the same phase 1 and phase 2 parameters. Most mistakes in VPN configurations are misconfigured parameters. I always look at my config in Notepad to spot any obvious mistakes. If you're having trouble with a tunnel coming up or traffic not being encrypted, use your show commands and debugs on the ASA to figure out where the issue is.
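To make auglan's "same phase 1 and phase 2 parameters" advice concrete, here is an added example of a minimal L2L configuration in the 8.2 syntax RicklesP's 5510 runs, with the verification commands alongside it. It is not the thread's own config or Cisco's, and every specific is an assumption: the ASA's outside interface is named outside, the Fortinet peer is 203.0.113.2, the corporate LAN behind the ASA is 192.168.50.0/24, the partner users behind the Fortinet are 10.10.0.0/24, and the pre-shared key is a placeholder. Because the ASA here does no NAT (post #7), no exemption rule is needed; the built-in `vpnsetup` walkthrough from post #4 produces essentially this shape of config.

```text
! ---- Phase 1 (ISAKMP / IKEv1). Every value in this policy needs an identical
! ---- counterpart in the Fortinet Phase 1 proposal: pre-shared key, AES-256, SHA1,
! ---- DH group 2, 86400 s lifetime. A mismatch shows up as IKE stuck in MM_WAIT_MSG*.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! ---- Peer and pre-shared key (placeholder; use a long random string on both ends)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key CHANGE-ME-LONG-RANDOM-PSK

! ---- Phase 2 (IPsec). Transform set and PFS group must match the Fortinet Phase 2
! ---- proposal, and the crypto ACL must be the exact mirror of the Fortinet's
! ---- Phase 2 selectors (its local = this ACL's destination, its remote = this source).
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L_TO_SITE extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_TO_SITE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside
! Decrypted tunnel traffic bypasses the outside interface ACL (default, made explicit)
sysopt connection permit-vpn

! ---- Verification, in the order to run it when the tunnel will not come up ----
! 1. Phase 1: the peer should show state MM_ACTIVE. Any MM_WAIT_MSG* state that
!    never progresses means a policy, PSK or peer-address mismatch.
show crypto isakmp sa
! 2. Phase 2: look for an SA with the expected local/remote proxy identities and
!    #pkts encaps / #pkts decaps both increasing. Encaps rising with decaps at zero
!    means the far side is dropping or not returning traffic.
show crypto ipsec sa
! 3. Eyeball the whole crypto section in one place (auglan's Notepad check, on-box)
show run crypto
! 4. Simulate an interesting packet and confirm the VPN phase passes
packet-tracer input inside tcp 192.168.50.10 1025 10.10.0.5 445
! 5. Only if the above is inconclusive: full IKE/IPsec debug while sending traffic
debug crypto isakmp 127
debug crypto ipsec 127
undebug all
```

The parameter most often left mismatched in a Cisco-to-Fortinet pairing is the Phase 2 selector: if the Fortinet side is left at its default 0.0.0.0/0 quick-mode selectors while the ASA's crypto ACL names specific subnets, Phase 1 completes and Phase 2 fails, which is exactly the "tunnel up but traffic not encrypted" symptom auglan mentions. On ASA 8.4 and later the same configuration keeps its structure but the keywords change (`crypto ikev1 policy`, `crypto ikev1 enable outside`, `crypto ipsec ikev1 transform-set`, and `ikev1 pre-shared-key` under the tunnel group), so this block is only paste-ready on 8.2.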
All times are GMT +3.