Been waiting for this. Thank you so much brother. Your NAT on ASA video helped me configure nat on the job and also helped me understand all the types of nat (Nat exemption for vpns, static nat & pat, dynamic nat & pat and how to configure them using auto or manual). I really appreciate it 🙌🏽 from Africa The Gambia🇬🇲
Hey Edi, thank you, I'm glad that my videos have helped you. Thank you for showing your support.
Good job, you are the first with a detailed explanation and steps
Thank you and thank you for watching, I'm glad that it helped
Thanks boy for your brilliant explanation 👏👏👏👏👏👏👏👏👏👏👏👏👏👏
No problem, glad it helped.
Totally useful and working great! thanks for this
No problem, thank you for watching.
Done very well, thank you for this. It answers some of my questions.
Glad it helped, thank you for watching!
@NetworkWizkid One question for you: if you have multiple IKEv2 policies (let's say 10 with different params), will the tunnels choose the one that best fits the requirements of the other end during the phase 1 negotiation?
@1manairband I believe the selection works on the priority of the IKEv2 policy. This is done when you configure the IKEv2 policy and specify the priority number, for example: crypto ikev2 policy 10 - The number 10 is the priority in this case (the lower the number, the higher the priority). I hope that helps (11:30 in the video)
@NetworkWizkid I did catch that in your video but I was just curious if it worked from top down or bottom up. If priority 1 policy didn't match then would it match priority 2 if that was a better match based on settings?
Yes, I mean it would all depend on the policy used on the other side... if the stars align and we have two of the exact same policy but one has a higher priority, then the higher one will be selected.
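To make the "top down or bottom up" question concrete, here is an added example (not code from the video or the channel) that models the behaviour described in the reply: policies are walked from the lowest priority number upward and the first one that shares a transform in every category with the peer's offer wins. The policy values and the peer offer are constructed for illustration, and the assumption that a match needs one common transform per type (encryption, integrity, DH group, PRF) is how IKEv2 proposals are compared in general, not something the thread states.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ikev2Policy:
    """Models one 'crypto ikev2 policy <n>' block; n is the priority (lower number wins)."""
    priority: int
    encryption: frozenset
    integrity: frozenset
    group: frozenset
    prf: frozenset

def matches(policy, offer):
    """A policy matches the peer's offer when every transform type has a common value."""
    return bool(policy.encryption & offer.encryption and policy.integrity & offer.integrity
                and policy.group & offer.group and policy.prf & offer.prf)

def select_policy(local_policies, peer_offer):
    """Return the first matching policy walking from the lowest priority number upward,
    or None if nothing matches (the IKE_SA_INIT would end in NO_PROPOSAL_CHOSEN)."""
    for policy in sorted(local_policies, key=lambda p: p.priority):
        if matches(policy, peer_offer):
            return policy
    return None

# Constructed local policy set (hypothetical values, not the video's configuration).
LOCAL_POLICIES = [
    Ikev2Policy(10, frozenset({"aes-256"}), frozenset({"sha256"}), frozenset({14}), frozenset({"sha256"})),
    Ikev2Policy(20, frozenset({"aes"}), frozenset({"sha"}), frozenset({2, 14}), frozenset({"sha"})),
    Ikev2Policy(30, frozenset({"3des"}), frozenset({"md5"}), frozenset({1, 2}), frozenset({"md5"})),
]
# Constructed peer offer: it cannot do sha256, so policy 10 is skipped; 20 and 30 both fit, 20 wins.
PEER_OFFER = Ikev2Policy(0, frozenset({"aes", "3des"}), frozenset({"sha", "md5"}),
                         frozenset({2}), frozenset({"sha", "md5"}))

def tie_break_priority():
    """Two identical policies numbered 40 and 5: the one with the lower number is selected."""
    same = dict(encryption=frozenset({"aes"}), integrity=frozenset({"sha"}),
                group=frozenset({14}), prf=frozenset({"sha"}))
    chosen = select_policy([Ikev2Policy(40, **same), Ikev2Policy(5, **same)], Ikev2Policy(0, **same))
    return chosen.priority

if __name__ == "__main__":
    print("selected policy:", select_policy(LOCAL_POLICIES, PEER_OFFER).priority)  # 20
    print("tie-break picks policy:", tie_break_priority())  # 5
```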
Awesome explanation, thanks for the video. Can you help me with the show commands for the ASA 5506 and 5505, to verify the IKE phase-1 details and the IPsec phase-2 details? How do I see parameters like authentication, IKE version, encryption and hash algorithm, DH group and lifetime for phase 1, and IPsec protocol mode, authentication, encryption, lifetime and PFS for phase 2? I appreciate your quick reply.
Thank you for watching. Please subscribe if you've found the content useful.
The commands that you might be looking for are:
show crypto ikev2 sa (if using IKEv2)
show crypto ipsec sa
show crypto isakmp sa
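Since the question above asks how to read the phase 1 parameters out of those commands, here is an added example (not from the video or the channel) that parses the IKEv2 SA listing and flags settings below an assumed baseline. The sample text is constructed to follow the general layout of ASA "show crypto ikev2 sa" output and is not captured from the lab; the weak-setting lists are a review choice, not something the page states.

```python
import re

# Constructed sample modelled on the layout of ASA "show crypto ikev2 sa" output;
# not captured from the video's lab, addresses are from documentation ranges.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote               Status   Role
 12345678 203.0.113.1/500      198.51.100.1/500     READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1203 sec
Child sa: local selector  10.1.1.0/0 - 10.1.1.255/65535
"""

# Assumed phase 1 baseline for the weak-setting check (a review choice, not from the page).
WEAK_ENCR = ("DES", "3DES")
WEAK_HASH = {"MD5", "SHA96"}      # SHA96 is the SHA-1 based integrity option
WEAK_DH = {1, 2, 5}

SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
PARAM_LINE = re.compile(r"Encr:\s*([\w-]+),\s*keysize:\s*(\d+),\s*Hash:\s*(\w+),\s*DH Grp:\s*(\d+),"
                        r"\s*Auth sign:\s*(\w+),\s*Auth verify:\s*(\w+)")
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")

def parse_ikev2_sa(text):
    """Return one dict per IKEv2 SA carrying its peers and phase 1 parameters."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := SA_LINE.match(line):          # the tunnel row starts a new SA record
            cur = dict(tunnel_id=int(m[1]), local=m[2], remote=m[3], status=m[4], role=m[5])
            sas.append(cur)
        elif cur and (m := PARAM_LINE.search(line)):
            cur.update(encr=m[1], keysize=int(m[2]), hash=m[3], dh_group=int(m[4]),
                       auth_sign=m[5], auth_verify=m[6])
        elif cur and (m := LIFE_LINE.search(line)):
            cur.update(lifetime=int(m[1]), active=int(m[2]))
    return sas

def weak_settings(sa):
    """Names of the phase 1 parameters on this SA that fall below the assumed baseline."""
    findings = []
    if sa.get("encr", "").upper().startswith(WEAK_ENCR):
        findings.append("encr")
    if sa.get("hash", "").upper() in WEAK_HASH:
        findings.append("hash")
    if sa.get("dh_group") in WEAK_DH:
        findings.append("dh_group")
    return findings
```

The same approach extends to the phase 2 fields (protocol mode, PFS group, lifetime) by adding patterns for the "show crypto ipsec sa" lines you care about.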
Love it! Very helpful! Thank you very much!
No problem, thank you for watching!
This is very informative and useful. How’s that Master going?
Thank you Kenny!
It's going well, I finish soon and then I'm thinking about going on to do a PhD.
I have tried this lab today, works perfectly. Do you have lab for ASA VTI?
Glad it worked for you and thank you for watching.
I haven't yet but I have made a note and will try and produce some content around this. If you've subscribed, you'll be notified of any new videos that I upload.
@NetworkWizkid Bro I'm gonna subscribe to you. Your videos are very helpful 👍
I have a stand-alone FTD running on my environment, how can I add another FTD from the inside network to FMC?
Hey, check out this video: th-cam.com/video/v_uZ9GbICBk/w-d-xo.html
Trying to configure the SITE-TO-SITE for days now. Can I use ip address dhcp setroute on the outside interface Eth 0/0? My router is in bridge mode and I connect directly to my ASA5505. Thanks!
I think it should work. Maybe check the IKEv2 Site-to-Site VPN documentation for further clarity or check out the following link that might help: community.cisco.com/t5/routing/configure-site-to-site-vpn-with-dynamic-ip-on-one-side/td-p/3846935
This gave me problems when deployment of Cisco SDWAN mixed with ASA 5506. I remember on Twitter we had conversations about my VPN problems lol 😆
Did you resolve it in the end?
I've recently been a part of some work where VPNs haven't been working how we'd expect them to on the ASA too :-/
@NetworkWizkid I did resolve it by reapplying the encryption key for both nodes that were main FW and branch FW. It was just a bandaid until my MX84 and MX67 Firewall deployment was done.
At least you got it working bro!
I plan on doing more videos with different technologies forming VPNs too in the future.
@NetworkWizkid That would be great 👍 keep it up. I like videos like this!
Thank you for the support brother!
Hello Wizkid! I am new to your channel and enjoy your content. I recently earned my CCNA and am interested in studying for my CCNP Security exam. Can you tell me the software you use in your demonstrations? Any advice is appreciated!
Congratulations and I'm glad to hear that you want to study for the CCNP Security. In this video, I am using EVE-NG; I hope that helps.
@NetworkWizkid I believe I need Cisco images to create the lab but I am not sure where I can get them. Do you know where I can find the needed images for your EVE-NG? Do I have to purchase a license?
You can find some of them online by searching. Others you may need to have a Cisco account in order to download the software that you need. Most can run off evaluations.
Very informative, can you post a policy based configuration?
Thank you!
Thank you Frank.
You can view the configuration on my website: networkwizkid.com/2021/09/15/video-configuring-cisco-asa-ikev2-site-to-site-vpns/
Hope that helps and thank you for watching.
Why not have ISP and NAT?
Let's take the following scenario as an example:
You manage two sites: the corporate office and a smaller branch site. You have been asked to come up with a way to allow access to a corporate office FTP server from the branch site. Now, NAT could be a possibility by simply creating a static NAT policy, but at the same time branch traffic to the FTP server is exposed (a good reference here: digitalguardian.com/blog/what-ftp-security-securing-ftp-usage#:~:text=FTP%20was%20not%20built%20to,among%20other%20basic%20attack%20methods.)
This is just one example of why a site-to-site VPN would be the better option as it would address confidentiality, integrity and availability concerns.
I hope that helps.
Hello Kevin, thanks for the videos. I have an issue with my ASA S2S: the tunnel is up, but on one side the ASA (SITE-A) encapsulates packets and does not decapsulate them. I have checked the other side; on the ASA (SITE-B) both encaps and decaps are happening (more decaps than encaps), and the default route points towards the ISP. But why can't I ping from SITE-A to SITE-B and vice versa?
Hey, thank you for watching and reaching out.
Have you double-checked your ACLs for your interesting traffic? It may be worth posting your configuration into our Discord community so that we can take a look. Here is the link: discord.gg/au9a8DnsQh
What is the VPC4? A virtual machine? Can't duplicate this example without that
A virtual machine in EVE-NG. You can replace it with a PC or other networking device.
@NetworkWizkid The lab at my job has a switch in place of the VM or PC. Can this configuration still work? I tried it and failed. Please help
If you configured the switch as a L3 device, then so long as routing is in place you should be able to get it to work.
@NetworkWizkid Both 9200Ls are not configured as L3. The error I'm getting when trying to see the routes is "gateway of last resort is not set"
That's why you are getting the message you are seeing. The switch needs to be able to route the traffic to the destination. Maybe the easier option would be to place a device behind the switch to route to the default gateway and then configure the interesting traffic on the router.