Tuesday, July 12, 2016

EZ-VPN on a ASA-5508-X

I've recently had to migrate a dated ASA-5505 to a ASA-5508-X. In theory the config should be compatible. In reality a lot of unused stuff has accumulated over the years. And it was deemed a spring-cleaning was in order. So the config was re-created on the new box.
Having both boxes running side-by-side and being able to match the config makes this relatively easy. There was only one thing that had me stumped. Disclaimer: IANACCSE (I Am Not A Cisco Certified Something Enginner)

On the old ASA-5505 EZVPN was being liberally used with hardware clients to create site-to-site tunnels. This is a very common use case when dealing with double-NAT and/or dynamic IPs. As the name suggests, configuring it is rather "easy".
So you can imagine that I was stumped when the EZVPN tunnels would not come up on the 5508-X, despite mirroring the configuration.

In the log I saw errors like these:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy a.b.c.d... 
Session is being torn down. Reason: crypto map policy not found... 
This is EZVPN after all, so there is no need to create a specific crypto-map. Or so I thought. Well think again. Apparently there is a default crypto-map on the ASAs that matches any traffic. This dynamic crypto-map does not exist in the default config on a 5508-X running 9.6(1) apparently.

So i had to create it manually, but then it matched literally any traffic. So in the end I had to create a specific crypto-map for each EZVPN client. Well, that definitely makes the EZVPN less "easy"...

Here's the relevant parts of the config nonetheless:

access-list outside_cryptomap_65535.1 extended permit ip  
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 match address outside_cryptomap_65535.1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set ESP-3DES-SHA
Obviously this was created in ASDM, where I had to disable the default dynamic crypto map as well.

access-list outside_cryptomap_65535.65535 extended deny ip any4 any4
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535 
This then caused all traffic to flow regularly again.
What had me stumped is that ASDM did show a default dynamic policy, even though it clearly wasn't there in the config before. I have not tried to remove the match directive on the console, ASDM would not let me do that. So I had to disable it. YMMV.


Better create a specific crypto-map for your EZ-VPN peers if you use site-to-site tunnels, otherwise: no dice.


No comments: