Sunday, September 2, 2012

ASA Reading - L2L and Remote Access VPNs

Decided to do some reading this morning before my lab time. Reading "Cisco ASA, All-in-one firewall, IPS, Anti-X and VPN Adaptive Security Appliance" by Jazib Frahim and Omar Santos. Overall, I have to say it's a good intermediate-level book. It does not seem to get really deep into any one topic, but it covers enough on a very wide range of topics.

  • L2L Tunnels
    • Modify ISAKMP keepalive parameters under tunnel-group
    • Set Phase 1 mode (Agg, MM) under crypto map
    • Timers also set by crypto map
    • Enable management access across VPN tunnels with 'management-access INTERFACE' global command
    • Set reverse-route with Crypto Map
    • ASA, by default, allows fragmentation to occur before packets are encrypted. However, if DF is set, the ASA retains the DF bit. If large packets are sent through the ASA with the DF bit set, they are dropped.
    • You can clear the DF bit with 'crypto ipsec df-bit clear-df INTERFACE' global command.
    • 'crypto ipsec fragmentation before-encryption INTERFACE' global command forces fragmentation before encryption; otherwise the remote end is responsible for re-assembly and defragmentation, which is processor intensive.
    • Like IOS, you can set a debug condition - 'debug crypto condition peer 1.12.35.8'
    • You can also monitor with the capture command
      • capture NAME type isakmp interface outside
      • show capture NAME decode
  • Remote Access
    • Group policies have inheritance
    • Group policies are attached to tunnel groups
      • group-policy IPSecPolicyName internal
      • group-policy IPSecPolicyName attributes
        • vpn-tunnel-protocol IPSec
      • tunnel-group GroupName type remote-access
      • tunnel-group GroupName general-attributes
        • default-group-policy IPSecPolicyName
      • tunnel-group GroupName ipsec-attributes
        • pre-shared-key C!$c0K3y
    • Define RADIUS server for authentication
      • aaa-server Radius protocol radius
      • aaa-server Radius (inside) host 1.12.35.8
        • key C1$c0K3y
        • exit
      • tunnel-group GroupName general-attributes
        • authentication-server-group Radius
    • Address assignment
      • Local
        • ip local pool IPPool 1.1.1.1-1.1.1.254 mask 255.255.255.0
        • group-policy IPSecPolicyName attributes
          • address-pools value IPPool
      • You can also link the pool to the tunnel group; group-policy is preferred.
      • DHCP
        • vpn-addr-assign dhcp
        • tunnel-group GroupName general-attributes
          • dhcp-server 1.0.0.10
    • Dynamic Crypto Map
      • Required when remote hosts have dynamic addresses
      • Automatically created when you enable isakmp
        • crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535
      • Must set transform set
      • Attach to outside crypto map
        • crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
      • Finally, attach to interface
        • crypto map outside_map interface outside
    • Access Filtering
      • You can attach ACL to group policy
        • group-policy IPSecPolicyName attributes
          • vpn-filter value ACL_NAME
    • Split Tunneling
      • Attached to group-policy. You can define the split-tunnel ACL and the split-tunnel policy
        • group-policy IPSecPolicyName attributes
          • split-tunnel-policy tunnelspecified
          • split-tunnel-network-list value SplitTunnelACL
    • Can also assign DNS and WINS via group-policy attributes
  • VPN Load Balancing
    • ASA devices have a priority, e.g. the 5510 is 2 and the 5580 is 10. Higher wins. If devices with the same priority are powered up at the same time, the lowest IP becomes master.
    • Virtual IP
    • Clients must support IKE redirect
      • vpn load-balancing
        • priority 6
        • cluster key C1$c0K3y
        • cluster ip address 10.0.0.1
        • cluster encryption
        • participate
      • ISAKMP must be enabled on all devices/interfaces participating in load balancing
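As an added example (mine, not from the post or the book), here is how the scattered Remote Access notes above fit together into one pre-8.4 IPsec remote-access build, with the split-tunnel list and a vpn-filter restricting clients to a single HTTPS server. The 10.0.0.0/24 inside network, the host 10.0.0.20, the DNS server and the ACL names are assumptions; keys are placeholders.

```cisco
! Assumed: inside network 10.0.0.0/24, client pool 1.1.1.0/24, HTTPS server 10.0.0.20
! Phase 1 and Phase 2 parameters
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Dynamic crypto map: remote clients have unknown addresses
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
!
! RADIUS for user authentication
aaa-server Radius protocol radius
aaa-server Radius (inside) host 1.12.35.8
 key <RADIUS-KEY>
!
! Address pool handed to clients
ip local pool IPPool 1.1.1.1-1.1.1.254 mask 255.255.255.0
!
! Split-tunnel list: only 10.0.0.0/24 goes through the tunnel
access-list SplitTunnelACL standard permit 10.0.0.0 255.255.255.0
! vpn-filter ACL is written from the client's side (source = client pool,
! destination = inside); the ASA enforces it for both directions.
! Clients may reach only the HTTPS server; everything else hits the implicit deny.
access-list RA_FILTER extended permit tcp 1.1.1.0 255.255.255.0 host 10.0.0.20 eq 443
!
group-policy IPSecPolicyName internal
group-policy IPSecPolicyName attributes
 vpn-tunnel-protocol IPSec
 address-pools value IPPool
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunnelACL
 vpn-filter value RA_FILTER
 dns-server value 10.0.0.53
!
tunnel-group GroupName type remote-access
tunnel-group GroupName general-attributes
 authentication-server-group Radius
 default-group-policy IPSecPolicyName
tunnel-group GroupName ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>
```

Without the vpn-filter, a connected client can reach anything the split-tunnel list sends through the tunnel, so the filter is what actually bounds remote-user access.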
