Comments on: Understanding how ASA Firewall matches Tunnel-Group Names http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/ Helping you become a Cisco Certified Internetwork Expert Tue, 07 Feb 2012 02:21:38 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: mirofahmy http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-362029 mirofahmy Sat, 30 Jul 2011 14:37:40 +0000 http://blog.ine.com/?p=1062#comment-362029 Dear Petr the problem inundrstand the topic that is not clear where vpn use MAIN mode or aggrisive mode we need to identify that exactly with both preshared and certificate we need to final that second that is clear with ASA what about normal IOS Dear Petr

the problem inundrstand the topic
that is not clear where vpn use MAIN mode or aggrisive mode
we need to identify that exactly

with both preshared and certificate
we need to final that

second
that is clear with ASA
what about normal IOS

]]> By: Mahesh http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-279159 Mahesh Fri, 06 May 2011 04:34:43 +0000 http://blog.ine.com/?p=1062#comment-279159 Guys, Could you please help me on below error: "Tunnel group search using certificate maps failed for peer certificate" Guys,

Could you please help me on below error:

“Tunnel group search using certificate maps failed for peer certificate”

]]> By: Chris Miller http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-93236 Chris Miller Wed, 10 Feb 2010 09:32:22 +0000 http://blog.ine.com/?p=1062#comment-93236 Fantastic essay, this helped me understand the tunnel-group process well enough to get a mixed static/dynamic tunnel config working on our ASA's /wave Fantastic essay, this helped me understand the tunnel-group process well enough to get a mixed static/dynamic tunnel config working on our ASA’s

/wave

]]> By: tacack http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-73392 tacack Tue, 20 Oct 2009 00:48:00 +0000 http://blog.ine.com/?p=1062#comment-73392 Great resource Petr! This always acts as a quick reference or cheatsheet when i forget about certificates and tunnel-groups! However, i'd be super glad if you write an article on matching hostnames in aggressive mode? Because i tried labbing that many times and it doesn't work as expected. Just a sample config/explanation would be awesome! :) Cheers! Great resource Petr!

This always acts as a quick reference or cheatsheet when i forget about certificates and tunnel-groups!

However, i’d be super glad if you write an article on matching hostnames in aggressive mode? Because i tried labbing that many times and it doesn’t work as expected.

Just a sample config/explanation would be awesome! :)

Cheers!

]]> By: Stuart Hare http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-57419 Stuart Hare Mon, 20 Jul 2009 21:16:50 +0000 http://blog.ine.com/?p=1062#comment-57419 A great post Petr. Finally an explanation as to why my custom tunnel groups have not matched and I have had to configure the default group and policy for RAVPN to work. Stu A great post Petr.

Finally an explanation as to why my custom tunnel groups have not matched and I have had to configure the default group and policy for RAVPN to work.

Stu

]]> By: Understanding External Easy VPN Authorization - CCIE Blog http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-48018 Understanding External Easy VPN Authorization - CCIE Blog Mon, 18 May 2009 17:32:41 +0000 http://blog.ine.com/?p=1062#comment-48018 [...] defined in the system. You may find the description of the procedure used by the ASA firewalls here Understanding how ASA Firewall Matching tunnel-group Names . IOS router use similar procedure, which is somewhat simplified when using just ezVPN clients. As [...] [...] defined in the system. You may find the description of the procedure used by the ASA firewalls here Understanding how ASA Firewall Matching tunnel-group Names . IOS router use similar procedure, which is somewhat simplified when using just ezVPN clients. As [...]

]]> By: A hét érdekeségei - April 30, 2009 | xcke's blog http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-44816 A hét érdekeségei - April 30, 2009 | xcke's blog Thu, 30 Apr 2009 08:33:54 +0000 http://blog.ine.com/?p=1062#comment-44816 [...] Understanding how ASA Firewall matches Tunnel-Group Names [...] [...] Understanding how ASA Firewall matches Tunnel-Group Names [...]

]]> By: Piotr Kaluzny http://blog.ine.com/2009/04/19/understanding-how-asa-firewall-matches-tunnel-group-names/#comment-42817 Piotr Kaluzny Mon, 20 Apr 2009 15:12:06 +0000 http://blog.ine.com/?p=1062#comment-42817 Good Day, I wish you posted this few months ago. It would have saved me few days trying to figure out the differences between src ISAKMP packet IP, IKE_ID, MM with PSK etc... Could not have realized why we can't match based on IKE_ID in MM with PSK - after all IKE_ID shows in the 4-th packet along with HASH_I. And this is all because of DH which happens before Auth Phase. By the way, did you find any difference between setting Request ISAKMP profile like in this post and via "set" inside the profile? Thanks, Piotr Kaluzny Good Day,

I wish you posted this few months ago. It would have saved me few days trying to figure out the differences between src ISAKMP packet IP, IKE_ID, MM with PSK etc… Could not have realized why we can’t match based on IKE_ID in MM with PSK – after all IKE_ID shows in the 4-th packet along with HASH_I. And this is all because of DH which happens before Auth Phase.

By the way, did you find any difference between setting Request ISAKMP profile like in this post and via “set” inside the profile?

Thanks,
Piotr Kaluzny

]]>