I am working on a project right now to decommission an older VPN3k and install an ASA5520 to act as a VPN Concentrator. While working on this project I figured it would be a good time to train some junior admins in the finer points of VPN tunnels. So we started the project off by getting all of the users moved to the new device, luckily we were using hostnames for the destination and the same IPsec client was going to work for everyone. We aren’t ready to upgrade to Anyconnect yet and probably won’t do that until after the new year. All of the Remote Access users have been moved and we cleaned up the stragglers who did have a hardcoded IP.
Now on to the fun part of moving over site to site VPN tunnels. We use VPN tunnels to allow our external vendors access into our systems to help us and support their software. We have quite a few tunnels. So this is where the fun comes in. I am trying to teach the junior admins how to build a tunnel manually on the ASA in 8.4 code and they come across the ASDM and the tunnel wizard. They think this is the greatest thing and figure they can do all of their work with this and bypass that messy command line.
I say to them neigh neigh, the command line is always important and if you don’t understand what commands are being put in by the wizard how can you fix it if it breaks. They look at me with the look of whatever, it’s here so it must work.
I decide that a test is in order, so I gave them a tunnel to move and someone to work with on the tunnel at the remote site. I let them use the fancy wizard to do their work instead of the command line. So as they are going through the point and click interface they mess up and flub the ip address for the local side. I ignore the flub and allow them to continue going forward just to see what they do. They start testing with the remote peer and don’t understand why the tunnel won’t come up. They look at it and then they double check their work and realize they flubbed the ip range on the local side. So they figure that if they just change it in IPsec configuration then it will magically start working. Well 20 minutes later they are still questioning why it isn’t working, and I ask the question of do you know what the wizard did? Now they look at me blankly…..
What ended up happening is that when the wizard is run it creates the NAT entry on the firewall so that the interesting traffic is bypassed for NAT and allowed to go through the tunnel. Once the wizard is done however any changes to the IPSec Tunnel Group require manual NAT entry changes because just changing the tunnel group doesn’t update anything else.
Key learning for the junior admins, wizards are nice and can make life easy. However know all of the steps involved and how to fix it on the command line in case something goes wrong.