ASA replacing PIX

We have replaced a PIX with an ASA, and the ASA does not support VPDN. How do I get round this issue, apart from moving back to the PIX?

Thanks Gary

Reply to
Gary

Hi Gary,

vpdn command

The vpdn command was removed because support for L2TP/PPTP/PPPoE was removed in PIX Security appliance Version 7.0.

The configuration of old VPDN objects at the group level is accomplished via the tunnel-group and group-policy commands.

Hope this helps.

Brad Reese BradReese.Com - Cisco Power Supply Headquarters

Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 AIM: R2MGrant BradReese.Com - Cisco Network Engineer Directory

Reply to
www.BradReese.Com


That doc simply says this about vpdn:

vpdn group pptp echo: Not supported. PPTP is not supported in PIX Security appliance Version 7.0.

vpdn group accept dialin l2tp: Not supported. L2TP and L2TP over IPSec are not supported in PIX Security appliance Version 7.0.

vpdn group accept dialin pptp: Not supported. PPTP is not supported in PIX Security appliance Version 7.0.

What functionality replaces this???

Gary

Reply to
Gary

It depends what you mean by 'vpdn'.

There is no support for PPTP in any PIX 7.x version so far.

PIX 7.2 added back in support for PPPoE and L2TP over IPSec, neither of which are supported in 7.0 or 7.1; the 7.2 release notes has more information.

Everything else relevant to vpdn was merged into the modular crypto policy framework, such as the tunnel-group command. The conversions are outlined in the documentation guiding the transition between 6.x and 7.0.

If you could be a bit more specific about the vpdn functionality you need, we might be able to tell you the new commands.

Reply to
Walter Roberson

Of course. None of this config would load into a V7 ASA:

vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username gary password gary
vpdn enable outside
terminal width 80

Reply to
Gary

You can't do any of the above in PIX or ASA 7.0, 7.1, or 7.2 -- there is no pptp support at all.

There is local user authentication, but that's not a big issue compared to the above.

Reply to
Walter Roberson

Table 17 Changes in the vpngroup Command
(Columns: Command / PIX Version 6.3 / PIX Security appliance Version 7.0 / Notes)

vpngroup address-pool
  7.0:   tunnel-group type ipsec-l2l
         tunnel-group general-attributes
           address-pool [(interface name)] [...]
  Notes: Converted to tunnel-group syntax

vpngroup authentication-server
  7.0:   Not supported
  Notes: Used on PIX Version 6.3 to pass an AAA server address for Individual User Authentication (IUA), a feature used on the hardware client; PIX Security appliance Version 7.0 proxies the AAA request for the hardware client, and therefore always sends its own address.

vpngroup backup-server { [ ... ]} | clear-client-cfg}
  7.0:   In the group-policy attribute configuration mode:
           [no] backup-servers | clear-client-config | keep-client-config
  Notes: Converted to group-policy syntax

vpngroup default-domain
  7.0:   In the group-policy attribute configuration mode:
           [no] default-domain value
  Notes: Converted to group-policy syntax

vpngroup device-pass-through
  7.0:   In the group-policy attribute configuration mode:
           ip-phone-bypass
           leap-bypass
  Notes: Converted to group-policy syntax. The IUA exemption is no longer MAC address based. The administrator can choose to exempt Cisco IP Phones and/or any LEAP data from Individual User Authentication.

vpngroup dns-server []
  7.0:   In the group-policy attribute configuration mode:
           [no] dns-server value [ip_address]
  Notes: Converted to group-policy syntax

vpngroup idle-time
  7.0:   In the group-policy attribute configuration mode:
           [no] vpn-idle-timeout | none
  Notes: Converted to group-policy syntax

vpngroup max-time
  7.0:   In the group-policy attribute configuration mode:
           [no] vpn-session-timeout | none
  Notes: Converted to group-policy syntax

vpngroup password
  7.0:   tunnel-group type ipsec-ra
         tunnel-group ipsec-attributes
           pre-shared-key
  Notes: Converted to tunnel-group syntax

vpngroup pfs
  7.0:   In the group-policy attribute configuration mode:
           pfs
  Notes: Converted to group-policy syntax

vpngroup secure-unit-authentication
  7.0:   In the group-policy attribute configuration mode:
           secure-unit-authentication
  Notes: Converted to group-policy syntax

vpngroup split-dns [ ... ]
  7.0:   In the group-policy attribute configuration mode:
           [no] split-dns value
  Notes: Converted to group-policy syntax

vpngroup split-tunnel
  7.0:   In the group-policy attribute configuration mode:
           [no] split-tunnel-network-list value
  Notes: Converted to group-policy syntax

vpngroup user-authentication
  7.0:   In the group-policy attribute configuration mode:
           user-authentication
  Notes: Converted to group-policy syntax

vpngroup user-idle-timeout
  7.0:   In the group-policy attribute configuration mode:
           [no] user-authentication-idle-timeout | none
  Notes: Converted to group-policy syntax

vpngroup wins-server []
  7.0:   In the group-policy attribute configuration mode:
           [no] wins-server value [ip_address]
  Notes: Converted to group-policy syntax

show vpngroup []
  7.0:   show running-config [default] tunnel-group [ [general-attributes | ipsec-attributes | ppp-attributes]]
         show running-config [default] group-policy [ [attributes]]
  Notes: Converted to tunnel-group and group-policy syntax; both commands are used to replace the vpngroup command.

Change Impact This section describes the impact that the changes will have on the CLI commands in PIX Security appliance Version 7.0.

· Trustpoints: The concept and syntax of a trustpoint are new for PIX Security appliance Version 7.0. A trustpoint consists of a CA certificate/identity certificate pair and allows the configuration and use of multiple CA certificates and therefore multiple identity certificates on PIX Security appliance Version 7.0. PIX Version 6.3 only supported the configuration and use of a single identity certificate. The following is an example of how the CLI has changed:

PIX Version 6.3 syntax:

ca identity myca 10.10.10.100 10.10.10.110
ca configure myca ca 3 3

The PIX Security appliance Version 7.0 syntax:

crypto ca trustpoint myca
  enroll url 10.10.10.100
  enrollment mode ca
  enrollment retry period 3
  enrollment retry count 3
  crl required
  crl
    ldap_defaults 10.10.10.110
    exit
  exit

· Group Management: The vpngroup command is being replaced by the tunnel-group and group-policy commands. The split of configuration data between the tunnel-group and group-policy is intended to facilitate the sharing of group policies. The tunnel group is generally tied to a VPN peer or group of peers. The group policy is then applied to either a single tunnel group or several tunnel groups. An additional benefit is that the group policy can be stored or maintained on an external policy server. All uses of the vpngroup command automatically convert to tunnel-group and group-policy commands. Here is an example of some vpngroup commands converted to the new syntax:

PIX Version 6.3 syntax:

vpngroup group1 address-pool pool1
vpngroup group1 password mypassword

The PIX Security appliance Version 7.0 syntax:

tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
  address-pool pool1
tunnel-group group1 ipsec-attributes
  pre-shared-key mypassword

PIX Version 6.3 syntax:

crypto map map_name client authenticate aaa_server_group_name

The PIX Security appliance Version 7.0 syntax:

tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
  authentication-server-group myservergroup

· PPP User Configuration: The configuration of PPP users through the vpdn command is no longer supported, and the command is not supported in PIX Security appliance Version 7.0.

· Remote Peers: After upgrading from PIX Version 6.3 to PIX Security appliance Version 7.0, connections fail on the PIX terminating the remote connections from the IOS peers on the dynamic crypto map with certificates. The solution is to change the configuration to force the connecting IOS peers into the ipsec-l2l group.

The following example shows the output when you enter the debug crypto isakmp 50 command, after you perform an upgrade to PIX Security appliance Version 7.0:

...
[IKEv1], IP = x.x.x.x, Connection landed on tunnel_group DefaultRAGroup
[IKEv1], Group = DefaultRAGroup, IP = x.x.x.x Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list,
...

· Xauth Disabled/Enabled: In PIX Version 6.3, Xauth was disabled by default for dynamic or remote access (client) tunnels, so unless you were using Xauth, there would be no indication of it in your configuration. When you upgrade to PIX Security appliance Version 7.0, the default remote access tunnel-group has Xauth enabled by default, and attempts to authenticate tunnels to the local database. If, on PIX Version 6.3, you terminated dynamic VPN tunnels without Xauth, you must add the following information to your configuration after upgrading to stop Xauth:

For the default group:

tunnel-group DefaultRAGroup general-attributes
  authentication-server-group none

If any additional tunnel-groups were converted, you should add the following command to each tunnel-group:

tunnel-group general-attributes
  authentication-server-group none

Brad Reese Cisco Repair

Reply to
www.BradReese.Com
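The vpngroup table and the "Change Impact" notes quoted in the post above amount to a mechanical migration procedure, so here is an added example that applies them to a PIX 6.3 config as a script. It is not from this thread, and it is not a Cisco tool: it flags every vpdn line as a blocker (PPTP/L2TP/PPPoE have no 7.0 equivalent, which is exactly what stopped Gary's config from loading), rewrites the vpngroup sub-commands from Table 17 into tunnel-group / group-policy blocks, and emits an authentication-server-group line for DefaultRAGroup and each converted group so the 7.0 Xauth default does not silently change behaviour (the 6.3 crypto map client authenticate server is carried over if present, otherwise "none"). The sample config is constructed for this example; group1 and pool1 follow the doc's own example, and the default-group-policy line used to tie a tunnel-group to its policy is ASA syntax not shown in the quoted table.

```python
"""PIX 6.3 -> PIX/ASA 7.x migration checker (added example, not Cisco's tool).

Flags ``vpdn`` lines (no PPTP/L2TP in 7.0-7.2), converts ``vpngroup`` commands
per Table 17 into tunnel-group / group-policy syntax, and restores the 6.3
Xauth behaviour explicitly, since 7.0 enables Xauth on DefaultRAGroup.
"""
import re
from collections import defaultdict

# vpngroup sub-command -> group-policy attribute keyword (from Table 17).
GROUP_POLICY_MAP = {
    "default-domain": "default-domain value",
    "dns-server": "dns-server value",
    "wins-server": "wins-server value",
    "idle-time": "vpn-idle-timeout",
    "max-time": "vpn-session-timeout",
    "split-tunnel": "split-tunnel-network-list value",
    "split-dns": "split-dns value",
    "pfs": "pfs",
    "secure-unit-authentication": "secure-unit-authentication",
    "user-authentication": "user-authentication",
    "user-idle-timeout": "user-authentication-idle-timeout",
}
TUNNEL_GROUP_SUBS = {"address-pool", "password"}   # become tunnel-group attributes
NOT_SUPPORTED = {"authentication-server"}          # Table 17: "Not supported"

VPNGROUP_RE = re.compile(r"vpngroup (\S+) (\S+)(?: (.*))?$")
XAUTH_RE = re.compile(r"crypto map \S+ client authenticate (\S+)")


def convert_pix63(config_text):
    """Return {'config': [7.x lines], 'blockers': [...], 'warnings': [...]}."""
    tunnel, policy = defaultdict(dict), defaultdict(list)
    blockers, warnings, xauth_server = [], [], None

    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("vpdn "):
            blockers.append(line)             # no PPTP/L2TP on PIX/ASA 7.0-7.2
            continue
        m = XAUTH_RE.match(line)
        if m:
            xauth_server = m.group(1)         # 6.3 Xauth was on, against this AAA group
            continue
        m = VPNGROUP_RE.match(line)
        if not m:
            continue
        group, sub, args = m.group(1), m.group(2), (m.group(3) or "").strip()
        if sub in TUNNEL_GROUP_SUBS:
            tunnel[group][sub] = args
        elif sub in GROUP_POLICY_MAP:
            policy[group].append(f"  {GROUP_POLICY_MAP[sub]} {args}".rstrip())
        elif sub == "backup-server":          # keyword renamed in 7.0
            fixed = args.replace("clear-client-cfg", "clear-client-config")
            policy[group].append(f"  backup-servers {fixed}")
        elif sub == "device-pass-through":    # no longer MAC based: admin picks exemptions
            policy[group] += ["  ip-phone-bypass", "  leap-bypass"]
            warnings.append(f"{line}: review ip-phone-bypass / leap-bypass")
        elif sub in NOT_SUPPORTED:
            blockers.append(line)
        else:
            warnings.append(f"{line}: no conversion rule, migrate by hand")

    # 7.0 turns Xauth on for DefaultRAGroup; state the 6.3 behaviour explicitly.
    auth_line = f"  authentication-server-group {xauth_server or 'none'}"
    out = ["tunnel-group DefaultRAGroup general-attributes", auth_line]
    for group in sorted(set(tunnel) | set(policy)):
        out += [f"tunnel-group {group} type ipsec-ra",
                f"tunnel-group {group} general-attributes"]
        if "address-pool" in tunnel[group]:
            out.append(f"  address-pool {tunnel[group]['address-pool']}")
        if policy[group]:
            out.append(f"  default-group-policy {group}")   # ASA syntax, not in Table 17
        out.append(auth_line)
        if "password" in tunnel[group]:
            out += [f"tunnel-group {group} ipsec-attributes",
                    f"  pre-shared-key {tunnel[group]['password']}"]
        if policy[group]:
            out += [f"group-policy {group} internal",
                    f"group-policy {group} attributes"] + policy[group]
    return {"config": out, "blockers": blockers, "warnings": warnings}


# Constructed sample: a 6.3 remote-access group plus the PPTP vpdn lines from the thread.
SAMPLE_PIX63 = """\
vpngroup group1 address-pool pool1
vpngroup group1 dns-server 10.1.1.53
vpngroup group1 default-domain example.test
vpngroup group1 idle-time 1800
vpngroup group1 split-tunnel split_acl
vpngroup group1 password mypassword
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
vpdn enable outside
"""

if __name__ == "__main__":
    result = convert_pix63(SAMPLE_PIX63)
    print("\n".join(result["config"]))
    for b in result["blockers"]:
        print("BLOCKER (no 7.x equivalent):", b)
    for w in result["warnings"]:
        print("WARNING:", w)
```

Run it against a saved "show running-config" from the PIX before the swap; anything listed as a blocker (the whole vpdn group, as in Gary's case) has to be replaced by a different access method rather than converted, while the generated tunnel-group and group-policy blocks are a starting point to paste into the ASA and then check with show running-config tunnel-group and show running-config group-policy.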

Do I assume I leave the old PIX in place just for this? Did Cisco just forget about this? What do others do to get round this issue?

Gary

Reply to
Gary

I don't think Cisco has forgotten about it, but I haven't a clue as to why they did not support PPTP. (Mind you, I have only a dim clue as to why they bothered to support PPTP anyhow, seeing as doing so encourages continued use of Microsoft operating systems...)

SSL VPNs?

Reply to
Walter Roberson

Need something that will work from any Internet Cafe in the world.

Thanks - Will work it out somehow,

Gary

Reply to
Gary

You can't count on the Microsoft VPN client being installed.

There are two kinds of SSL VPNs. One of the two should work over any https connection. It would be unusual for internet cafes to block https.

Reply to
Walter Roberson

How do I get a VPN up from an Internet cafe without loading, say, the Cisco VPN client?

Gary

Reply to
Gary

WebVPN


Reply to
Walter Roberson
