Sample config for VPN setup needed for ASA in aggressive mode with UFQDN as the IKE identity

cisco
vpn

(Ganesh S) #1

Hi Team,

I have an account where the Cx is saying that he cannot establish a VPN tunnel from Cisco ASA to Zscaler with UFQDN (name@domain.com) since the box does not support the same.

He did get an update from Cisco TAC that this feature is only available for anyconnect.

“Hi Dominik,
I’m sorry, I was tied to another call, let me know if you are available now, I was calling you but I couldn’t reach you, the gateway-fqdn command is for load balancing for anyconnect.
Kind Regards,
David Leal
Cisco TAC”

This is the version on his box:
a00gk07/Internet# show ver | i Ver
Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.2(2)1

I would really appreciate it if we could have a sample config (if possible, for the ASA on this particular version) to share with him, since this is very critical for us to proceed to the next step.

Appreciate your efforts!

Regards,
Ganesh


(Brian Jean) #2

Hi Ganesh,

I’m doing aggressive mode to Zscaler from an ASA at my house.
Take a look at the below config. The key command for this is “crypto isakmp identity key-id user@fqdn.com”.

ASA Version 9.5(2)
!
!
! Sample ASA config to build tunnels to the NYC and Washington DC ZENs
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/3
 ! meaningful traffic 10.10.11.0/24 and 10.10.12.0/24 will
 ! enter the ASA on this interface
 nameif wlan
 security-level 90
 ip address 10.10.0.1 255.255.255.0
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
!
! This ACL must match the networks that should use the VPN to Zscaler for Internet access
access-list outside_cryptomap extended permit ip 10.10.11.0 255.255.255.0 object obj_any
access-list outside_cryptomap extended permit ip 10.10.12.0 255.255.255.0 object obj_any
!
nat (inside,outside) source dynamic any interface
! NAT must be disabled for the networks you want to forward through the IPsec tunnel to Zscaler.
! This example forwards traffic from the WLAN interface, hence no NAT statement for it.
!
! No need to encrypt ESP traffic to Zscaler since it is bound for the Internet anyway.
! esp-null gives integrity only: the ASA-to-ZEN leg carries the traffic in the clear.
crypto ipsec ikev1 transform-set transform-zen esp-null esp-md5-hmac
!
! Crypto map combines tunnel peers, transform set and IKE/IPsec parameters
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set connection-type originate-only
! Each peer address listed here needs a matching ipsec-l2l tunnel-group below
crypto map outside_map0 1 set peer 199.168.151.130 104.129.194.33
crypto map outside_map0 1 set ikev1 phase1-mode aggressive
crypto map outside_map0 1 set ikev1 transform-set transform-zen
crypto map outside_map0 interface outside
!
! The following global statement tells the ASA to send the UFQDN configured in the
! Zscaler Admin portal as the IKE identity (user ID) for authentication
crypto isakmp identity key-id user@zscaler_instance_fqdn
! Enable IKEv1 on the outside interface (facing the Internet)
crypto ikev1 enable outside
! Configure the IKE policy (3DES and DH group 2 are legacy choices; prefer AES and group 14 or higher where the peer supports them)
crypto ikev1 policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Zscaler-GRP internal
group-policy Zscaler-GRP attributes
 vpn-tunnel-protocol ikev1
!
! NYC ZEN
tunnel-group 199.168.151.130 type ipsec-l2l
tunnel-group 199.168.151.130 general-attributes
 default-group-policy Zscaler-GRP
tunnel-group 199.168.151.130 ipsec-attributes
 ! Key must match the password defined in the Zscaler portal for the UFQDN IPsec user
 ikev1 pre-shared-key *****
!
! DC ZEN
tunnel-group 104.129.194.33 type ipsec-l2l
tunnel-group 104.129.194.33 general-attributes
 default-group-policy Zscaler-GRP
tunnel-group 104.129.194.33 ipsec-attributes
 ! Key must match the password defined in the Zscaler portal for the UFQDN IPsec user
 ikev1 pre-shared-key *****
!
: end
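As an added check that is not part of the original post or of any Cisco/Zscaler tooling, the script below lints a config in this syntax: it flags crypto-map peers with no matching ipsec-l2l tunnel-group or pre-shared key, confirms that the identity is a key-id UFQDN and that phase 1 is aggressive, and lists legacy algorithms. The embedded config and the 203.0.113.x addresses are constructed for the example.

```python
import re

# Constructed sample in the thread's ASA syntax; 203.0.113.x are documentation addresses.
SAMPLE_CONFIG = """
crypto ipsec ikev1 transform-set transform-zen esp-null esp-md5-hmac
crypto map outside_map0 1 set peer 203.0.113.10 203.0.113.20
crypto map outside_map0 1 set ikev1 phase1-mode aggressive
crypto isakmp identity key-id user@example.com
crypto ikev1 policy 3
 encryption 3des
 group 2
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key SecretFromZscalerPortal
"""

WEAK = {r"^encryption (des|3des)$": "legacy IKE cipher",
        r"^group [12]$": "DH group 1/2",
        r"esp-null": "null ESP: integrity only, no confidentiality to the peer",
        r"md5": "MD5 in IKE policy or transform set"}

def lint_asa_ipsec(config: str) -> dict:
    # Peer/tunnel-group/PSK consistency, identity type, phase-1 mode and algorithm review
    peers, groups, with_psk, weak = [], set(), set(), set()
    identity, aggressive, cur_tg = None, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto map \S+ \d+ set peer (.+)", line):
            peers += m.group(1).split()
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            groups.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            cur_tg = m.group(1)  # the pre-shared-key line that follows belongs to this peer
        elif line.startswith("tunnel-group "):
            cur_tg = None
        elif line.startswith("ikev1 pre-shared-key") and cur_tg:
            with_psk.add(cur_tg)
        elif m := re.match(r"crypto isakmp identity (\S+)(?: (\S+))?$", line):
            identity = (m.group(1), m.group(2))
        elif "phase1-mode aggressive" in line:
            aggressive = True
        weak |= {why for pat, why in WEAK.items() if re.search(pat, line)}
    return {"identity": identity,
            "ufqdn_identity": bool(identity and identity[0] == "key-id" and "@" in (identity[1] or "")),
            "aggressive": aggressive,
            "peers_without_tunnel_group": sorted(set(peers) - groups),
            "peers_without_psk": sorted(set(peers) - with_psk),
            "weak": sorted(weak)}
```

Running it on the sample reports 203.0.113.10 as a peer the ASA would dial but has no tunnel-group or key for, which is the class of mismatch that silently breaks an originate-only L2L tunnel.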


(Ramesh M) #3

Hi,
I guess the command "crypto isakmp identity key-id" is global configuration, which will affect the tunnel behaviours.

Regards / Ramesh M


(Ganesh S) #4

Hi Team,

As mentioned by Ramesh, this is a global change on the box and there is a device limitation on Cisco to have more than one tunnel with unique UFQDNs.

Nevertheless, thanks for all your help.

Regards,
Ganesh