Configuring VPNs in the Real World
Do people configure VPNs via the GUI, or CLI? It seems like a lot of effort to use the CLI, and much more likely you'll end up making a mistake... how's it done in the "real world"?
Comments
-
networker050184 Mod Posts: 11,962 Mod
Usually CLI if done on routers, some ASA admins like the GUI though. When you are doing it by CLI you are usually going to have a template that you just pop in the IPs and key and it's good to go. No need to manually type it all out every time.
An expert is a man who has made all the mistakes which can be made.
-
Eildor Member Posts: 444
So would you recommend I memorise all of the commands then? Because if I'm going to have to troubleshoot via the CLI I'll need to pretty much know all of the commands.
-
Mrock4 Banned Posts: 2,359
Right on with networker, CLI on routers, ASDM on ASA's (I actually love ASDM, despite its quirkiness with some Java versions). It's good to know the CLI either way..so if you get locked out of ASDM for some reason, you're not hopeless!
-
Eildor Member Posts: 444
GUI as in Graphical User Interface, such as the interface provided by CSM, ASDM, CCP. But you already knew that
-
gregorio323 Member Posts: 201
Powmia I think it's a service module you pop in a 6509-E? still searching for the use of it! I'll get back to you on that!
What's a GUI?
-
Mrock4 Banned Posts: 2,359
What's a GUI?
It's that thing that lets you configure a VPN a LOT faster than CLI
I have no shame, I am not an ASA guru, but I have both installed and maintained ASAs, and for installs, CLI would be OK, but for production, maintaining rulesets via CLI would be much more error prone, and frankly a headache, ESPECIALLY if you're using complex rulesets (ie: permit group A ports SERVICE_GROUP_A -> group B ports SERVICE_GROUP_B, etc). I'm a die-hard CLI guy, but I make exceptions with ASA's!
-
RouteMyPacket Member Posts: 1,104
What I find funny is that in the handful of times I have configured VPN's on ASA's I have done them via ASDM but never once used the VPN Wizard. I had never seen the wizard until I started down the Security track. lulz
Speaking of GUI, Cisco putting CCP on their exams is a pathetic joke. Not real world at all..sorry for that rant. lol
Modularity and Design Simplicity:
Think of the 2:00 a.m. test—if you were awakened in the
middle of the night because of a network problem and had to figure out the
traffic flows in your network while you were half asleep, could you do it?
-
gorebrush Member Posts: 2,743
ASDM is actually really slick. The packet tracer type functionality is very useful when troubleshooting too.
However, nothing beats a CLI IMO TBH.
-
powmia Users Awaiting Email Confirmation Posts: 322
You can trace the flow of packets through an ASA via CLI too, in fact I didn't know you could do that through the GUI. I do agree, maintaining rules isn't feasible outside of ASDM. I'm stuck in my ways with CLI for everything else though... just a preference, nothing more.
-
Master Of Puppets Member Posts: 1,210
You can trace the flow of packets through an ASA via CLI too, in fact I didn't know you could do that through the GUI. I do agree, maintaining rules isn't feasible outside of ASDM. I'm stuck in my ways with CLI for everything else though... just a preference, nothing more.
Same here. I don't like GUIs. I always use the CLI. Actually, I have used ASDM only a couple of times. Usually when time is short.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.
-
blueberries Banned Posts: 138
Powmia is playing with you guys.
Setting up a decent vpn in CLI is child's play, especially something as simple as a GRE tunnel with IPSEC. DMVPN design gets really fun, and it only needs an extra command or three.
-
xXErebuS Member Posts: 230
CLI for site to site; ASDM/GUI for RA. VPN isn't what you have to worry about; it's when you get a PIX or pre 8.3 ASA and have to upgrade it - you'll see what I mean lol.
-
xXErebuS Member Posts: 230
What's a GUI?
Really, I would think that someone with their CCIE would know what a GUI is.
GUI:
Glowing Underwear Inside
-
powmia Users Awaiting Email Confirmation Posts: 322
Ahhh, so that's what's powering our SDN controllers!
-
xXErebuS Member Posts: 230
Ahhh, so that's what's powering our SDN controllers!
Let's not use that term, people will start freakin' out. IDK what setup you're referring to but if it has the words _CS with a bank of W/N in it I found scripting CLI is still quicker for a lot of tasks.
Templates are nice though =/
-
Zartanasaurus Member Posts: 2,008
I do it in ASDM, but I should learn to do it in CLI. I do almost everything ASA related in ASDM because that's how I learned to operate the ASA initially. I do nat configurations at the CLI though.
Currently reading:
IPSec VPN Design 44%
Mastering VMWare vSphere 5 42.8%
-
TheNewITGuy Member Posts: 169
CLI mostly but the ASDM interface allows you to quickly create them too if you don't use the wizard. If you go into "Connection Profiles" under Configuration/VPN area and create a new one it does 90% of the work for you. I hate the wizard especially with the default DM_INLINE_1 crap it uses.
-
aaron0011 Member Posts: 330
Majority of the VPNs we do are EZVPN from ASAs to ISRs and we do them via CLI. As networker mentioned above, we have templates built to plug in for time savings and to eliminate manual entry errors.
-
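The template approach networker050184 and aaron0011 describe, sketched as an added example that is not part of any post in this thread: per-site values are validated before they are filled into a fixed configuration, so a mistyped IP or a weak key never reaches the device. The IOS-style template text, the names TS-AES256, VPN-MAP and VPN-ACL, and the 16-character key minimum are assumptions made for illustration.

```python
import ipaddress
from string import Template

# Constructed IOS-style site-to-site template (assumption, not from the thread).
# TS-AES256, VPN-MAP and the default ACL name are hypothetical labels.
TEMPLATE = Template("""\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key $psk address $peer
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
crypto map VPN-MAP $seq ipsec-isakmp
 set peer $peer
 set transform-set TS-AES256
 match address $acl
ip access-list extended $acl
 permit ip $local_net $local_wc $remote_net $remote_wc
""")

MIN_PSK_LEN = 16  # local policy choice for this example, not a vendor limit


def render_tunnel(peer, psk, local_cidr, remote_cidr, seq=10, acl="VPN-ACL"):
    """Validate the per-site values, then fill them into the template."""
    peer_ip = ipaddress.IPv4Address(peer)        # ValueError on a mistyped IP
    local = ipaddress.IPv4Network(local_cidr)    # ValueError if host bits set
    remote = ipaddress.IPv4Network(remote_cidr)
    if local.overlaps(remote):
        raise ValueError("local and remote networks overlap")
    if len(psk) < MIN_PSK_LEN or any(c.isspace() for c in psk):
        raise ValueError("pre-shared key too short or contains whitespace")
    if not 1 <= int(seq) <= 65535:
        raise ValueError("crypto map sequence out of range")
    # ACLs take wildcard masks, which ipaddress exposes as hostmask.
    return TEMPLATE.substitute(
        psk=psk, peer=peer_ip, seq=int(seq), acl=acl,
        local_net=local.network_address, local_wc=local.hostmask,
        remote_net=remote.network_address, remote_wc=remote.hostmask,
    )


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(render_tunnel("203.0.113.10", "Constructed-Key-0123",
                        "10.1.0.0/24", "10.2.0.0/24"))
```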
RouteMyPacket Member Posts: 1,104
I'm going to be looking at a huge ASA migration tomorrow, CLI or ASDM is the question. I mean it's over 9,000 ACL's, 31,000 Objects among other things. lulz
-
RouteMyPacket Member Posts: 1,104
5550's to 5585's v8.4 looks like
-
RouteMyPacket Member Posts: 1,104
?
5585's will run 8.4
-
megatran808 Member Posts: 53
I've only done CLI VPN configuration on ASA and routers. Hardly used ASDM. I think it really depends on the work place. Just gotten used to using the CLI.
"Love your Job, but never fall in love with your company....because you never know when your company stops loving you!"
-
xXErebuS Member Posts: 230
RouteMyPacket wrote: »
?
5585's will run 8.4
I was asking if the 5550 was 8.4 already.
-
RouteMyPacket Member Posts: 1,104
No, 5550's 8.2(3) to 5585's 8.4(6)