IPsec VPN Configuration Example: Cisco ASA 5505

This example illustrates how to configure two IPsec VPN tunnels between a Cisco ASA 5505 firewall and two ZENs in the Zscaler cloud: a primary tunnel from the ASA appliance to a ZEN in one data center, and a secondary tunnel from the ASA appliance to a ZEN in another data center.

NOTE: Zscaler IPsec tunnels support a soft limit of 200 Mbps per tunnel. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends you configure more IPsec VPN tunnels as needed. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two secondary VPN tunnels. If your organization processes 600 Mbps of traffic, you would configure three primary VPN tunnels and three secondary VPN tunnels.

Organizations typically forward all traffic destined for any port to the Zscaler service. Alternatively, you can limit the traffic that you forward to the service to HTTP and HTTPS traffic (traffic destined for port 80 and port 443). Regardless, tunneling provides visibility into the internal IP addresses, which can be used for the Zscaler security policies and logging.

Prerequisites

Before you configure the Zscaler service and the firewall, open a support ticket to provision the public source IP address. The public source IP address is only required if you want to set up an IPsec tunnel in Phase 1 main mode.

Additionally, ensure that you have the following:

Configure the Zscaler Service

Log in to the Zscaler service and do the following:

A. Enter the VPN credentials.

  1. Go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose IP, and then choose the gateway IP address that was given to Zscaler beforehand.
    • Enter the pre-shared key in the text box and confirmation box.
  3. Click Save and activate the change.

B. Link the VPN credentials to a location.

  1. Go to Administration > Resources > Locations.
  2. Edit the location and do the following:
    • Enter the location name.
    • Click the down arrow beside VPN Credentials and choose the IP address.
  3. Click Save and activate the change.

Configure the Cisco ASA 5505 Firewall

This section provides sample commands for configuring two IPsec VPN tunnel interfaces on a Cisco ASA 5505 firewall. It provides configuration and troubleshooting commands for ASA versions 8.2, 8.3, 9.0, and 9.2.

Refer to the Cisco documentation for information about the commands.

CLI Configuration for ASA Version 9.2

Following is the configuration for the two tunnels. Both tunnels must be configured at your gateway. Only a single tunnel is operational at any time. The second tunnel acts as a backup tunnel. The following placeholders represent the values that your organization needs to provide, based on your network setup.

  • outside_interface - External interface of the ASA
  • zen_vpn_map - Outside crypto map
  • zen_ip_1 and zen_ip_2 - ZEN IP addresses (See how to locate the ZEN IP addresses under Prerequisites above.)
  • password_here - Password set by your organization in the Zscaler interface
  • int_server_ip - Public IP address of any internal web server hosted behind the corporate’s firewall that needs to be accessed from outside

NOTE: A Cisco ASA can create a different Phase 2 tunnel for each unique subnet for a given Phase 1 tunnel. This results in multiple Phase 2 SAs with a single Phase 1 SA. Zscaler supports up to eight Phase 2 Security Associations (SAs). This configuration example illustrates how to configure multiple Phase 2 SAs.

#1: Internet Key Exchange (IKE) Configuration

Establish a policy for the supported ISAKMP encryption, authentication, Diffie-Hellman group, lifetime, and key parameters. Note that there is a global list of ISAKMP policies, each identified by sequence number.

IMPORTANT: This policy is defined as #1, which may conflict with an existing policy. If so, Zscaler recommends changing your existing policy number because the #1 policy must be the Zscaler policy. Otherwise, the tunnel negotiations will fail.

crypto ikev1 identity address  
crypto ikev1 enable outside_interface
crypto ikev1 policy 1  
  encryption aes128  
  authentication pre-share
  hash md5  
  group 2  
  lifetime 86400  
exit 

The following group policy links the VPN tunnel protocol with the above-defined crypto policy.

group-policy Zscaler-GRP internal
group-policy Zscaler-GRP attributes
	vpn-tunnel-protocol ikev1

The tunnel group sets the pre-shared key that is used to authenticate the tunnel endpoints.

tunnel-group zen_ip_1 type ipsec-l2l 
tunnel-group zen_ip_1 general-attributes    
	default-group-policy Zscaler-GRP
tunnel-group zen_ip_1 ipsec-attributes    
	ikev1 pre-shared-key password_here
! 
tunnel-group zen_ip_2 type ipsec-l2l 
tunnel-group zen_ip_2 general-attributes    
	default-group-policy Zscaler-GRP
tunnel-group zen_ip_2 ipsec-attributes    
	ikev1 pre-shared-key password_here

#2: Access List Configuration

Access lists are configured to permit the creation of tunnels and to send relevant traffic over them. You must define the appropriate set of IP addresses that will flow through the tunnel. You can also create objects with the range of all public IP addresses that should not flow through the tunnel. One such example would be an internally hosted Web server.

Zscaler supports up to eight Phase 2 SAs. One SA is used for the connection between the Cisco ASA’s public IP address and the ZEN. You can then configure seven subnets to flow through the tunnel, forming the remaining seven SAs. If you have more than seven subnets with traffic that flows through the tunnel, you will need to combine the remaining subnets into one supernet, so there is only one allow statement for the access list attached to the crypto map. (See the configuration example for version 9.0 below.)

Note that if you create two “permit” rules for one subnet, they consume two SAs. Also, a single subnet cannot have “ip” and another protocol associated with it. The following example is not allowed:

access-list Zscaler_MAP extended permit ip 172.16.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit tcp 172.16.0.0 255.255.255.0 any

The following access list named Zscaler_MAP specifies all traffic that needs to be routed to the ZEN. Traffic is transmitted through the tunnel to the ZEN. Association with the IPsec SA is done through the "crypto map" command. The deny entries should cover all public IP ranges used for NAT.

access-list Zscaler_MAP extended deny icmp 172.16.0.0 255.255.255.0 any
access-list Zscaler_MAP extended deny ip 172.16.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit icmp 10.84.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit tcp 10.84.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit ip 192.168.0.0 255.255.255.0 any
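The Phase 2 SA accounting described above (one SA for the ASA/ZEN host pair plus one per permit entry, a limit of eight, and no mixing of "ip" with another protocol on one subnet) is easy to get wrong once an access list grows. The following added example, which is not part of the original page or of any Cisco or Zscaler tool, applies those rules to access-list text before it is pasted into the ASA. The sample ACL text is constructed from the entries shown above; the limit and counting rule are the ones the text states.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Network

# Constructed sample, modelled on the Zscaler_MAP access list shown above.
SAMPLE_ACL = """
access-list Zscaler_MAP extended deny icmp 172.16.0.0 255.255.255.0 any
access-list Zscaler_MAP extended deny ip 172.16.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit icmp 10.84.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit tcp 10.84.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit ip 192.168.0.0 255.255.255.0 any
"""

# Constructed sample of the combination the text says is not allowed.
DISALLOWED_ACL = """
access-list Zscaler_MAP extended permit ip 172.16.0.0 255.255.255.0 any
access-list Zscaler_MAP extended permit tcp 172.16.0.0 255.255.255.0 any
"""

MAX_PHASE2_SAS = 8   # Zscaler limit stated in the text
PEER_SA = 1          # the SA between the ASA public IP and the ZEN

# Only the "source subnet to any" shape used in Zscaler_MAP is parsed.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+any\s*$"
)


def parse_aces(acl_text):
    """Return a list of {action, proto, net} dicts for each access-list line.

    Non access-list lines are skipped; an access-list line in an unexpected
    shape raises so that it is not silently left out of the SA count.
    """
    aces = []
    for raw in acl_text.splitlines():
        line = raw.strip()
        if not line.startswith("access-list"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        net = IPv4Network(f"{m['addr']}/{m['mask']}")
        aces.append({"action": m["action"], "proto": m["proto"], "net": str(net)})
    return aces


def count_phase2_sas(acl_text):
    """Return (phase2_sa_count, problems) for an access list bound to the crypto map.

    Counting rule from the text: every permit ACE forms one Phase 2 SA (two
    permits for the same subnet consume two), plus one SA for the ASA/ZEN
    host pair. Deny ACEs exclude traffic and do not form SAs.
    """
    aces = parse_aces(acl_text)
    permits = [a for a in aces if a["action"] == "permit"]
    problems = []

    # A subnet may not be matched by "ip" and by another protocol at once.
    protos_by_net = defaultdict(set)
    for a in permits:
        protos_by_net[a["net"]].add(a["proto"])
    for net, protos in sorted(protos_by_net.items()):
        if "ip" in protos and len(protos) > 1:
            others = ", ".join(sorted(p for p in protos if p != "ip"))
            problems.append(f"{net}: 'ip' cannot be combined with {others} on the same subnet")

    total = PEER_SA + len(permits)
    if total > MAX_PHASE2_SAS:
        problems.append(
            f"{total} Phase 2 SAs would be negotiated; limit is {MAX_PHASE2_SAS}. "
            "Combine the remaining subnets into one supernet with a single permit."
        )
    return total, problems


if __name__ == "__main__":
    for label, acl in (("Zscaler_MAP", SAMPLE_ACL), ("disallowed", DISALLOWED_ACL)):
        total, problems = count_phase2_sas(acl)
        print(f"{label}: {total} Phase 2 SAs", *problems, sep="\n  ")
```

Run against the sample above it reports four SAs (three permits plus the host pair) and no problems; run against the disallowed pair it flags 172.16.0.0/24 for mixing "ip" with tcp.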

#3: IPsec Configuration

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

NOTE: Zscaler supports both AES and null encryption. Zscaler recommends using null encryption, as shown in the example below, because it reduces the load on the local router/firewall for traffic destined for the Internet. But if you would like to use AES, you may purchase a separate subscription and use the command "esp-aes".

crypto ipsec ikev1 transform-set transform-zen esp-null esp-md5-hmac

The crypto map references the IPsec transform-set and further defines the Diffie-Hellman group and SA lifetime. You don't need to change the default SA lifetime value, which is 8 hours (28800 seconds), because it is the same as the Zscaler recommended value for Phase 2.

The mapping is created as #65000, which may conflict with an existing crypto map using the same number. If so, Zscaler recommends changing the mapping number to avoid conflicts. Note that this crypto map should ideally be defined as the last map. If your corporation has RASVPN or SSLVPN crypto maps, then the Zscaler crypto map configuration should be just before them.

crypto map zen-vpn-map 65000 match address Zscaler_MAP
crypto map zen-vpn-map 65000 set connection-type originate-only 
crypto map zen-vpn-map 65000 set peer zen_ip_1 zen_ip_2
crypto map zen-vpn-map 65000 set ikev1 phase1-mode aggressive 
crypto map zen-vpn-map 65000 set ikev1 transform-set transform-zen
crypto map zen-vpn-map interface outside_interface

#4: Port Filter

The Port Filter restricts traffic to specific ports that are permitted through the tunnels.

IMPORTANT: You can forward traffic destined for all ports. With this configuration, there is no need to create the following port or corresponding NAT rules. However, if you want to restrict traffic to port 80 and 443, then create the following objects and link them to their corresponding NAT rules.

object service http
	service tcp destination eq www
object service https
	service tcp destination eq https
exit 

#5: NAT Exemption

Perform NAT on any traffic that bypasses the Zscaler service. The traffic that flows through the tunnel must maintain its source IP address. If you are forwarding only port 80 and 443 traffic to Zscaler, then establish the following NAT rules.

nat (inside,outside) source static flow_traffic flow_traffic service http http
nat (inside,outside) source static flow_traffic flow_traffic service https https
nat (inside,outside) after-auto source dynamic any interface

CLI Configuration for ASA Version 9.0

Following is the configuration for the two tunnels. Both tunnels must be configured at your gateway. Only a single tunnel is operational at any time. The second tunnel acts as a backup tunnel. The following placeholders represent the values that your organization needs to provide, based on your network setup.

  • outside_interface - External interface of the ASA
  • zen_vpn_map - Outside crypto map
  • zen_ip_1 and zen_ip_2 - ZEN IP addresses (See how to locate the ZEN IP addresses under Prerequisites above.)
  • flow_traffic_subnet and flow_traffic_subnet_mask - Superset of all the IP addresses that should flow through the tunnel
  • password_here - Password set by your organization in the Zscaler interface
  • int_server_ip - Public IP address of any internal web server hosted behind the corporate’s firewall that needs to be accessed from outside

#1: Internet Key Exchange (IKE) Configuration

Establish a policy for the supported ISAKMP encryption, authentication, Diffie-Hellman group, lifetime, and key parameters. Note that there is a global list of ISAKMP policies, each identified by sequence number.

IMPORTANT: This policy is defined as #1, which may conflict with an existing policy. If so, Zscaler recommends changing your existing policy number because the #1 policy must be the Zscaler policy. Otherwise, the tunnel negotiations will fail.

crypto ikev1 identity address  
crypto ikev1 enable outside_interface 
crypto ikev1 policy 1  
  encryption aes128  
  authentication pre-share
  hash md5  
  group 2  
  lifetime 86400  
exit 

The following group policy links the VPN tunnel protocol with the above-defined crypto policy.

group-policy Zscaler-GRP internal
group-policy Zscaler-GRP attributes
	vpn-tunnel-protocol ikev1

The tunnel group sets the pre-shared key that is used to authenticate the tunnel endpoints.

tunnel-group zen_ip_1 type ipsec-l2l 
tunnel-group zen_ip_1 general-attributes    
	default-group-policy Zscaler-GRP
tunnel-group zen_ip_1 ipsec-attributes    
	ikev1 pre-shared-key password_here
! 
tunnel-group zen_ip_2 type ipsec-l2l 
tunnel-group zen_ip_2 general-attributes    
	default-group-policy Zscaler-GRP
tunnel-group zen_ip_2 ipsec-attributes    
	ikev1 pre-shared-key password_here

#2: Access List Configuration

Access lists are configured to permit the creation of tunnels and to send relevant traffic over them.

NOTE: Zscaler supports up to eight Phase 2 SAs, as shown in the preceding example for version 9.2. One SA is used for the connection between the Cisco ASA’s public IP address and the ZEN. You can then configure seven subnets to flow through the tunnel, forming the remaining seven SAs. If you would like the traffic of more than seven subnets to flow through the tunnel, this example illustrates how to combine multiple subnets into one supernet, so there is only one allow statement for the access list attached to the crypto map. In this example, the ASA sends all traffic down a single Phase 2 tunnel.

You should also create another object with the range of public IP addresses that should not flow through the tunnel. The example specifies an internally hosted Web server.

object network flow_traffic
	subnet flow_traffic_subnet flow_traffic_subnet_mask
object network deny_traffic
	host int_server_ip

The following access list named Zscaler_MAP specifies all traffic that needs to be routed to the ZEN. Traffic is transmitted through the tunnel to the ZEN. Association with the IPsec SA is done through the "crypto map" command. The deny entry should cover all public IP ranges used for NAT.

access-list Zscaler_MAP extended deny ip object deny_traffic any  
access-list Zscaler_MAP extended permit ip object flow_traffic any 
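Choosing the flow_traffic_subnet and flow_traffic_subnet_mask values for the supernet approach above is the part that is easy to get wrong: the supernet must cover every internal subnet, and every address it adds beyond those subnets will also be sent down the tunnel. The following added example (not part of the original page, and not a Zscaler or Cisco tool) computes the smallest covering supernet, reports how many extra addresses it pulls in, and emits the object and access-list lines in the form used above. The nine sample subnets are constructed; the seven-subnet threshold is the one the text states.

```python
from ipaddress import IPv4Network

# Constructed example: nine user subnets, two more than the seven permit
# entries the text allows alongside the ASA/ZEN host-pair SA.
SAMPLE_SUBNETS = [f"10.84.{i}.0/24" for i in range(1, 10)]

MAX_PERMIT_SUBNETS = 7  # eight Phase 2 SAs minus the ASA/ZEN host pair


def smallest_supernet(cidrs):
    """Return the smallest single IPv4Network that contains every input subnet."""
    nets = [IPv4Network(c, strict=False) for c in cidrs]
    candidate = nets[0]
    # Widen the prefix one bit at a time until every subnet fits inside it.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def plan_flow_traffic(cidrs):
    """Decide between one permit per subnet and a single supernet permit.

    Returns a dict with the chosen mode, the ASA lines to use and, for a
    supernet, how many addresses it covers beyond the listed subnets (those
    addresses will also be forwarded through the tunnel).
    """
    nets = [IPv4Network(c, strict=False) for c in cidrs]
    if len(nets) <= MAX_PERMIT_SUBNETS:
        lines = [
            f"access-list Zscaler_MAP extended permit ip {n.network_address} {n.netmask} any"
            for n in nets
        ]
        return {"mode": "per-subnet", "lines": lines, "extra_addresses": 0}

    sup = smallest_supernet(cidrs)
    covered = sum(n.num_addresses for n in nets)
    lines = [
        "object network flow_traffic",
        f"\tsubnet {sup.network_address} {sup.netmask}",
        "access-list Zscaler_MAP extended permit ip object flow_traffic any",
    ]
    return {
        "mode": "supernet",
        "supernet": str(sup),
        "lines": lines,
        "extra_addresses": sup.num_addresses - covered,
    }


if __name__ == "__main__":
    plan = plan_flow_traffic(SAMPLE_SUBNETS)
    print(f"mode: {plan['mode']}, extra addresses in tunnel: {plan['extra_addresses']}")
    print("\n".join(plan["lines"]))
```

For the nine sample /24s the planner produces 10.84.0.0/20, which also carries the seven unlisted /24s in that range (1792 addresses); if that overlap is unacceptable, the practical alternatives are renumbering or dropping back to seven explicit permits.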

#3: IPsec Configuration

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

NOTE:  Zscaler supports both AES and null encryption. Zscaler recommends using null encryption, as shown in the example below, because it reduces the load on the local router/firewall for traffic destined for the Internet. But if you would like to use AES, you may purchase a separate subscription and use the command "esp-aes".

crypto ipsec ikev1 transform-set transform-zen esp-null esp-md5-hmac  

The crypto map references the IPsec transform-set and further defines the Diffie-Hellman group and SA lifetime. You don't need to change the default SA lifetime value, which is 8 hours (28800 seconds), because it is the same as the Zscaler recommended value for Phase 2.

The mapping is created as #65000, which may conflict with an existing crypto map using the same number. If so, Zscaler recommends changing the mapping number to avoid conflicts. Note that this crypto map should ideally be defined as the last map. If your corporation has RASVPN or SSLVPN crypto maps, then the Zscaler crypto map configuration should be just before them.

crypto map zen-vpn-map 65000 match address Zscaler_MAP
crypto map zen-vpn-map 65000 set connection-type originate-only 
crypto map zen-vpn-map 65000 set peer zen_ip_1 zen_ip_2
crypto map zen-vpn-map 65000 set ikev1 phase1-mode aggressive 
crypto map zen-vpn-map 65000 set ikev1 transform-set transform-zen
crypto map zen-vpn-map interface outside_interface

#4: Port Filter

The Port Filter restricts traffic to specific ports that are permitted through the tunnels.

IMPORTANT: You can forward traffic destined for all ports. With this configuration, there is no need to create the following port or corresponding NAT rules. However, if you want to restrict traffic to port 80 and 443, then create the following objects and link them to their corresponding NAT rules.

object service http
	service tcp destination eq www
object service https
	service tcp destination eq https
exit 

#5: NAT Exemption

Perform NAT on any traffic that bypasses the Zscaler service. Traffic that flows through the tunnel must maintain its source IP address. If you are forwarding only port 80 and 443 traffic to Zscaler, then establish the following NAT rules.

nat (inside,outside) source static flow_traffic flow_traffic service http http
nat (inside,outside) source static flow_traffic flow_traffic service https https
nat (inside,outside) after-auto source dynamic any interface

CLI Configuration for ASA Version 8.3

Following is the configuration for the two tunnels. Both tunnels must be configured at your gateway. Only a single tunnel is operational at any time. The second tunnel acts as a backup tunnel. The following placeholders represent the values that your organization needs to provide, based on your network setup.

  • outside_interface - External interface of the ASA
  • zen_vpn_map - Outside crypto map
  • zen_ip_1 and zen_ip_2 - ZEN IP addresses (See how to locate the ZEN IP addresses under Prerequisites above.)
  • flow_traffic_subnet and flow_traffic_subnet_mask - Superset of all the IP addresses that should flow through the tunnel
  • password_here - Password set by your organization in the Zscaler interface
  • int_server_ip - Public IP address of any internal web server hosted behind the corporate’s firewall that needs to be accessed from outside

#1: Internet Key Exchange (IKE) Configuration

Establish a policy for the supported ISAKMP encryption, authentication, Diffie-Hellman group, lifetime, and key parameters. Note that there is a global list of ISAKMP policies, each identified by sequence number.

IMPORTANT: This policy is defined as #1, which may conflict with an existing policy. If so, we recommend changing your existing policy number to something else because the #1 policy must be the Zscaler policy. Otherwise, the tunnel negotiations will fail.

crypto isakmp enable outside_interface 
crypto isakmp policy 1 
	encryption aes128   
	authentication pre-share
	hash md5   
	group 2   
	lifetime 86400   
exit

The tunnel group sets the pre-shared key that is used to authenticate the tunnel endpoints.

tunnel-group zen_ip_1 type ipsec-l2l    
tunnel-group zen_ip_1 ipsec-attributes    
	pre-shared-key password_here
	peer-id-validate nocheck
	isakmp keepalive threshold 10 retry 5
tunnel-group zen_ip_2 type ipsec-l2l    
tunnel-group zen_ip_2 ipsec-attributes    
	pre-shared-key password_here
	peer-id-validate nocheck
	isakmp keepalive threshold 10 retry 5

#2: Access List Configuration

Access lists are configured to permit the creation of tunnels and to send relevant traffic over them. This example uses only one permit rule for the Phase 2 part of the tunnel. In the following commands, we create a superset of all the IP addresses that flow through the tunnel and define it in the flow_traffic network object. You should also create another object with the range of all public IP addresses that should not flow through the tunnel, such as an internally hosted Web server.

object network flow_traffic
	subnet flow_traffic_subnet flow_traffic_subnet_mask
object network deny_traffic
	host int_server_ip

The following access list named Zscaler_MAP specifies all traffic that needs to be routed to the ZEN. Traffic is transmitted through the tunnel to the ZEN. Association with the IPsec security association is done through the "crypto map" command. The deny entry should cover all public IP ranges used for NAT.

access-list Zscaler_MAP extended deny ip object deny_traffic any  
access-list Zscaler_MAP extended permit ip object flow_traffic any

#3: IPsec Configuration

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

NOTE: Zscaler supports both AES and null encryption. Zscaler recommends using null encryption, as shown in the example below, because it reduces the load on the local router/firewall for traffic destined for the Internet. But if you would like to use AES, you may purchase a separate subscription and use the command "esp-aes".

crypto ipsec transform-set transform-zen esp-null esp-md5-hmac

The crypto map references the IPsec transform-set and further defines the Diffie-Hellman group and security association lifetime. You don't need to change the default SA lifetime value, which is 8 hours (28800 seconds), because it is the same as the Zscaler recommended value for Phase 2.

The mapping is created as #65000, which may conflict with an existing crypto map using the same number. If so, Zscaler recommends changing the mapping number to avoid conflicts. Note that this crypto map should ideally be defined as the last map. If your corporation has RASVPN or SSLVPN crypto maps, then the Zscaler crypto map configuration should be just before them.

crypto ipsec security-association lifetime seconds 28800
crypto map zen-vpn-map 65000 match address Zscaler_MAP
crypto map zen-vpn-map 65000 set connection-type originate-only 
crypto map zen-vpn-map 65000 set peer zen_ip_1 zen_ip_2
crypto map zen-vpn-map 65000 set phase1-mode aggressive 
crypto map zen-vpn-map 65000 set security-association lifetime seconds 28800
crypto map zen-vpn-map 65000 set ikev1 transform-set transform-zen
crypto map zen-vpn-map interface outside_interface

#4: Port Filter

The Port Filter restricts traffic to specific ports that are permitted through the tunnels.

IMPORTANT: Customers can forward traffic destined for all ports. With this configuration, there is no need to create the following port or corresponding NAT rules. However, if you want to restrict traffic to port 80 and 443, then create the following objects and link them to their corresponding NAT rules.

object service http
	service tcp destination eq www
object service https
	service tcp destination eq https
exit 

#5: NAT Exemption

Perform NAT on any traffic that bypasses the Zscaler service. Traffic that flows through the tunnel must maintain its source IP address. If you are forwarding only port 80 and 443 traffic to Zscaler, then establish the following NAT rules.

nat (any,any) source static flow_traffic flow_traffic service http http
nat (any,any) source static flow_traffic flow_traffic service https https
object network flow_traffic
	nat (any,any) dynamic interface

CLI Configuration for ASA Version 8.2

Following is the configuration for the two tunnels. Both tunnels must be configured at your gateway. Only a single tunnel is operational at any time. The second tunnel acts as a backup tunnel. The following placeholders represent the values that your organization needs to provide, based on your network setup.

  • outside_interface - External interface of the ASA
  • zen_vpn_map - Outside crypto map
  • zen_ip_1 and zen_ip_2 - ZEN IP addresses (See how to locate the ZEN IP addresses under Prerequisites above.)
  • flow_traffic_subnet and flow_traffic_subnet_mask - Superset of all the IP addresses that should flow through the tunnel
  • password_here - Password set by your organization in the Zscaler interface
  • int_server_ip - Public IP address of any internal web server hosted behind the corporate’s firewall that needs to be accessed from outside

#1: Internet Key Exchange (IKE) Configuration

Establish a policy for the supported ISAKMP encryption, authentication, Diffie-Hellman group, lifetime, and key parameters. Note that there is a global list of ISAKMP policies, each identified by sequence number.

IMPORTANT: This policy is defined as #1, which may conflict with an existing policy. If so, we recommend changing your existing policy number to something else because the #1 policy must be the Zscaler policy. Otherwise, the tunnel negotiations will fail.

crypto isakmp enable outside_interface 
crypto isakmp policy 1
	encryption aes128   
	authentication pre-share
	hash md5   
	group 2   
	lifetime 86400   
crypto isakmp nat-traversal 3600

The tunnel group sets the pre-shared key that is used to authenticate the tunnel endpoints.

tunnel-group zen_ip_1 type ipsec-l2l    
tunnel-group zen_ip_1 ipsec-attributes    
	pre-shared-key password_here
	peer-id-validate nocheck
	isakmp keepalive threshold 10 retry 5
tunnel-group zen_ip_2 type ipsec-l2l    
tunnel-group zen_ip_2 ipsec-attributes    
	pre-shared-key password_here
	peer-id-validate nocheck
	isakmp keepalive threshold 10 retry 5

#2: Port Filter, NAT and Access List configuration

The Port Filter restricts traffic to specific ports that are permitted through the tunnels. You can forward traffic destined for all ports, in which case you do not need to create the following port objects or the corresponding NAT and access list rules. However, if you want to restrict the traffic to port 80 and 443, then you need to create the following objects and link them with their corresponding NAT rules.

object-group service NOT-HTTP-HTTPS tcp 
	port-object range 1 finger
	port-object range 444 65535
	port-object range 81 442
object-group protocol ICMP-UDP 
	protocol-object icmp
	protocol-object udp
access-list inside_nat_outbound extended permit tcp any any object-group NOT-HTTP-HTTPS
access-list inside_nat_outbound extended permit object-group ICMP-UDP any any
access-list Zscaler_MAP extended permit ip any any  
nat (inside) 1 access-list inside_nat_outbound

#3: IPsec Configuration

The IPsec transform set defines the encryption, authentication, and IPsec mode parameters.

NOTE: Zscaler supports both AES and null encryption. Zscaler recommends using null encryption, as shown in the example below, because it reduces the load on the local router/firewall for traffic destined for the Internet. But if you would like to use AES, you may purchase a separate subscription and use the command "esp-aes".

crypto ipsec transform-set transform-zen esp-null esp-md5-hmac 

The crypto map references the IPsec transform-set and further defines the Diffie-Hellman group and SA lifetime. The mapping is created as #65000, which may conflict with an existing crypto map using the same number. If so, Zscaler recommends changing the mapping number to avoid conflicts. Note that this crypto map should ideally be defined as the last map. If your corporation has RASVPN or SSLVPN crypto maps, then the Zscaler crypto map configuration should be just before them.

crypto ipsec security-association lifetime seconds 28800
crypto map zen-vpn-map 65000 match address Zscaler_MAP
crypto map zen-vpn-map 65000 set connection-type originate-only 
crypto map zen-vpn-map 65000 set peer zen_ip_1 zen_ip_2
crypto map zen-vpn-map 65000 set phase1-mode aggressive 
crypto map zen-vpn-map 65000 set security-association lifetime seconds 28800
crypto map zen-vpn-map 65000 set ikev1 transform-set transform-zen
crypto map zen-vpn-map interface outside_interface

Troubleshooting

The following troubleshooting tips apply to all tested ASA versions: 9.2, 9.0, 8.3 and 8.2. The placeholders in the output represent the values that you should check while troubleshooting issues in your setup.

Use the following command for troubleshooting IKE. The response shows an organization’s gateway with IKE configured correctly. The state value should be MM_ACTIVE, which indicates that the tunnel is active.

ciscoasa# show crypto isakmp sa
	Active SA: 2
	Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1 	IKE Peer: zen_ip_1
	Type : L2L 		Role : initiator
	Rekey : no 		State : MM_ACTIVE

Use the following command to troubleshoot the IPsec VPN tunnel. The response shows an organization’s gateway with IKE configured correctly. You should ensure that some packets are encapsulated and de-capsulated. This indicates that traffic is indeed flowing through the tunnel.

ciscoasa# sh crypto ipsec stats


IPsec Global Statistics
-----------------------
Active tunnels: 2
Previous tunnels: 18
Inbound
	Bytes: 33030501
	Decompressed bytes: 33030501
	Packets: 30543
	Dropped packets: 0
	Replay failures: 0
	Authentications: 30543
	Authentication failures: 0
	Decryptions: 0
	Decryption failures: 0
	TFC Packets: 0
	Decapsulated fragments needing reassembly: 0
	Valid ICMP Errors rcvd: 0
	Invalid ICMP Errors rcvd: 0
Outbound
	Bytes: 2949805
	Uncompressed bytes: 2949805
	Packets: 21634
	Dropped packets: 0
	Authentications: 21634
	Authentication failures: 0
	Encryptions: 0
	Encryption failures: 0
	TFC Packets: 0
	Fragmentation successes: 0
		Pre-fragmentation successes: 0
		Post-fragmentation successes: 0
	Fragmentation failures: 0
		Pre-fragmentation failures: 0
		Post-fragmentation failures: 0
	Fragments created: 0
	PMTUs sent: 0
	PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

ciscoasa# sh crypto ipsec sa
interface: outside
	Crypto map tag: zen-vpn-map, seq num: 65000, local addr: 99.158.155.211

		access-list Zscaler_MAP extended permit ip 10.84.0.0 255.255.0.0 any
		local ident (addr/mask/prot/port): (10.84.0.0/255.255.0.0/0/0)
		remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
		current_peer: 95.172.67.34

		#pkts encaps: 1104, #pkts encrypt: 0, #pkts digest: 1104
		#pkts decaps: 1557, #pkts decrypt: 0, #pkts verify: 1557
		#pkts compressed: 0, #pkts decompressed: 0
		#pkts not compressed: 1104, #pkts comp failed: 0, #pkts decomp failed: 0
		#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
		#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
		#TFC rcvd: 0, #TFC sent: 0
		#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
		#send errors: 0, #recv errors: 0
		local crypto endpt.: 99.158.155.211/0, remote crypto endpt.: 95.172.67.34/0
		path mtu 1500, ipsec overhead 47(28), media mtu 1500
		PMTU time remaining (sec): 0, DF policy: copy-df
		ICMP error validation: disabled, TFC packets: disabled
		current outbound spi: 0AF97C55
		current inbound spi : BAD644FB

inbound esp sas:
	spi: 0xBAD644FB (3134604539)
		transform: esp-null esp-md5-hmac no compression
		in use settings ={L2L, Tunnel, IKEv1, }
		slot: 0, conn_id: 61440, crypto-map: zen-vpn-map
		sa timing: remaining key lifetime (kB/sec): (4373261/28090)
		IV size: 0 bytes
		replay detection support: Y
		Anti replay bitmap:
		   0xFFFFFFF7 0xFFC3FFFC
outbound esp sas:
	spi: 0x0AF97C55 (184122453)
		transform: esp-null esp-md5-hmac no compression
		in use settings ={L2L, Tunnel, IKEv1, }
		slot: 0, conn_id: 61440, crypto-map: zen-vpn-map
		sa timing: remaining key lifetime (kB/sec): (4373773/28090)
		IV size: 0 bytes
		replay detection support: Y
		Anti replay bitmap:
		  0x00000000 0x00000001

	Crypto map tag: zen-vpn-map, seq num: 65000, local addr: 99.158.155.211

		access-list OO_temp_zen-vpn-map65000 extended permit ip host 99.158.155.211 host 95.172.67.34
		local ident (addr/mask/prot/port): (99.158.155.211/255.255.255.255/0/0)
		remote ident (addr/mask/prot/port): (95.172.67.34/255.255.255.255/0/0)
		current_peer: 95.172.67.34


		#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
		#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
		#pkts compressed: 0, #pkts decompressed: 0
		#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
		#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
		#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
		#TFC rcvd: 0, #TFC sent: 0
		#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
		#send errors: 0, #recv errors: 0

		local crypto endpt.: 99.158.155.211/0, remote crypto endpt.: 95.172.67.34/0
		path mtu 1500, ipsec overhead 47(28), media mtu 1500
		PMTU time remaining (sec): 0, DF policy: copy-df
		ICMP error validation: disabled, TFC packets: disabled
		current outbound spi: 07BA1D32
		current inbound spi : C402E1CA

inbound esp sas:
	spi: 0xC402E1CA (3288523210)
		transform: esp-null esp-md5-hmac no compression
		in use settings ={L2L, Tunnel, IKEv1, }
		slot: 0, conn_id: 61440, crypto-map: zen-vpn-map
		sa timing: remaining key lifetime (kB/sec): (4374000/28067)
		IV size: 0 bytes
		replay detection support: Y
		Anti replay bitmap:
		  0x00000000 0x00000001
outbound esp sas:
	spi: 0x07BA1D32 (129637682)
		transform: esp-null esp-md5-hmac no compression
		in use settings ={L2L, Tunnel, IKEv1, }
		slot: 0, conn_id: 61440, crypto-map: zen-vpn-map
		sa timing: remaining key lifetime (kB/sec): (4374000/28067)
		IV size: 0 bytes
		replay detection support: Y
		Anti replay bitmap:
		  0x00000000 0x00000001
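The two checks described above (the IKE peer state, and packets being both encapsulated and decapsulated on a Phase 2 SA) are what a monitoring job should read out of this output. The following added example, not part of the original page or of any Cisco or Zscaler tool, parses cut-down copies of the two show-command outputs and returns a pass/fail verdict with findings. The samples are constructed from the output above (the zen_ip_1 placeholder and the addresses are the ones the page shows); AM_ACTIVE is accepted alongside MM_ACTIVE because that is the state the ASA reports when Phase 1 was negotiated in aggressive mode, as the crypto maps above configure.

```python
import re

# Constructed samples, cut down from the show-command output above.
ISAKMP_SAMPLE = """\
  Active SA: 2
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: zen_ip_1
    Type : L2L             Role : initiator
    Rekey : no             State : MM_ACTIVE
"""

IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: zen-vpn-map, seq num: 65000, local addr: 99.158.155.211

      access-list Zscaler_MAP extended permit ip 10.84.0.0 255.255.0.0 any
      local ident (addr/mask/prot/port): (10.84.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 95.172.67.34

      #pkts encaps: 1104, #pkts encrypt: 0, #pkts digest: 1104
      #pkts decaps: 1557, #pkts decrypt: 0, #pkts verify: 1557

    Crypto map tag: zen-vpn-map, seq num: 65000, local addr: 99.158.155.211

      local ident (addr/mask/prot/port): (99.158.155.211/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (95.172.67.34/255.255.255.255/0/0)
      current_peer: 95.172.67.34

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Phase 1 is up in either main mode (MM_) or aggressive mode (AM_).
ACTIVE_STATES = {"MM_ACTIVE", "AM_ACTIVE"}


def isakmp_states(text):
    """Map each IKE peer in `show crypto isakmp sa` output to its State value."""
    states, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
            peer = None
    return states


def ipsec_sas(text):
    """List local selector, peer and encaps/decaps counters per SA in `show crypto ipsec sa`."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/", line)
        if m:  # each "local ident" line starts a new SA block
            cur = {"local": f"{m.group(1)}/{m.group(2)}", "peer": None, "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key, pattern in (("peer", r"current_peer:\s*(\S+)"),
                             ("encaps", r"#pkts encaps:\s*(\d+)"),
                             ("decaps", r"#pkts decaps:\s*(\d+)")):
            m = re.search(pattern, line)
            if m:
                cur[key] = m.group(1) if key == "peer" else int(m.group(1))
    return sas


def tunnel_health(isakmp_text, ipsec_text):
    """Return (healthy, findings): Phase 1 active and some SA moving packets both ways."""
    findings = []
    states = isakmp_states(isakmp_text)
    active = {p for p, s in states.items() if s in ACTIVE_STATES}
    if not active:
        findings.append(f"no IKE peer in an active state: {states or 'no SAs at all'}")
    sas = ipsec_sas(ipsec_text)
    carrying = [s for s in sas if s["encaps"] > 0 and s["decaps"] > 0]
    for s in sas:
        if s["encaps"] > 0 and s["decaps"] == 0:
            findings.append(f"{s['local']} -> {s['peer']}: packets leave but none return")
    if not carrying:
        findings.append("no Phase 2 SA has both encapsulated and decapsulated packets")
    return bool(active) and bool(carrying), findings


if __name__ == "__main__":
    ok, findings = tunnel_health(ISAKMP_SAMPLE, IPSEC_SAMPLE)
    print("healthy" if ok else "unhealthy", *findings, sep="\n  ")
```

On the sample output the verdict is healthy: the peer is MM_ACTIVE and the 10.84.0.0/255.255.0.0 SA has both encaps and decaps counters above zero, while the idle ASA-to-ZEN host-pair SA is not treated as a fault. A peer stuck in a waiting state, or an SA whose encaps counter climbs while decaps stays at zero, produces a finding instead.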

 

The following command simulates a packet from the inside interface, with a specific source IP address and port and a specific destination IP address and port. The response indicates whether the packet flows through the tunnel.

ciscoasa# packet-tracer input inside tcp source_ip source_port dest_ip dest_port


Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0   0.0.0.0   outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 access-list inside_nat_outbound
	match tcp inside any inside any range 1 79
		dynamic translation to pool 1 (No matching global)
		translate_hits = 0, untranslate_hits = 0
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 41542, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
Locating the ZEN IP Addresses

  1. Go to ips.<your cloud name>.net.

You can find the name of your cloud in the URL your admins use to log into the Zscaler service. For example, if an organization logs into admin.zscalertwo.net, then that organization's cloud name is zscalertwo.net. Therefore, in this instance, you would go to ips.zscalertwo.net. To learn more, see What is my cloud name?

  2. From the menu on the left, click Cloud Enforcement Node Ranges.
  3. Locate the VPN Host Name of the two data centers closest to your organization's location and resolve the hostnames. Choose one as the destination for your primary IPsec VPN tunnel, and the other as the destination for your secondary IPsec VPN tunnel.

For example, if you're located in London, you can scroll to the Europe section of the table, then choose lon3-vpn.zscalertwo.net (London) as your primary destination and amsterdam2-vpn.zscalertwo.net (Amsterdam) as your secondary destination.

[Image: Cloud Enforcement Node Ranges (Cloud ENR) table]