Site to Site VPN

(2013-11-12)

Problem

Site to site VPN with an ASA running 8.2.

Solution

The local network is 192.168.50.0/24; the network on the far side of the VPN is 172.17.64.0/24.

! This ACL controls access to the NAT-exemption rule
access-list VPN extended permit ip 192.168.50.0 255.255.255.0 172.17.64.0 255.255.255.0
! This ACL controls access to the VPN -- it is your phase-2 proxy-ID
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 172.17.64.0 255.255.255.0
! See the note below about this ACL
access-list inside_access_in extended permit ip any any log disable
! Debug logging, you probably don't need
logging class vpn asdm debugging
! Don't NAT traffic from inside to the VPN
nat (inside) 0 access-list VPN
! See the note below about this command
access-group inside_access_in in interface inside
! This defines ESP-3DES-MD5 as a phase-2 transform
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! This defines the phasse-2 part of the VPN
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
! (Change RemotePeerIP to your remote peer object name or IP)
crypto map outside_map 1 set peer RemotePeerIP
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
! Turn on isakmp
crypto isakmp enable outside
! This defines the vpn phase-1 transform
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! This is the remote gateway
! (I believe RemotePeerIP must be a literal IP in this instance)
tunnel-group RemotePeerIP type ipsec-l2l
! This defines the pre-shared key for the remote gateway
! (I believe RemotePeerIP must be a literal IP in this instance)
tunnel-group RemotePeerIP ipsec-attributes
 pre-shared-key MySecretKey

Note about the ACL: what hung me up in this case was that this ASA only had the two implicit ACLs on the inside interface -- if you look at the ASDM you'll see a - rule. This implicit rule is not sufficient for VPN traffic. So I had to add the inside_access_in ACL because if you add any ACL then this implicit one goes away. This may not be what you want. If your ACLs are more restrictive, then you will need to add an ACL to the rule set attached to the inside interface which permits traffic from the inside to the VPN.

(The second part of this is merely attaching inside_access_in to the inside interface, which I had to do because this is a new ACL.)

Console Commands

Debug Site to Site VPN

Faking a secondary IP

Mailguard

Password Reset

Port Forward

Changing A Remote Gateway IP

Site to Site VPN

Site to Site VPN with NAT

ssh_exchange_identification

Site to Site VPN

Site to Site VPN

Can't Run ASDM On New ASA

ASDM on Windows 10

DHCP Reservations

Port Forward

Same-interface Hairpin

Show Dropped Packets

Self-Signed Certificates

Disable TCP Timestamps

Force TLSv1.2 or higher

Missing HTTPOnly Cookie Attribute

Ping ASA interface

PPPoE Session Status

Security Commands

SNMP v3 on ASA

SSH pubkey authentication

Test Authentication Server

TLS DH Group Key Length

Use User's Password As Enable Password

Packet Tracer

SNMP v3 Read-Only setup

Port Span

Show Logs From Console

Site to Site VPN

Problem

Solution