Site to Site VPN
(2013-11-12)
Note about the ACL: what hung me up in this case was that this ASA only had the two implicit ACLs on the inside interface -- if you look at the ASDM you'll see a <any> - <any-lower-security-index-interface> <permit> rule. This implicit rule is not sufficient for VPN traffic. So I had to add the inside_access_in ACL because if you add any ACL then this implicit one goes away. This may not be what you want. If your ACLs are more restrictive, then you will need to add an ACL to the rule set attached to the inside interface which permits traffic from the inside to the VPN.(The second part of this is merely attaching inside_access_in to the inside interface, which I had to do because this is a new ACL.)
Problem
Site to site VPN with an ASA running 8.2.Solution
The local network is 192.168.50.0/24; the network on the far side of the VPN is 172.17.64.0/24.! This ACL controls access to the NAT-exemption rule access-list VPN extended permit ip 192.168.50.0 255.255.255.0 172.17.64.0 255.255.255.0 ! This ACL controls access to the VPN -- it is your phase-2 proxy-ID access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 172.17.64.0 255.255.255.0 ! See the note below about this ACL access-list inside_access_in extended permit ip any any log disable ! Debug logging, you probably don't need logging class vpn asdm debugging ! Don't NAT traffic from inside to the VPN nat (inside) 0 access-list VPN ! See the note below about this command access-group inside_access_in in interface inside ! This defines ESP-3DES-MD5 as a phase-2 transform crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac ! This defines the phasse-2 part of the VPN crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs ! (Change RemotePeerIP to your remote peer object name or IP) crypto map outside_map 1 set peer RemotePeerIP crypto map outside_map 1 set transform-set ESP-3DES-MD5 crypto map outside_map interface outside ! Turn on isakmp crypto isakmp enable outside ! This defines the vpn phase-1 transform crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400 ! This is the remote gateway ! (I believe RemotePeerIP must be a literal IP in this instance) tunnel-group RemotePeerIP type ipsec-l2l ! This defines the pre-shared key for the remote gateway ! (I believe RemotePeerIP must be a literal IP in this instance) tunnel-group RemotePeerIP ipsec-attributes pre-shared-key MySecretKey
no comments |
post comment
Virtual Dave Megaplex:
Home Page- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.