For When You Can't Have The Real Thing
[ start | index | login ]
start > Cisco > ASA > 8.2 > Site to Site VPN

Site to Site VPN

Created by dave. Last edited by dave, 5 years and 31 days ago. Viewed 1,610 times. #2
[diff] [history] [edit] [rdf]
labels
attachments
(2013-11-12)

Problem

Site to site VPN with an ASA running 8.2.

Solution

The local network is 192.168.50.0/24; the network on the far side of the VPN is 172.17.64.0/24.

! This ACL controls access to the NAT-exemption rule
access-list VPN extended permit ip 192.168.50.0 255.255.255.0 172.17.64.0 255.255.255.0
! This ACL controls access to the VPN -- it is your phase-2 proxy-ID
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 172.17.64.0 255.255.255.0
! See the note below about this ACL
access-list inside_access_in extended permit ip any any log disable
! Debug logging, you probably don't need
logging class vpn asdm debugging
! Don't NAT traffic from inside to the VPN
nat (inside) 0 access-list VPN
! See the note below about this command
access-group inside_access_in in interface inside
! This defines ESP-3DES-MD5 as a phase-2 transform
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
! This defines the phasse-2 part of the VPN
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
! (Change RemotePeerIP to your remote peer object name or IP)
crypto map outside_map 1 set peer RemotePeerIP
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
! Turn on isakmp
crypto isakmp enable outside
! This defines the vpn phase-1 transform
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! This is the remote gateway 
! (I believe RemotePeerIP must be a literal IP in this instance)
tunnel-group RemotePeerIP type ipsec-l2l
! This defines the pre-shared key for the remote gateway
! (I believe RemotePeerIP must be a literal IP in this instance)
tunnel-group RemotePeerIP ipsec-attributes
 pre-shared-key MySecretKey

Note about the ACL: what hung me up in this case was that this ASA only had the two implicit ACLs on the inside interface -- if you look at the ASDM you'll see a <any> - <any-lower-security-index-interface> <permit> rule. This implicit rule is not sufficient for VPN traffic. So I had to add the inside_access_in ACL because if you add any ACL then this implicit one goes away. This may not be what you want. If your ACLs are more restrictive, then you will need to add an ACL to the rule set attached to the inside interface which permits traffic from the inside to the VPN.

(The second part of this is merely attaching inside_access_in to the inside interface, which I had to do because this is a new ACL.)

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt