Cisco ASA 8.4: Site to Site VPN

Created by dave.

Sorry, no detailed notes (too busy right now) but this seems to work. If you read my notes for other versions of ASA you should be able to figure out what is going on.

! Enable IKEv1 (ISAKMP) on the outside interface. 8.4 also accepts the newer
! "crypto ikev1" spelling for the isakmp commands below.
crypto isakmp enable outside
!
! The two ends of the tunnel. The subnet lines were missing from the notes;
! without them the objects are empty and neither the ACL nor the NAT rule matches anything.
! <LOCAL-NET>/<REMOTE-NET> and the masks are placeholders, fill in your own.
object network net-local
 subnet <LOCAL-NET> <LOCAL-MASK>
object network net-remote
 subnet <REMOTE-NET> <REMOTE-MASK>
!
! "Interesting traffic" that the crypto map will encrypt
access-list myvpn-cryptomap extended permit ip object net-local object net-remote
!
! The tunnel group is named after the peer's public address, which the notes left out;
! <PEER-IP> is a placeholder and must match the "set peer" line below.
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> ipsec-attributes
 pre-shared-key MySuperSecretKeyBob
!
! Phase 1 (IKE) policy, written in the nested form the running config uses
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec) transform set ("tramsform-set" was a typo)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Crypto map entry 1, then bind the whole map to the interface.
! The binding command takes no sequence number.
crypto map outside_map 1 match address myvpn-cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer <PEER-IP>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
!
! Identity NAT so the VPN traffic is not translated before it reaches the crypto map
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote

One thing I did learn is that if you already have a crypto map defined and associated with the interface you want to use, you should add the new entries to the existing map under a different sequence number rather than trying to use two maps at the same time, because only one crypto map can be applied to an interface. That's outside_map here, so if you have a SYSTEM_DEFAULT_CRYPTO_MAP defined, you should add the entries to that existing map rather than defining a new one.
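The config above is easy to get subtly wrong (a map that is never bound, a second map bound to the same interface, an ACL or transform set referenced but never defined, no identity NAT) and its algorithms (3DES, SHA-1, DH groups 1 and 2) are weak by current standards. The following audit script is an added example, not Cisco code or anything from the original page: it parses the handful of ASA commands used here and reports those problems. The sample config embedded in it is constructed from the page's commands with placeholder values filled in (203.0.113.10 is a documentation address) and the "two maps on one interface" mistake from the note above deliberately included; the set of algorithms it treats as weak is an assumption of the script.

```python
"""Audit a Cisco ASA 8.4 site-to-site VPN config for wiring mistakes and weak crypto.

Added example, not Cisco code: it understands only the commands the page uses.
"""
from collections import defaultdict

# Assumption: these are the algorithms/groups this checker reports as weak.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des"}
WEAK_DH_GROUPS = {"1", "2"}  # 768/1024-bit MODP

# Constructed sample: the page's config with placeholders filled in, plus the
# "second crypto map bound to the same interface" pitfall from the notes.
SAMPLE_CONFIG = """\
crypto isakmp enable outside
object network net-local
 subnet 10.1.0.0 255.255.0.0
object network net-remote
 subnet 10.2.0.0 255.255.0.0
access-list myvpn-cryptomap extended permit ip object net-local object net-remote
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key MySuperSecretKeyBob
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address myvpn-cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto map SYSTEM_DEFAULT_CRYPTO_MAP interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
"""


def _pkey(word):
    """Normalise the one-line 'encrypt' keyword to the nested-form 'encryption'."""
    return "encryption" if word == "encrypt" else word


def parse_asa(config):
    """Collect the VPN-relevant pieces of an ASA config into plain dicts."""
    cfg = {
        "iface_maps": defaultdict(list),   # interface -> crypto map names bound to it
        "map_entries": defaultdict(dict),  # (map, seq) -> {match, pfs, peer, transform-set}
        "transform_sets": {},              # name -> algorithm list
        "policies": defaultdict(dict),     # priority -> {encryption, hash, group, ...}
        "acls": set(), "tunnel_groups": set(), "nat_exempt": [], "notes": [],
    }
    policy = None  # priority of the isakmp policy whose indented sub-commands follow
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[0] == "crypto" and len(parts) > 3 and parts[1] in ("isakmp", "ikev1") \
                and parts[2] == "policy":
            policy = parts[3]
            if len(parts) > 5:  # one-line form: crypto isakmp policy 10 encrypt 3des
                cfg["policies"][policy][_pkey(parts[4])] = parts[5]
            continue
        if raw[0].isspace() and policy is not None:  # nested form: " encryption 3des"
            cfg["policies"][policy][_pkey(parts[0])] = parts[-1]
            continue
        policy = None  # any other top-level command ends the policy block
        if parts[:2] == ["crypto", "map"]:
            name = parts[2]
            if parts[3] == "interface":
                cfg["iface_maps"][parts[4]].append(name)
            elif parts[4] == "interface":
                cfg["notes"].append(f"crypto map {name}: the interface binding takes no sequence "
                                    f"number, use 'crypto map {name} interface {parts[5]}'")
            else:
                entry = cfg["map_entries"][(name, parts[3])]
                if parts[4] == "match":                      # match address <acl>
                    entry["match"] = parts[6]
                elif parts[5] == "pfs":                      # set pfs [groupN]
                    entry["pfs"] = parts[6] if len(parts) > 6 else "default"
                elif parts[5] in ("peer", "transform-set"):  # set peer/transform-set <list>
                    entry[parts[5]] = parts[6:]
        elif parts[:2] == ["crypto", "ipsec"] and "transform-set" in parts:
            i = parts.index("transform-set")
            cfg["transform_sets"][parts[i + 1]] = parts[i + 2:]
        elif parts[0] == "access-list":
            cfg["acls"].add(parts[1])
        elif parts[0] == "tunnel-group" and len(parts) > 2 and parts[2] == "type":
            cfg["tunnel_groups"].add(parts[1])
        elif parts[0] == "nat" and "source" in parts:  # identity NAT: source static X X
            i = parts.index("source")
            if parts[i + 1] == "static" and parts[i + 2] == parts[i + 3]:
                cfg["nat_exempt"].append(parts[i + 2])
    return cfg


def audit(config):
    """Return a list of findings; an empty list means nothing to report."""
    cfg = parse_asa(config)
    findings = list(cfg["notes"])
    for iface, maps in cfg["iface_maps"].items():
        if len(maps) > 1:
            findings.append(f"interface {iface}: {len(maps)} crypto maps bound ({', '.join(maps)}); "
                            "only one crypto map can be applied per interface, add entries to the existing map")
    bound = {m for maps in cfg["iface_maps"].values() for m in maps}
    for (name, seq), e in cfg["map_entries"].items():
        tag = f"crypto map {name} {seq}"
        if name not in bound:
            findings.append(f"{tag}: map is not bound to any interface")
        if e.get("match") not in cfg["acls"]:
            findings.append(f"{tag}: match address ACL {e.get('match')} is not defined")
        for peer in e.get("peer") or [None]:
            if peer not in cfg["tunnel_groups"]:
                findings.append(f"{tag}: peer {peer} has no ipsec-l2l tunnel-group")
        for ts in e.get("transform-set") or [None]:
            algs = cfg["transform_sets"].get(ts)
            if algs is None:
                findings.append(f"{tag}: transform-set {ts} is not defined")
            elif WEAK_ENCRYPTION & set(algs):
                findings.append(f"{tag}: transform-set {ts} uses {' '.join(algs)}, weak by current standards")
        if e.get("pfs", "").replace("group", "", 1) in WEAK_DH_GROUPS:
            findings.append(f"{tag}: pfs {e['pfs']} is a weak DH group")
    for prio, pol in cfg["policies"].items():
        if pol.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: encryption {pol['encryption']} is weak by current standards")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: DH group {pol['group']} is weak by current standards")
    if not cfg["nat_exempt"]:
        findings.append("no identity NAT for the VPN networks; traffic may be translated before it matches the crypto ACL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the doubled interface binding, the 3DES transform set and IKE encryption, DH group 2 and PFS group 1; swapping in AES-256 and a stronger group and dropping the second map leaves it silent. The parser deliberately stops at the commands on this page, so anything else in a real `show run` is ignored rather than misreported.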
