Labels

ASA - Site 2 Site Configuration

This is a template for a simple site 2 site between 2 Cisco ASA;

Side A details: internal 192.168.48.0 - external 199.99.9.99
Side B details: internal 192.168.1.0 - external 62.0.62.60


Implement in Side A:


Access-list of the encryption domain


access-list outside_10_cryptomap extended permit ip 192.168.48.0 255.255.255.0 192.168.1.0 255.255.255.0

Access-list that disable nat between the encryption domains ( networks)

access-list inside_nat0_outbound extended permit ip 192.168.48.0 255.255.255.0 192.168.1.0 255.255.255.0

Enable no nat access-list:


nat (inside) 0 access-list inside_nat0_outbound

IPsec setting phase 1:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Crypto transfrom set and IPsec setting phase 2:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_10_cryptomap
crypto map outside_map 20 set peer 62.0.62.60
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

Enable vpn on the external interface

crypto isakmp enable outside


Set shared key

tunnel-group 62.0.62.60 type ipsec-l2l
tunnel-group 62.0.62.60 ipsec-attributes
pre-shared-key hopeitworks


Implement in Side B:

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.48.0 255.255.255.0


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.48.0 255.255.255.0


nat (inside) 0 access-list inside_nat0_outbound


crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400




crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 199.99.9.99
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside


tunnel-group 199.99.9.99 type ipsec-l2l
tunnel-group 199.99.9.99 ipsec-attributes
pre-shared-key hopeitworks




Posted by
Labels:

1 comment:

Subscribe to: Post Comments (Atom)