
ASA - Site 2 Site Configuration

This is a template for a simple site-to-site IPsec VPN between two Cisco ASAs.

Side A details: internal network 192.168.48.0/24, external address 199.99.9.99
Side B details: internal network 192.168.1.0/24, external address 62.0.62.60


Implement in Side A:


Access list that defines the encryption domain:


access-list outside_10_cryptomap extended permit ip 192.168.48.0 255.255.255.0 192.168.1.0 255.255.255.0

Access list that disables NAT between the encryption domains (networks):

access-list inside_nat0_outbound extended permit ip 192.168.48.0 255.255.255.0 192.168.1.0 255.255.255.0

Apply the no-NAT access list:


nat (inside) 0 access-list inside_nat0_outbound

IPsec phase 1 settings:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Crypto transform set and IPsec phase 2 settings:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_10_cryptomap
crypto map outside_map 20 set peer 62.0.62.60
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

Enable ISAKMP on the external (outside) interface:

crypto isakmp enable outside


Set the pre-shared key:

tunnel-group 62.0.62.60 type ipsec-l2l
tunnel-group 62.0.62.60 ipsec-attributes
 pre-shared-key hopeitworks


Implement in Side B:

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.48.0 255.255.255.0


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.48.0 255.255.255.0


nat (inside) 0 access-list inside_nat0_outbound


crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400




crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 199.99.9.99
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside


tunnel-group 199.99.9.99 type ipsec-l2l
tunnel-group 199.99.9.99 ipsec-attributes
 pre-shared-key hopeitworks
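
For the tunnel to come up, both sides must agree on the phase 1 policy, the transform set and the pre-shared key, and the two crypto access lists must be mirror images of each other. The Python check below is an added example, not part of the original template; it assumes one ISAKMP policy and one tunnel per config, and its sample configs are constructed from the Side A and Side B commands above.

```python
# Constructed sample: the page's Side A / Side B commands rendered from one template.
TEMPLATE = """\
access-list {acl} extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 match address {acl}
tunnel-group {peer} ipsec-attributes
 pre-shared-key {psk}
"""
SIDE_A = TEMPLATE.format(acl="outside_10_cryptomap", local="192.168.48.0",
                         remote="192.168.1.0", peer="62.0.62.60", psk="hopeitworks")
SIDE_B = TEMPLATE.format(acl="outside_20_cryptomap", local="192.168.1.0",
                         remote="192.168.48.0", peer="199.99.9.99", psk="hopeitworks")

def parse(cfg):
    """Pull out the settings both peers must agree on (assumes one policy, one tunnel)."""
    out = {"acl": {}, "phase1": {}}
    for words in (line.split() for line in cfg.splitlines() if line.strip()):
        if words[0] == "access-list" and words[2:5] == ["extended", "permit", "ip"]:
            out["acl"][words[1]] = (tuple(words[5:7]), tuple(words[7:9]))  # (src, dst)
        elif words[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            out["phase1"][words[0]] = words[1]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transform"] = tuple(words[4:])
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["match", "address"]:
            out["crypto_acl"] = words[6]
        elif words[0] == "pre-shared-key":
            out["psk"] = words[1]
    return out

def mismatches(cfg_a, cfg_b):
    """Return a list of reasons the tunnel would fail to negotiate or pass traffic."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    src, dst = a["acl"][a["crypto_acl"]]
    if b["acl"][b["crypto_acl"]] != (dst, src):
        problems.append("crypto ACLs are not mirror images")
    for key in ("phase1", "transform", "psk"):  # never echo the key itself
        if a.get(key) != b.get(key):
            problems.append(key + " differs between peers")
    return problems

if __name__ == "__main__":
    print(mismatches(SIDE_A, SIDE_B) or "peers are consistent")
```

The check only confirms that the two sides agree; it does not assess cipher strength, and the sample pre-shared key should be replaced with a long random value before deployment.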



