Solved

Cisco ASA 5520 Site to Site configuration

Posted on 2006-11-20
Last Modified: 2013-11-16
Hello. I am in the process of configuring our new Cisco ASA 5520 device and I have completed configuring the VPN with RADIUS configuration. But now I need to complete the site-to-site VPN configuration. With the RADIUS configuration already in place and relating to the crypto map that is already there, I am a bit confused. Can someone help out on the configuration lines that I will need to add in order to have both RADIUS authentication as well as my site-to-site VPN?
Thanks much!

ASA Version 7.0(5)
!
hostname ASA
domain-name ASA
names
no dns-guard
!
interface GigabitEthernet0/0
 description outside interface - WAN
 shutdown
 nameif outside
 security-level 0
 ip address 66.xx.xx.xx 255.0.0.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.16.0.19 255.255.224.0
!
interface GigabitEthernet0/2
 description DMZ1
 nameif DMZ1
 ip address 10.120.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns domain-lookup INSIDE
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq smtp
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit udp any host 66.xxx.xxx.xx eq dnsix
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq domain
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq pop3
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq imap4
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 135
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 1755
access-list inbound extended permit udp any host 66.xxx.xxx.xx eq 1755
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq ssh
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
.224.0
access-list dmz1 extended permit tcp host 10.120.10.13 eq www 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.9 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.10 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.11 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.12 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.13 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.5 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.6 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.7 eq telnet 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.8 eq ftp 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.8 eq ssh 172.16.0.0 255.255.224.0
24.0
access-list dmz1 extended permit ip any any
pager lines 24
mtu outside 1500
mtu INSIDE 1500
mtu DMZ1 1500
ip local pool vpnremote 192.168.30.1-192.168.30.100
no failover
icmp permit any outside
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,outside) 66.xxx.xxx.xx netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.6 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.56 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.57 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.31 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.15 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.44 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.20 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.11 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.46 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.61 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.62 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.63 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.47 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.75 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.58 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.5 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.6 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.7 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.8 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.9 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.10 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.11 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.12 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.13 netmask 255.255.255.255
static (INSIDE,DMZ1) 172.16.0.0 172.16.0.0 netmask 255.255.224.0
access-group inbound in interface outside
access-group dmz1 in interface DMZ1
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 172.16.0.2
 key ksfklwe
group-policy VPNClients internal
group-policy VPNClients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
 default-domain value ficgroup.com
 split-dns value 172.16.0.2
 webvpn
group-policy vpn5520 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal 20
isakmp disconnect-notify
tunnel-group Remote type ipsec-ra
tunnel-group Remote general-attributes
 address-pool vpnremote
 authentication-server-group vpn
 default-group-policy VPNClients
tunnel-group Remote ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp


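The lines a static site-to-site peer needs next to the existing dynamic (remote-access) crypto map, as an added example that is not from the thread. It reuses the posted names (mymap, dyn1, FirstSet, the nonat exemption, the 172.16.0.0/19 LAN); the peer address 203.0.113.1, the remote LAN 192.168.100.0/24, the ACL name L2L-remote and the key placeholder are assumptions.

```text
! Assumed values (not from the thread): remote peer 203.0.113.1,
! remote LAN 192.168.100.0/24. Local LAN 172.16.0.0/19 is from the post.
!
! 1. Define the traffic that belongs in the tunnel and exempt it from PAT.
!    "nonat" is already referenced by "nat (INSIDE) 0 access-list nonat",
!    but its entries are not in the dump, so one is added here.
access-list L2L-remote extended permit ip 172.16.0.0 255.255.224.0 192.168.100.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.224.0 192.168.100.0 255.255.255.0
!
! 2. Move the existing dynamic entry to the highest sequence number.
!    A dynamic entry must be the lowest-priority entry in the map set;
!    at sequence 1 it is evaluated first and the static peer entry below
!    would never be matched. Re-adding it briefly drops active client sessions.
no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65535 ipsec-isakmp dynamic dyn1
!
! 3. Static entry for the site-to-site peer, reusing the transform set
!    and ISAKMP policy 1 already configured for the remote-access clients
!    (the far end must offer matching 3des/md5/group 2 parameters).
crypto map mymap 10 match address L2L-remote
crypto map mymap 10 set peer 203.0.113.1
crypto map mymap 10 set transform-set FirstSet
!
! 4. The L2L tunnel-group is named after the peer address and carries its
!    own pre-shared key, separate from the RADIUS-authenticated "Remote" group.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <replace-with-a-long-random-key>
!
! Verification once traffic is sent across:
! show isakmp sa                 -> phase 1 state MM_ACTIVE for 203.0.113.1
! show ipsec sa peer 203.0.113.1 -> encaps/decaps counters increasing
```

The remote-access configuration (tunnel-group Remote, RADIUS server group vpn, pool vpnremote) is untouched; only the order of the crypto map entries changes.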
Question by: Llarissa21

4 Comments

Expert Comment

by:lrmoore
ID: 17982816
I suggest just using the VPN Wizard in the ASDM interface. It will walk you through it step by step.

Author Comment

by:Llarissa21
ID: 17982883
Thank you lrmoore, but I would rather do it through the console command line. I DO NOT like the interface. I have a config from a site-to-site tunnel I set up a loooong time ago with a PIX 515, so I will just need to find it. I am pretty sure it is just a matter of a few additional lines such as adding the isakmp peer, pre-shared key, etc. I know it will be a little different because the OS version that I set it up on previously is different (PIX 515).

Thanks.


Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17982924
ASA with 7.x and PIX with 6.x are VERY different in the way you set up site-to-site VPNs. I HIGHLY recommend just using the wizard to set up the site-to-site.
I've had years of experience with command line PIX and ASA, and even I have a difficult time getting everything just right with command line only. I've learned to save my time, use the wizard, then tweak it later.
I actually like the ASDM GUI, especially with 7.21/ASDM 5.2.

Author Comment

by:Llarissa21
ID: 17982929
Ok, I will try it. Thank you.