Cisco ASA 5520 Site to Site configuration

Hello. I am in the process of configuring our new Cisco ASA 5520 and have completed the VPN configuration with RADIUS authentication. Now I need to complete the site-to-site VPN configuration. Since the RADIUS configuration is already tied to the crypto map that is in place, I am a bit confused. Can someone help with the configuration lines I will need to add in order to have both RADIUS authentication and my site-to-site VPN?
Thanks much!

ASA Version 7.0(5)
!
hostname ASA
domain-name ASA
names
no dns-guard
!
interface GigabitEthernet0/0
 description outside interface - WAN
 shutdown
 nameif outside
 security-level 0
 ip address 66.xx.xx.xx 255.0.0.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.16.0.19 255.255.224.0
!
interface GigabitEthernet0/2
 description DMZ1
 nameif DMZ1
 ip address 10.120.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns domain-lookup INSIDE
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq smtp
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit udp any host 66.xxx.xxx.xx eq dnsix
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq domain
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq pop3
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq imap4
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 135
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 1755
access-list inbound extended permit udp any host 66.xxx.xxx.xx eq 1755
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq ssh
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
.224.0
access-list dmz1 extended permit tcp host 10.120.10.13 eq www 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.9 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.10 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.11 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.12 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.13 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.5 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.6 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.7 eq telnet 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.8 eq ftp 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.8 eq ssh 172.16.0.0 255.255.224.0
24.0
access-list dmz1 extended permit ip any any
pager lines 24
mtu outside 1500
mtu INSIDE 1500
mtu DMZ1 1500
ip local pool vpnremote 192.168.30.1-192.168.30.100
no failover
icmp permit any outside
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,outside) 66.xxx.xxx.xx netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.6 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.56 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.57 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.31 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.15 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.44 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.20 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.11 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.46 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.61 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 9 172.16.0.62 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.63 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.47 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.75 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.58 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.5 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.6 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.7 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.8 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.9 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.10 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.11 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.12 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.13 netmask 255.255.255.255
static (INSIDE,DMZ1) 172.16.0.0 172.16.0.0 netmask 255.255.224.0
access-group inbound in interface outside
access-group dmz1 in interface DMZ1
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 172.16.0.2
 key ksfklwe
group-policy VPNClients internal
group-policy VPNClients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
 default-domain value ficgroup.com
 split-dns value 172.16.0.2
 webvpn
group-policy vpn5520 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal  20
isakmp disconnect-notify
tunnel-group Remote type ipsec-ra
tunnel-group Remote general-attributes
 address-pool vpnremote
 authentication-server-group vpn
 default-group-policy VPNClients
tunnel-group Remote ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp


Asked by Llarissa21

lrmoore commented (accepted solution):
ASA with 7.x and PIX with 6.x are VERY different in the way you set up site-to-site VPNs. I HIGHLY recommend just using the wizard to set up the site-to-site.
I've had years of experience with command-line PIX and ASA, and even I have a difficult time getting everything just right with the command line only. I've learned to save my time, use the wizard, then tweak it later.
I actually like the ASDM GUI, especially with 7.2(1)/ASDM 5.2.

lrmoore commented:
I suggest just using the VPN Wizard in the ASDM interface. It will walk you through it step by step.

Llarissa21 (author) commented:
Thank you lrmoore, but I would rather do it through the console command line. I do NOT like the interface. I have a config from a site-to-site tunnel I set up a loooong time ago with a PIX 515, so I will just need to find it. I am pretty sure it is just a matter of a few additional lines such as adding the isakmp peer, pre-shared key, etc. I know it will be a little different because the IOS version that I set it up on previously is different (PIX 515).

Thanks.

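The "few additional lines" the thread is after, as an added example that is not from the original post or from any reply: a LAN-to-LAN tunnel added next to the existing remote-access (dynamic crypto map) setup on ASA 7.0(5). The map name mymap, the dynamic map dyn1, the transform set FirstSet, the local LAN 172.16.0.0/19 and the client pool 192.168.30.0/24 are taken from the posted config; everything else is assumed for illustration: the peer address 203.0.113.10, the remote LAN 192.168.100.0/24, the names l2l-branch and L2LSET, and the placeholder pre-shared key.

```cisco
! Added example, not from the original post. Assumed values: peer 203.0.113.10,
! remote LAN 192.168.100.0/24, names l2l-branch / L2LSET, key REPLACE-ME.
!
! 1. Interesting traffic for the tunnel: local LAN (from the posted config) to remote LAN.
access-list l2l-branch extended permit ip 172.16.0.0 255.255.224.0 192.168.100.0 255.255.255.0
!
! 2. NAT exemption. The posted config references "nonat" in "nat (INSIDE) 0 access-list nonat"
!    but the paste never defines it, so both the RA pool and the branch LAN are exempted here.
!    Without this the ASA PATs the traffic to the outside address and it never matches the map.
access-list nonat extended permit ip 172.16.0.0 255.255.224.0 192.168.30.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.224.0 192.168.100.0 255.255.255.0
nat (INSIDE) 0 access-list nonat
!
! 3. Phase 1: keep policy 1 (3DES/MD5) for the existing clients and add a stronger policy for
!    the peer. Lower policy number = higher priority, so the branch device must not offer
!    3DES/MD5 if you want AES/SHA negotiated. (Assumed the branch device supports AES.)
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
!
! 4. Phase 2 transform set for the L2L peer (the RA clients keep FirstSet).
crypto ipsec transform-set L2LSET esp-aes-256 esp-sha-hmac
!
! 5. Static map entry. The dynamic entry has to be evaluated LAST, but the posted config gives
!    it sequence 1, the lowest possible, so it is moved to 65535. Removing and re-adding the
!    entry drops any remote-access tunnels that are up; do this in a maintenance window.
no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 10 match address l2l-branch
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set L2LSET
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 65535 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
!
! 6. The L2L tunnel-group is keyed by the peer's IP ("isakmp identity address" is already set).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-ME
 isakmp keepalive threshold 10 retry 2
!
! 7. Decrypted tunnel traffic bypasses the "inbound" ACL on outside while this (the 7.0 default)
!    is on. Turn it off and add explicit entries to "inbound" if the branch should be filtered.
sysopt connection permit-ipsec
!
! Verify after sending a ping from 172.16.0.x to 192.168.100.x:
!   show isakmp sa                          (state MM_ACTIVE / QM_IDLE for 203.0.113.10)
!   show ipsec sa peer 203.0.113.10         (encaps/decaps counters rising on both sides)
!   show running-config crypto map          (entry 10 listed before 65535)
!   debug crypto isakmp 127                 (if phase 1 never completes: key or policy mismatch)
```

Check the paste for dangling references before adding anything: besides nonat, `split-tunnel-network-list value 101` points at an ACL that is not in the posted config either, and the group policy will not split-tunnel until it exists. Two things in the posted config are unrelated to the tunnel but worth fixing in the same window: `access-list dmz1 extended permit ip any any` as the last line makes the specific DMZ permits above it meaningless (a compromised DMZ host can reach the whole inside network), and the RADIUS shared secret appears in the paste in the clear, so rotate it.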

Llarissa21 (author) commented:
Ok, I will try it. Thank you.