Solved

Cisco ASA 5520 Site to Site configuration

Posted on 2006-11-20
Last Modified: 2013-11-16
Hello. I am in the process of configuring our new Cisco ASA 5520 device and I have completed configuring the VPN with RADIUS configuration. But now I need to complete the site-to-site VPN configuration. With the RADIUS configuration already tied to the crypto map that is in place, I am a bit confused. Can someone help out with the configuration lines that I will need to add in order to have both RADIUS authentication as well as my site-to-site VPN?
Thanks much!

ASA Version 7.0(5)
!
hostname ASA
domain-name ASA
names
no dns-guard
!
interface GigabitEthernet0/0
 description outside interface - WAN
 shutdown
 nameif outside
 security-level 0
 ip address 66.xx.xx.xx 255.0.0.0
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.16.0.19 255.255.224.0
!
interface GigabitEthernet0/2
 description DMZ1
 nameif DMZ1
 ip address 10.120.10.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone cst -6
clock summer-time CDT recurring
dns domain-lookup INSIDE
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq smtp
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit udp any host 66.xxx.xxx.xx eq dnsix
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq domain
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq pop3
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq imap4
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 135
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 3389
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq 1755
access-list inbound extended permit udp any host 66.xxx.xxx.xx eq 1755
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq https
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq ssh
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
access-list inbound extended permit tcp any host 66.xxx.xxx.xx eq www
.224.0
access-list dmz1 extended permit tcp host 10.120.10.13 eq www 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.9 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.10 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.11 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.12 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.13 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.5 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.6 eq 3389 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.7 eq telnet 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.8 eq ftp 172.16.0.0 255.255.224.0
access-list dmz1 extended permit tcp host 10.120.10.8 eq ssh 172.16.0.0 255.255.224.0
24.0
access-list dmz1 extended permit ip any any
pager lines 24
mtu outside 1500
mtu INSIDE 1500
mtu DMZ1 1500
ip local pool vpnremote 192.168.30.1-192.168.30.100
no failover
icmp permit any outside
icmp permit any INSIDE
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (INSIDE) 0 access-list nonat
nat (INSIDE) 1 0.0.0.0 0.0.0.0
static (INSIDE,outside) 66.xxx.xxx.xx netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.6 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.56 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.57 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.31 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.15 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.44 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.20 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.11 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.46 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.61 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 9 172.16.0.62 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.63 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.47 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.75 netmask 255.255.255.255
static (INSIDE,outside) 66.xxx.xxx.xx 172.16.0.58 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.5 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.6 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.7 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.8 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.9 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.10 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.11 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.12 netmask 255.255.255.255
static (DMZ1,outside) 66.xxx.xxx.xx 10.120.10.13 netmask 255.255.255.255
static (INSIDE,DMZ1) 172.16.0.0 172.16.0.0 netmask 255.255.224.0
access-group inbound in interface outside
access-group dmz1 in interface DMZ1
route outside 0.0.0.0 0.0.0.0 66.xxx.xxx.xx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server vpn protocol radius
aaa-server vpn host 172.16.0.2
 key ksfklwe
group-policy VPNClients internal
group-policy VPNClients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 101
 default-domain value ficgroup.com
 split-dns value 172.16.0.2
 webvpn
group-policy vpn5520 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp nat-traversal  20
isakmp disconnect-notify
tunnel-group Remote type ipsec-ra
tunnel-group Remote general-attributes
 address-pool vpnremote
 authentication-server-group vpn
 default-group-policy VPNClients
tunnel-group Remote ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp


Question by:Llarissa21
4 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 17982816
I suggest just using the VPN Wizard in the ASDM interface. It will walk you through it step by step.
 

Author Comment

by:Llarissa21
ID: 17982883
Thank you lrmoore, but I would rather do it through the console command line. I DO not like the interface. I have a config from a site-to-site tunnel I set up a loooong time ago with a PIX 515, so I will just need to find it. I am pretty sure it is just a matter of a few additional lines, such as adding the isakmp peer, pre-shared key, etc. I know it will be a little different because the IOS version that I set it up on previously is different (PIX 515).

Thanks.

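Added example, not from the thread and not Cisco's own documentation: the "few additional lines" the comment above describes, written against the names already in the posted config (crypto map mymap, dynamic map dyn1, transform-set FirstSet, the nonat ACL referenced by "nat (INSIDE) 0", and the INSIDE network 172.16.0.0/19). The remote peer address 203.0.113.10, the remote LAN 192.168.50.0/24 and the pre-shared-key placeholder are assumptions for illustration only.

```cisco
! Added example (not from the thread). Assumed values: remote peer 203.0.113.10,
! remote LAN 192.168.50.0/24; local LAN 172.16.0.0/19 comes from the posted config.
!
! 1. Interesting traffic for the tunnel, and the same pair added to the nonat ACL
!    so it is not translated by "nat (INSIDE) 1 0.0.0.0 0.0.0.0" before encryption.
access-list L2L_TRAFFIC extended permit ip 172.16.0.0 255.255.224.0 192.168.50.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.224.0 192.168.50.0 255.255.255.0
!
! 2. The dynamic entry for the remote-access clients currently sits at sequence 1.
!    Cisco's guidance is that dynamic entries carry the highest sequence number so
!    they are evaluated last; move it so the static site-to-site entry can precede it.
no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65535 ipsec-isakmp dynamic dyn1
!
! 3. Static crypto map entry for the site-to-site peer, reusing transform-set FirstSet.
!    The existing "crypto map mymap interface outside" line already binds the map.
crypto map mymap 10 match address L2L_TRAFFIC
crypto map mymap 10 set peer 203.0.113.10
crypto map mymap 10 set transform-set FirstSet
!
! 4. With pre-shared-key authentication, the tunnel-group name is the peer's IP.
!    The existing "isakmp policy 1" (3des/md5/group 2) is shared with the RA clients;
!    the peer must offer a matching proposal.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! 5. Verification after the first packet matching L2L_TRAFFIC:
!    show crypto isakmp sa
!    show crypto ipsec sa peer 203.0.113.10
```

The RA tunnel-group "Remote" and its RADIUS server group are untouched, so both tunnel types coexist on the same crypto map. Two caveats a reviewer would raise on this design: FirstSet (esp-3des esp-md5-hmac) is the weakest combination 7.0 supports, and a separate transform-set with esp-aes and esp-sha-hmac can be used for the site-to-site entry without affecting the clients; and the RADIUS shared secret pasted in clear text in the question above should be treated as disclosed and rotated.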
 
LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
ID: 17982924
ASA with 7.x and PIX with 6.x are VERY different in the way you set up site-site vpns. I HIGHLY recommend just using the wizard to set up the site-site.
I've had years of experience with command line PIX and ASA and even I have a difficult time getting everything just right with command line only. I've learned to save my time, use the wizard, then tweak it later.
I actually like the ASDM GUI, especially with 7.21/ASDM 5.2.
 

Author Comment

by:Llarissa21
ID: 17982929
Ok, I will try it. Thank you.
