• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1797
  • Last Modified:

Cisco ASA to Cisco 877 ADSL router Site to Site VPN......

Hi,
We have recently update our firewall to a Cisco ASA 55xx series, previously we had  a Watchguard. I am trying to migrate some site to site VPNs to the new firewall and update the remote sites routers.  Hence I need to setup a site to site vpn using Cisco ASA 5510 (ISP leased line with staitic IP) at our HQ site to a Cisco 877 Router (with ADSL and static IP) at the remote sites.

Can somone provide a suitable example config or point me in the right direction, both ends are static / fixed public IP.  These are site to site vpns in effect replicating fully routed WAN sites supporting IP dependant printing for remote devices.  There is no need for DHCP relay / or remote site provision - remote devices will have fixed IPs.

Any info gratefully received!

Many Thanks!

0
spinnaker01
Asked:
spinnaker01
  • 3
  • 2
1 Solution
 
cosmicfoxCommented:
If you use the ASDM which is the Java GUI for the ASA there is a site to site vpn wizzard that will walk you thought the vpn setup on the ASA. I think it will even make the config for the router at the end. Hope this helps if not let me know what else i can do for you.
0
 
spinnaker01Author Commented:
Hi Cosmicfox,

H'mm I would rather use the command line as some of the VPN's were migrated as part of the firewall upgrade, therefore the firewall end of these VPN's already exists, hence I am not keen on using the wizard for these - hope that makes sense.

Thanks

Spinnaker01
0
 
cosmicfoxCommented:
That makes sense, i also prefer the CLI. attached are a couple of guides.  Also here is a quick cli of what you will need for a static ipsec rule

access-list CRYPTO_DYNAMIC_CISCOVPN extended permit ip any x.x.x.x 255.255.255.0



access-list CRYPTO_MATCH extended permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0



crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 match address CRYPTO_DYNAMIC_CISCOVPN
crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 set transform-set ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-MD5


crypto map CRYPTO_OUTSIDE_MAP 10 match address CRYPTO_MATCH
crypto map CRYPTO_OUTSIDE_MAP 10 set peer x.x.x.x
crypto map CRYPTO_OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map CRYPTO_OUTSIDE_MAP 65535 ipsec-isakmp dynamic CRYPTO_OUTSIDE_DYN_MAP

crypto map CRYPTO_OUTSIDE_MAP interface OUTSIDE



tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy test
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key password

ipsec-router-to-pix.pdf
ipsec-rtr-2-pix-asa.pdf
0
 
spinnaker01Author Commented:
Hi Cosmicfox,

Humble appologies for not getting back to you, I have been out on site and just overtaken by events. I will go through your suggestions and pdfs and get back to you.  Thanks for this info looks good, I'll post a further comment, but probably not unitl next week now.

Thanks and regards............

Spinnaker01.
0
 
spinnaker01Author Commented:
Hi Cosmicfox,

Thanks for the info, will re-log if required, in the process of testing at present.
Thanks again sorry for the delayed responses.

Spinnaker01
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now