Solved

Cisco ASA to Cisco 877 ADSL router Site to Site VPN......

Posted on 2009-04-06
Last Modified: 2012-05-06
Hi,
We have recently updated our firewall to a Cisco ASA 55xx series; previously we had a Watchguard. I am trying to migrate some site-to-site VPNs to the new firewall and update the remote sites' routers. Hence I need to set up a site-to-site VPN using a Cisco ASA 5510 (ISP leased line with static IP) at our HQ site to a Cisco 877 router (with ADSL and static IP) at the remote sites.

Can someone provide a suitable example config or point me in the right direction? Both ends are static / fixed public IP. These are site-to-site VPNs, in effect replicating fully routed WAN sites supporting IP-dependent printing for remote devices. There is no need for DHCP relay or remote site provision - remote devices will have fixed IPs.

Any info gratefully received!

Many Thanks!

Question by:spinnaker01
5 Comments
 
LVL 6

Expert Comment

by:cosmicfox
ID: 24083142
If you use the ASDM, which is the Java GUI for the ASA, there is a site-to-site VPN wizard that will walk you through the VPN setup on the ASA. I think it will even make the config for the router at the end. Hope this helps; if not, let me know what else I can do for you.
0
 

Author Comment

by:spinnaker01
ID: 24095820
Hi Cosmicfox,

Hmm, I would rather use the command line, as some of the VPNs were migrated as part of the firewall upgrade; therefore the firewall end of these VPNs already exists, hence I am not keen on using the wizard for these - hope that makes sense.

Thanks

Spinnaker01
0
 
LVL 6

Accepted Solution

by:
cosmicfox earned 1500 total points
ID: 24099330
That makes sense, I also prefer the CLI. Attached are a couple of guides. Also, here is a quick CLI of what you will need for a static IPsec rule:

! Traffic selectors (ASA ACLs use subnet masks)
access-list CRYPTO_DYNAMIC_CISCOVPN extended permit ip any x.x.x.x 255.255.255.0
access-list CRYPTO_MATCH extended permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0

! Dynamic map: catch-all entry for peers without a fixed address
crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 match address CRYPTO_DYNAMIC_CISCOVPN
crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 set transform-set ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-MD5

! Static entry 10: the site-to-site tunnel to the fixed-IP peer
crypto map CRYPTO_OUTSIDE_MAP 10 match address CRYPTO_MATCH
crypto map CRYPTO_OUTSIDE_MAP 10 set peer x.x.x.x
crypto map CRYPTO_OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map CRYPTO_OUTSIDE_MAP 65535 ipsec-isakmp dynamic CRYPTO_OUTSIDE_DYN_MAP

! Bind the crypto map to the outside interface
crypto map CRYPTO_OUTSIDE_MAP interface OUTSIDE

! Tunnel group named after the peer's public IP; holds the pre-shared key
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy test
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key password


ipsec-router-to-pix.pdf
ipsec-rtr-2-pix-asa.pdf
0
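
The answer above covers only the ASA end. As an added example (not part of the original thread or the attached guides), this is a Cisco 877 IOS configuration that mirrors the ASA's static entry `crypto map CRYPTO_OUTSIDE_MAP 10`. All addresses, the names VPN_TO_HQ and NAT_INTERNET, the Dialer0 interface, the phase 1 policy and the definition of ESP-3DES-MD5 are assumptions, since the thread does not show them.

```cisco
! Cisco 877 (IOS) end of the tunnel. Added example; constructed values:
!   203.0.113.1      ASA outside address (HQ peer)
!   10.10.0.0/16     HQ LAN behind the ASA
!   192.168.50.0/24  remote-site LAN behind the 877
!
! Phase 1: assumed values; they must equal an ISAKMP policy on the ASA,
! which the answer does not show.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Same secret as "pre-shared-key" in the ASA tunnel-group for this router.
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 203.0.113.1
!
! Phase 2: the set name is local to each device; the algorithms must match
! what ESP-3DES-MD5 is defined as on the ASA (assumed esp-3des esp-md5-hmac).
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! Mirror image of the ASA's CRYPTO_MATCH: source and destination swapped,
! and IOS ACLs take wildcard masks, not subnet masks.
ip access-list extended CRYPTO_MATCH
 permit ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
!
crypto map VPN_TO_HQ 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-MD5
 match address CRYPTO_MATCH
!
! Assumption: the ADSL line terminates on Dialer0, which holds the static IP.
interface Dialer0
 crypto map VPN_TO_HQ
!
! Assumption: the router also does PAT for Internet access. Tunnel traffic
! must be denied first so it is not translated before encryption.
ip access-list extended NAT_INTERNET
 deny   ip 192.168.50.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip 192.168.50.0 0.0.0.255 any
ip nat inside source list NAT_INTERNET interface Dialer0 overload
!
! Verify from either end after sending traffic between the two LANs:
!   show crypto isakmp sa
!   show crypto ipsec sa
```

3DES and MD5 are legacy algorithms; the answer's dynamic map already lists ESP-AES-128-SHA, and using an AES/SHA transform set on entry 10 and on the router is the stronger choice as long as both ends are changed together.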
 

Author Comment

by:spinnaker01
ID: 24210447
Hi Cosmicfox,

Humble apologies for not getting back to you, I have been out on site and just overtaken by events. I will go through your suggestions and PDFs and get back to you. Thanks for this info, looks good. I'll post a further comment, but probably not until next week now.

Thanks and regards............

Spinnaker01.
0
 

Author Closing Comment

by:spinnaker01
ID: 31567208
Hi Cosmicfox,

Thanks for the info, will re-log if required, in the process of testing at present.
Thanks again sorry for the delayed responses.

Spinnaker01
0
