Solved

Cisco ASA to Cisco 877 ADSL router Site to Site VPN......

Posted on 2009-04-06
1,787 Views
Last Modified: 2012-05-06
Hi,
We have recently updated our firewall to a Cisco ASA 55xx series; previously we had a Watchguard. I am trying to migrate some site to site VPNs to the new firewall and update the remote sites' routers. Hence I need to set up a site to site VPN using a Cisco ASA 5510 (ISP leased line with static IP) at our HQ site to a Cisco 877 router (with ADSL and static IP) at the remote sites.

Can someone provide a suitable example config or point me in the right direction? Both ends are static / fixed public IP. These are site to site VPNs, in effect replicating fully routed WAN sites supporting IP-dependent printing for remote devices. There is no need for DHCP relay or remote site provision - remote devices will have fixed IPs.

Any info gratefully received!

Many Thanks!

0
Comment
Question by:spinnaker01
5 Comments
 
LVL 6

Expert Comment

by:cosmicfox
ID: 24083142
If you use the ASDM, which is the Java GUI for the ASA, there is a site to site VPN wizard that will walk you through the VPN setup on the ASA. I think it will even make the config for the router at the end. Hope this helps; if not, let me know what else I can do for you.
0
 

Author Comment

by:spinnaker01
ID: 24095820
Hi Cosmicfox,

Hmm, I would rather use the command line, as some of the VPNs were migrated as part of the firewall upgrade and therefore the firewall end of these VPNs already exists. Hence I am not keen on using the wizard for these - hope that makes sense.

Thanks

Spinnaker01
0
 
LVL 6

Accepted Solution

by:
cosmicfox earned 500 total points
ID: 24099330
That makes sense, I also prefer the CLI. Attached are a couple of guides. Also, here is a quick CLI of what you will need for a static IPsec rule:

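! ACL matched by the dynamic map entry (peers whose address is not known in advance)
access-list CRYPTO_DYNAMIC_CISCOVPN extended permit ip any x.x.x.x 255.255.255.0

! Interesting traffic for the static tunnel: local /16 network to remote /24 network
access-list CRYPTO_MATCH extended permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0

! Dynamic map entry; the transform sets named here must be defined elsewhere
! in the configuration with "crypto ipsec transform-set"
crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 match address CRYPTO_DYNAMIC_CISCOVPN
crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 set transform-set ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-MD5

! Static entry (sequence 10) for the fixed-IP peer; the dynamic map is attached last (65535)
crypto map CRYPTO_OUTSIDE_MAP 10 match address CRYPTO_MATCH
crypto map CRYPTO_OUTSIDE_MAP 10 set peer x.x.x.x
crypto map CRYPTO_OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map CRYPTO_OUTSIDE_MAP 65535 ipsec-isakmp dynamic CRYPTO_OUTSIDE_DYN_MAP

! Apply the crypto map to the outside interface
crypto map CRYPTO_OUTSIDE_MAP interface OUTSIDE

! Tunnel group named after the peer's public IP; the group policy "test" must already exist
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy test
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key password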

ipsec-router-to-pix.pdf
ipsec-rtr-2-pix-asa.pdf
0
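The accepted answer covers only the ASA end of the tunnel. As an added example (not part of the original thread and not taken from the attached PDFs), a matching crypto map configuration for the Cisco 877 end could look like the following. The addresses, the names VPN-MAP, VPN-TO-HQ and NAT-OVERLOAD, the Dialer0 WAN interface, the existing NAT overload and the AES/SHA proposal are all assumptions; the ASA must carry the same Phase 1 policy, the same transform set algorithms and the same pre-shared key.

```cisco
! Cisco 877 (IOS) end of the site to site tunnel.
! Constructed sample values, replace with your own:
!   HQ ASA outside address : 192.0.2.1
!   HQ LAN                 : 10.1.0.0/16
!   Remote site LAN        : 10.2.1.0/24
!
! Phase 1 (ISAKMP) proposal. The ASA needs a policy with identical values.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Pre-shared key for the HQ peer. Must equal the pre-shared-key under the
! ASA tunnel-group for this router's public IP. Use a long random value.
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
!
! Phase 2 transform set. Algorithms must match the transform set that the
! ASA static crypto map entry references for this peer.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
! Interesting traffic: the exact mirror image of CRYPTO_MATCH on the ASA
! (source and destination swapped, wildcard masks instead of netmasks).
ip access-list extended VPN-TO-HQ
 permit ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-AES-128-SHA
 match address VPN-TO-HQ
!
! Assumes the router already NATs the LAN out of the ADSL interface.
! Tunnel traffic must be denied from NAT first, otherwise it is translated
! before encryption and no longer matches VPN-TO-HQ.
ip access-list extended NAT-OVERLOAD
 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.2.1.0 0.0.0.255 any
ip nat inside source list NAT-OVERLOAD interface Dialer0 overload
!
! Apply the crypto map to the ADSL-facing interface (Dialer0 is assumed).
interface Dialer0
 crypto map VPN-MAP
```

After sending traffic between the two LANs, `show crypto isakmp sa` and `show crypto ipsec sa` on either device show whether Phase 1 and Phase 2 have come up and whether the encrypt and decrypt counters are increasing.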
 

Author Comment

by:spinnaker01
ID: 24210447
Hi Cosmicfox,

Humble apologies for not getting back to you, I have been out on site and just overtaken by events. I will go through your suggestions and PDFs and get back to you. Thanks for this info, looks good. I'll post a further comment, but probably not until next week now.

Thanks and regards............

Spinnaker01.
0
 

Author Closing Comment

by:spinnaker01
ID: 31567208
Hi Cosmicfox,

Thanks for the info, will re-log if required, in the process of testing at present.
Thanks again sorry for the delayed responses.

Spinnaker01
0
