Solved

Cisco ASA to Cisco 877 ADSL router Site to Site VPN......

Posted on 2009-04-06
5
1,781 Views
Last Modified: 2012-05-06
Hi,
We have recently update our firewall to a Cisco ASA 55xx series, previously we had  a Watchguard. I am trying to migrate some site to site VPNs to the new firewall and update the remote sites routers.  Hence I need to setup a site to site vpn using Cisco ASA 5510 (ISP leased line with staitic IP) at our HQ site to a Cisco 877 Router (with ADSL and static IP) at the remote sites.

Can somone provide a suitable example config or point me in the right direction, both ends are static / fixed public IP.  These are site to site vpns in effect replicating fully routed WAN sites supporting IP dependant printing for remote devices.  There is no need for DHCP relay / or remote site provision - remote devices will have fixed IPs.

Any info gratefully received!

Many Thanks!

0
Comment
Question by:spinnaker01
  • 3
  • 2
5 Comments
 
LVL 6

Expert Comment

by:cosmicfox
Comment Utility
If you use the ASDM which is the Java GUI for the ASA there is a site to site vpn wizzard that will walk you thought the vpn setup on the ASA. I think it will even make the config for the router at the end. Hope this helps if not let me know what else i can do for you.
0
 

Author Comment

by:spinnaker01
Comment Utility
Hi Cosmicfox,

H'mm I would rather use the command line as some of the VPN's were migrated as part of the firewall upgrade, therefore the firewall end of these VPN's already exists, hence I am not keen on using the wizard for these - hope that makes sense.

Thanks

Spinnaker01
0
 
LVL 6

Accepted Solution

by:
cosmicfox earned 500 total points
Comment Utility
That makes sense, i also prefer the CLI. attached are a couple of guides.  Also here is a quick cli of what you will need for a static ipsec rule

access-list CRYPTO_DYNAMIC_CISCOVPN extended permit ip any x.x.x.x 255.255.255.0



access-list CRYPTO_MATCH extended permit ip x.x.x.x 255.255.0.0 x.x.x.x 255.255.255.0



crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 match address CRYPTO_DYNAMIC_CISCOVPN
crypto dynamic-map CRYPTO_OUTSIDE_DYN_MAP 1 set transform-set ESP-AES-128-MD5 ESP-AES-128-SHA ESP-3DES-MD5


crypto map CRYPTO_OUTSIDE_MAP 10 match address CRYPTO_MATCH
crypto map CRYPTO_OUTSIDE_MAP 10 set peer x.x.x.x
crypto map CRYPTO_OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map CRYPTO_OUTSIDE_MAP 65535 ipsec-isakmp dynamic CRYPTO_OUTSIDE_DYN_MAP

crypto map CRYPTO_OUTSIDE_MAP interface OUTSIDE



tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy test
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key password

ipsec-router-to-pix.pdf
ipsec-rtr-2-pix-asa.pdf
0
 

Author Comment

by:spinnaker01
Comment Utility
Hi Cosmicfox,

Humble appologies for not getting back to you, I have been out on site and just overtaken by events. I will go through your suggestions and pdfs and get back to you.  Thanks for this info looks good, I'll post a further comment, but probably not unitl next week now.

Thanks and regards............

Spinnaker01.
0
 

Author Closing Comment

by:spinnaker01
Comment Utility
Hi Cosmicfox,

Thanks for the info, will re-log if required, in the process of testing at present.
Thanks again sorry for the delayed responses.

Spinnaker01
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now