site-to-site VPN Cisco 5505 ASA

akgofast
What is the fastest way to set up a site-to-site VPN with two Cisco 5505 ASAs? I have static addresses on both ends.
Commented:
Hi! There are 2 ways: LAN-to-LAN VPN, and hub-and-spoke in NEM mode. If you need an L2L VPN I can suggest the following solution. First you need to create ISAKMP policies for the 1st phase, for example:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 15
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 1440
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp policy 65535
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

Then you need to create a policy for the 2nd phase:
crypto ipsec transform-set DES-SHA-HMAC esp-des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec transform-set DES-SHA-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-SHA-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

Then you can create the tunnel-group config part (this includes the peer, the tunnel mode and the key):

tunnel-group 2nd side ip type ipsec-l2l
tunnel-group 2nd side ip ipsec-attributes
 pre-shared-key *****

Also, you need to create a NAT0 translation for the VPN:

access-list NAT0 extended permit ip yore subnet 2nd side ip
access-list NAT0 extended permit ip yore subnet 2nd side ip

nat (inside) 0 access-list NAT0

And one more access list for matching the traffic that we want to encrypt:

access-list VPN extended permit ip yore subnet 2nd side ip

And the last part is creating the crypto map. There you set up all these parameters:

crypto map outside 10 match address VPN
crypto map outside 10 set pfs
crypto map outside 10 set peer 2nd side
crypto map outside 10 set transform-set 3DES-SHA-HMAC
crypto map outside 10 set security-association lifetime seconds 3600
crypto map outside 10 set security-association lifetime kilobytes 4608000

crypto map outside interface outside (this applies it on your interface)

That's all you need to do.
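A small audit script for the configuration outline above, added here as an example and not part of the answer: it parses the ASA snippets (ISAKMP policies, NAT0 and crypto ACLs, tunnel-groups, crypto map peers) and reports weak phase-1 settings, peers with no tunnel-group bound, and crypto-ACL pairs that are missing from the NAT0 exemption. The SAMPLE config and its RFC 5737 addresses are constructed to stand in for the "yore subnet" / "2nd side ip" placeholders.

```python
import re

# Constructed sample (not from the page): the answer's outline with RFC 5737
# addresses filled in for its "yore subnet" / "2nd side ip" placeholders.
SAMPLE = """\
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
access-list NAT0 extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list NAT0
access-list VPN extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list VPN extended permit ip 192.0.2.0 255.255.255.0 198.51.101.0 255.255.255.0
tunnel-group 203.0.113.2 type ipsec-l2l
crypto map outside 10 match address VPN
crypto map outside 10 set peer 203.0.113.2
crypto map outside 20 set peer 203.0.113.9
"""
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def audit_asa_l2l(text):
    """Return sorted findings: weak phase-1 settings, peers without a tunnel-group
    (so no pre-shared key is bound), and crypto-ACL pairs missing from the NAT0 ACL."""
    findings, policy, acl, nat0, tgs, peers, crypto_acls = [], None, {}, None, set(), set(), set()
    for line in text.splitlines():
        if line.startswith(" ") and policy:  # attribute line of the open ISAKMP policy
            attr, _, val = line.strip().partition(" ")
            if val in WEAK.get(attr, ()):
                findings.append(f"isakmp policy {policy}: weak {attr} {val}")
            continue
        policy = None
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = m.group(1)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", line):
            acl.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            nat0 = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            tgs.add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            peers.add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acls.add(m.group(1))
    findings += [f"peer {p}: no tunnel-group ipsec-l2l (no pre-shared key bound)" for p in peers - tgs]
    for name in crypto_acls:
        for src, dst in acl.get(name, set()) - acl.get(nat0, set()):
            findings.append(f"crypto ACL {name}: {src} -> {dst} not NAT-exempt via {nat0}")
    return sorted(findings)
```

Run `audit_asa_l2l(SAMPLE)` to see the five findings for the constructed config; feed it `show running-config` output (pre-8.3 `nat (inside) 0` syntax, as in the answer) for a real check.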
Nico Eisma, Senior Network Engineer

Commented:
There's a great site from Pete regarding configuring site-to-site VPN either via CLI or via ASDM, complete with screenshots and explanations. Links are below:

ASDM
http://www.petenetlive.com/KB/Article/0000072.htm

CLI
http://www.petenetlive.com/KB/Article/0000050.htm
If you have static IPs on both ends, then you can use the VPN Wizard in Cisco ASDM to configure the VPN.
