Solved

Site to Site VPN Cisco ASA 8.3 dynamic to static

Posted on 2010-11-28
3,934 Views
Last Modified: 2012-05-10
Can someone please assist me with my ASA configurations for a VPN connection between a central office and a remote office. The central office has a static IP and is using an ASA 5510, and the remote site is using a 5505 with a dynamically assigned IP. Attached are the configs for both.

Any help is greatly appreciated!

ASA 5510 (Central Office)
ASA Version 8.3(2) 
!
hostname MGMTCOasa
domain-name mgmtco.local
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.a.a.a 255.255.255.224 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.17.1.11
 domain-name mgmtco.local
object network internal_lan 
 subnet 172.17.1.0 255.255.255.0
object network obj-local 
 subnet 172.17.1.0 255.255.255.0
object network obj-remote 
 subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal_lan
 nat (inside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 38.c.c.c 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
 
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****


REMOTE SITE (5505):
ASA Version 8.3(2) 
!
terminal width 132
hostname Mag-ASA
domain-name mag.local

names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
 
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.11
 domain-name mag.local
object network internal_lan 
 subnet 172.16.1.0 255.255.255.0
object network obj-local 
 subnet 172.16.1.0 255.255.255.0
object network obj-remote 
 subnet 172.17.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a 
crypto map ASA2VPN 10 set transform-set myset
crypto map ASA2VPN 10 set security-association lifetime seconds 86400
crypto map ASA2VPN interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
!


Question by:Undisputed
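The following is an added example, not code from the thread or from Cisco: a small Python checker that reads the statements an ASA 8.3 dynamic-to-static L2L tunnel depends on (network objects, the 8.3 twice-NAT exemption, the crypto ACL, transform sets, crypto and dynamic maps, tunnel-groups) from both sides and reports the mismatches that most often leave such a tunnel down. HUB and SPOKE are constructed extracts of the two configs posted above; object, ACL, map and transform-set names and the masked address 38.a.a.a are taken from the post, while parse_asa and check_pair are names chosen here. One point it encodes that the posted hub config relies on: the dynamic crypto map carries no match address, so the hub accepts whatever proxy IDs the spoke proposes, and the hub's NAT exemption is the only statement on that side that has to mirror the spoke's crypto ACL.

```python
"""Cross-check a static-hub / DHCP-spoke ASA 8.3 IPsec L2L pair for mismatches.
Added example, not code from the thread. HUB and SPOKE are constructed extracts
of the two posted configs; the hub address keeps the poster's masked 38.a.a.a."""
from collections import defaultdict

HUB = """\
object network obj-local
 subnet 172.17.1.0 255.255.255.0
object network obj-remote
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
"""
SPOKE = """\
object network obj-local
 subnet 172.16.1.0 255.255.255.0
object network obj-remote
 subnet 172.17.1.0 255.255.255.0
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a
crypto map ASA2VPN 10 set transform-set myset
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
"""

def parse_asa(text):
    """Pull out just the ASA 8.3 statements an IPsec L2L tunnel depends on."""
    c = {"tset": {}, "obj": {}, "acl": defaultdict(list), "nat_exempt": [],
         "cmap": defaultdict(dict), "dmap": defaultdict(dict), "tg": defaultdict(dict)}
    ctx = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if line[0] == " ":                          # sub-mode line of the last top-level command
            if ctx and ctx[0] == "object" and t[0] == "subnet":
                c["obj"][ctx[1]] = (t[1], t[2])
            elif ctx and ctx[0] == "tg" and t[0] == "pre-shared-key":
                c["tg"][ctx[1]]["psk"] = True
            continue
        ctx = None
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tset"][t[3]] = tuple(t[4:])
        elif t[:2] == ["object", "network"]:
            ctx = ("object", t[2])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            c["acl"][t[1]].append(tuple(t[5:9]))    # (src, smask, dst, dmask); subnet/mask form only
        elif t[0] == "nat" and t[2:4] == ["source", "static"] and t[6:8] == ["destination", "static"]:
            c["nat_exempt"].append((t[4], t[9]))     # real local object, real remote object
        elif t[0] == "crypto" and t[1] in ("map", "dynamic-map") and t[3] != "interface":
            e = c["cmap" if t[1] == "map" else "dmap"][t[2]].setdefault(t[3], {})
            if t[4] in ("set", "match"):
                e[t[5]] = t[-1]                      # peer / transform-set / address ...
            elif t[4:6] == ["ipsec-isakmp", "dynamic"]:
                e["dynamic"] = t[6]
        elif t[0] == "tunnel-group":
            ctx = ("tg", t[1])
            if t[2] == "type":
                c["tg"][t[1]]["type"] = t[3]
    return c

def check_pair(hub, spoke):
    """Return mismatches between the two sides; an empty list means they agree."""
    f = []
    e = next((e for m in spoke["cmap"].values() for e in m.values() if "peer" in e), None)
    if e is None:
        return ["spoke: no static crypto map entry with 'set peer'"]
    tg = spoke["tg"].get(e["peer"], {})
    if tg.get("type") != "ipsec-l2l" or not tg.get("psk"):
        f.append(f"spoke: tunnel-group {e['peer']} must be type ipsec-l2l with a pre-shared-key")
    # The hub cannot name a DHCP spoke in a tunnel-group, so it must accept it via a
    # dynamic crypto map and key it from DefaultL2LGroup.
    dyn = [d["dynamic"] for m in hub["cmap"].values() for d in m.values() if "dynamic" in d]
    if not dyn:
        return f + ["hub: no dynamic crypto map entry"]
    if not hub["tg"].get("DefaultL2LGroup", {}).get("psk"):
        f.append("hub: DefaultL2LGroup has no pre-shared-key")
    hts = [d["transform-set"] for d in hub["dmap"][dyn[0]].values() if "transform-set" in d]
    ht, st = hub["tset"].get(hts[0] if hts else None), spoke["tset"].get(e.get("transform-set"))
    if ht != st:
        f.append(f"transform-set mismatch: hub {ht} vs spoke {st}")
    # Interesting traffic: the spoke's crypto ACL must equal its 8.3 twice-NAT exemption and
    # the hub's exemption must be the exact mirror, or packets are PATed to the outside
    # address before IPsec sees them and never match the tunnel's proxy IDs.
    exempt = lambda c: {c["obj"][l] + c["obj"][r] for l, r in c["nat_exempt"]}
    acl = set(spoke["acl"].get(e.get("address"), []))
    if acl != exempt(spoke):
        f.append("spoke: crypto ACL and NAT exemption cover different networks")
    if {(d, dm, s, sm) for s, sm, d, dm in acl} != exempt(hub):
        f.append("hub: NAT exemption is not the mirror image of the spoke's crypto ACL")
    return f
```

parse_asa ignores every statement it does not recognise, so the two complete running-configs pasted above can be fed in as they are; check_pair returning an empty list means the objects, NAT exemption, crypto ACL, transform sets and tunnel-group keying line up, and anything it does return is worth fixing before reaching for debug crypto isakmp. It deliberately does not compare ISAKMP policies, which must also have one identical entry on each side, nor SA lifetimes, where a difference is negotiated down rather than fatal.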
9 Comments
 
LVL 79

Accepted Solution

by:lrmoore (earned 334 total points)
ID: 34225493
Use EZVPN. Set up the 5510 as server and the 5505 as client.
EZVPN server (only difference is the NAT 0 statement)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Client config:
You will have to remove this statement
  >nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/remcli.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1019263
 
LVL 57

Assisted Solution

by:Pete Long (earned 166 total points)
ID: 34225867
Vote #2: Easy VPN is simple to set up: http://www.petenetlive.com/KB/Article/0000337.htm
 
LVL 79

Expert Comment

by:lrmoore
ID: 34226080
Nice one, Pete!
 
LVL 57

Expert Comment

by:Pete Long
ID: 34226256
:) Cheers m8y
 
LVL 3

Author Comment

by:Undisputed
ID: 34226483
I'm aware that EasyVPN is a solution, but isn't there a solution using the way I started above?

Are there pros and cons to using one method over the other?
 
LVL 79

Assisted Solution

by:lrmoore (earned 334 total points)
ID: 34226531
You need a specified peer. We *used* to be able to specify 0.0.0.0 as the peer in the old PIX days, but not so with the ASA.

You can try this configuration, but ASA 8.3 changed a lot of things and you might not get the same results. Obviously the NAT configuration is totally different.
http://ashcisasa.blogspot.com/
 
LVL 3

Author Comment

by:Undisputed
ID: 34226619
Will give it a try. Thank you.
 
LVL 33

Expert Comment

by:digitap
ID: 34424560
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.