Solved

Site to Site VPN Cisco ASA 8.3 dynamic to static

Posted on 2010-11-28
Last Modified: 2012-05-10
Can someone please assist me in my ASA configurations for a VPN connection between a central office and a remote office. The central office has a static IP and is using an ASA 5510 and the remote site is using a 5505 with a dynamically assigned IP. Attached are the configs for both.

Any help is greatly appreciated!

ASA 5510 (Central Office)

ASA Version 8.3(2)
!
hostname MGMTCOasa
domain-name mgmtco.local
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.a.a.a 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.17.1.11
 domain-name mgmtco.local
object network internal_lan
 subnet 172.17.1.0 255.255.255.0
object network obj-local
 subnet 172.17.1.0 255.255.255.0
object network obj-remote
 subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 38.c.c.c 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****

REMOTE SITE (5505):

ASA Version 8.3(2)
!
terminal width 132
hostname Mag-ASA
domain-name mag.local
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.11
 domain-name mag.local
object network internal_lan
 subnet 172.16.1.0 255.255.255.0
object network obj-local
 subnet 172.16.1.0 255.255.255.0
object network obj-remote
 subnet 172.17.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a
crypto map ASA2VPN 10 set transform-set myset
crypto map ASA2VPN 10 set security-association lifetime seconds 86400
crypto map ASA2VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
!
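As an added example (mine, not the asker's configs or anything from the answers), a Python check that reads excerpts of the two configs above and reports the mismatches that most often keep a dynamic-to-static ASA tunnel down: crypto ACLs that are not mirror images, no shared transform set, unequal ISAKMP policies, and a hub side that lacks a dynamic crypto map while the spoke points at a fixed peer. The excerpts are constructed from the pasted configs; the function names are mine.

```python
import re
# Constructed excerpts of the two configs in the question (only the lines the checks read).
CENTRAL = """\
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
"""
REMOTE = """\
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map ASA2VPN 10 set peer 38.a.a.a
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
"""
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$", re.M)
POLICY_KEYS = ("authentication", "encryption", "hash", "group")

def crypto_acl(cfg, name):
    # (src, mask, dst, mask) entries of the named crypto ACL, in configured order
    return [m.groups()[1:] for m in ACL_RE.finditer(cfg) if m.group(1) == name]

def transform_sets(cfg):
    return {m.group(1): tuple(m.group(2).split()) for m in TS_RE.finditer(cfg)}

def isakmp_policy(cfg):
    """Phase-1 parameters: the indented lines right after 'crypto isakmp policy'."""
    block = re.search(r"^crypto isakmp policy \d+\n((?: .*\n)+)", cfg, re.M).group(1)
    params = dict(line.split(None, 1) for line in block.splitlines())
    return {k: params[k] for k in POLICY_KEYS if k in params}

def check_pair(central, remote, c_acl, r_acl):
    """Mismatches that stop the tunnel; an empty list means the two sides agree."""
    findings = []
    mirror = [(d, dm, s, sm) for s, sm, d, dm in crypto_acl(remote, r_acl)]
    if crypto_acl(central, c_acl) != mirror:
        findings.append("crypto ACLs are not mirror images")
    if set(transform_sets(central).values()).isdisjoint(transform_sets(remote).values()):
        findings.append("no common IPsec transform-set")
    if isakmp_policy(central) != isakmp_policy(remote):
        findings.append("ISAKMP policies differ")
    if "ipsec-isakmp dynamic" not in central and "set peer" in remote:
        findings.append("hub has no dynamic crypto map for the DHCP-addressed spoke")
    return findings
```

Run it against the two full configs (for example `check_pair(open("central.cfg").read(), open("remote.cfg").read(), "LAN1-to-LAN2", "LAN2-to-LAN1")`) before touching the boxes; an empty list means the phase-1 and phase-2 parameters line up and the hunt moves to NAT or the pre-shared key.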

Question by: Undisputed

9 Comments

Accepted Solution by lrmoore (LVL 79, earned 334 total points), ID: 34225493
Use EZVPN. Set up the 5510 as server and the 5505 as client.
EZVPN server (only difference is the NAT 0 statement)
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Client config:
You will have to remove this statement
  >nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/remcli.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1019263

Assisted Solution by Pete Long (LVL 57, earned 166 total points), ID: 34225867
Vote #2: Easy VPN is simple to set up: http://www.petenetlive.com/KB/Article/0000337.htm

Expert Comment by lrmoore (LVL 79), ID: 34226080
Nice one, Pete!

Expert Comment by Pete Long (LVL 57), ID: 34226256
:) Cheers m8y
Author Comment by Undisputed (LVL 3), ID: 34226483
I'm aware that Easy VPN is a solution, but isn't there a solution using the way I started above?

Are there pros and cons to using one method over the other?

Assisted Solution by lrmoore (LVL 79, earned 334 total points), ID: 34226531
You need a specified peer. We *used* to be able to specify 0.0.0.0 as the peer in the old PIX days, but not so with the ASA.

You can try this configuration, but ASA 8.3 changed a lot of things and you might not get the same results. Obviously the NAT configuration is totally different.
http://ashcisasa.blogspot.com/

Author Comment by Undisputed (LVL 3), ID: 34226619
Will give it a try. Thank you.

Expert Comment by digitap (LVL 33), ID: 34424560
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.