Solved

Site to Site VPN Cisco ASA 8.3 dynamic to static

Posted on 2010-11-28
Last Modified: 2012-05-10
Can someone please assist me in my ASA configurations for a VPN connection between a central office and a remote office. The central office has a static IP and is using an ASA 5510 and the remote site is using a 5505 with a dynamically assigned IP. Attached are the configs for both.

Any help is greatly appreciated!

ASA 5510 (Central Office)

ASA Version 8.3(2)
!
hostname MGMTCOasa
domain-name mgmtco.local
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.a.a.a 255.255.255.224
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.17.1.11
 domain-name mgmtco.local
object network internal_lan
 subnet 172.17.1.0 255.255.255.0
object network obj-local
 subnet 172.17.1.0 255.255.255.0
object network obj-remote
 subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 38.c.c.c 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****

REMOTE SITE (5505):

ASA Version 8.3(2)
!
terminal width 132
hostname Mag-ASA
domain-name mag.local
names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.11
 domain-name mag.local
object network internal_lan
 subnet 172.16.1.0 255.255.255.0
object network obj-local
 subnet 172.16.1.0 255.255.255.0
object network obj-remote
 subnet 172.17.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a
crypto map ASA2VPN 10 set transform-set myset
crypto map ASA2VPN 10 set security-association lifetime seconds 86400
crypto map ASA2VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
!


Question by:Undisputed
9 Comments
 
Accepted Solution by lrmoore (LVL 79, earned 334 total points), ID: 34225493
Use EZVPN. Set up the 5510 as server and the 5505 as client.
EZVPN server (the only difference is the NAT 0 statement):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Client config:
You will have to remove this statement:
  >nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/remcli.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1019263
 
Assisted Solution by Pete Long (LVL 57, earned 166 total points), ID: 34225867
Vote #2: Easy VPN is simple to set up: http://www.petenetlive.com/KB/Article/0000337.htm
 
Expert Comment by lrmoore (LVL 79), ID: 34226080
Nice one, Pete!
 
Expert Comment by Pete Long (LVL 57), ID: 34226256
:) Cheers m8y
 
Author Comment by Undisputed (LVL 3), ID: 34226483
I'm aware that Easy VPN is a solution, but isn't there a solution using the way I started above?

Are there pros and cons to using one method over the other?
 
Assisted Solution by lrmoore (LVL 79, earned 334 total points), ID: 34226531
You need a specified peer. We *used* to be able to specify 0.0.0.0 as the peer in the old PIX days, but not so with the ASA.

You can try this configuration, but ASA 8.3 changed a lot of things and you might not get the same results. Obviously the NAT configuration is totally different.
http://ashcisasa.blogspot.com/
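The two configs in the question and lrmoore's remark that 8.3 rewrote the NAT syntax both reduce to a short list of things that must agree between a static-IP hub and a DHCP spoke. As an added example (my own code, not from the question or from any of the answers), the Python script below turns that list into a checker. It parses trimmed copies of the two posted configs and verifies that the spoke's crypto ACL, read in reverse, matches the subnets the hub exempts from NAT (the hub's dynamic map carries no ACL of its own), that each side's 8.3 twice-NAT statement exempts the tunnel traffic from its dynamic PAT, that a transform set is shared, and, because the hub cannot name a DHCP peer, that the hub has a dynamic crypto map and a DefaultL2LGroup pre-shared key while the spoke's peer and tunnel-group are both the hub's outside address. It understands only the handful of ASA commands the posted configs use; ISAKMP policies and SA lifetimes are not compared, and every function and variable name is my own.

```python
"""Cross-check a hub (static IP) and spoke (DHCP) ASA 8.3 config for one LAN-to-LAN
IPsec tunnel.  Added example, not code from the original post: it parses only the
subset of ASA syntax the two posted configs use and reports asymmetries."""
import re
from collections import defaultdict

# Trimmed copies of the two posted configs (tunnel-relevant lines only).
HUB_CFG = """\
interface Ethernet0/0
 nameif outside
 ip address 38.a.a.a 255.255.255.224
object network obj-local
 subnet 172.17.1.0 255.255.255.0
object network obj-remote
 subnet 172.16.1.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
"""
SPOKE_CFG = """\
interface Vlan2
 nameif outside
 ip address dhcp setroute
object network obj-local
 subnet 172.16.1.0 255.255.255.0
object network obj-remote
 subnet 172.17.1.0 255.255.255.0
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
"""

BLOCKS = {"object network": "object", "interface": "iface", "tunnel-group": "tg"}

def parse_asa(text):
    """Extract the tunnel-relevant pieces of one ASA running-config."""
    s = {"objects": {}, "acls": defaultdict(list), "nat_exempt": [], "tsets": {},
         "peers": set(), "match_acls": set(), "dynamic_maps": set(),
         "psk_groups": set(), "outside_ip": None}
    kind = name = None                    # the indented block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" "):           # sub-command of the current block
            if kind == "object" and (m := re.match(r"subnet (\S+) (\S+)", line)):
                s["objects"][name] = (m[1], m[2])
            elif kind == "iface" and line == "nameif outside":
                kind = "outside"
            elif kind == "outside" and (m := re.match(r"ip address (\S+)", line)):
                s["outside_ip"] = m[1]    # an address, or the word 'dhcp'
            elif kind == "tg" and line.startswith("pre-shared-key"):
                s["psk_groups"].add(name)
            continue
        kind = name = None
        if m := re.match(r"(%s) (\S+)" % "|".join(BLOCKS), line):
            kind, name = BLOCKS[m[1]], m[2]
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            s["acls"][m[1]].append(((m[2], m[3]), (m[4], m[5])))
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            s["nat_exempt"].append((s["objects"][m[1]], s["objects"][m[2]]))  # 8.3 identity NAT
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            s["tsets"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|ipsec-isakmp dynamic) (\S+)", line):
            {"match address": s["match_acls"], "set peer": s["peers"],
             "ipsec-isakmp dynamic": s["dynamic_maps"]}[m[1]].add(m[2])
    return s

def tunnel_findings(hub, spoke):
    """Return (level, message) pairs; an 'error' means the tunnel cannot negotiate."""
    def proxies(side):   # identities negotiated: crypto-map ACL, else the NAT-exempt pairs
        acl = [e for a in side["match_acls"] for e in side["acls"][a]]
        return set(acl or side["nat_exempt"])
    out = []
    if {(r, l) for l, r in proxies(spoke)} != proxies(hub):
        out.append(("error", "hub and spoke crypto ACLs are not mirror images"))
    for label, side in (("hub", hub), ("spoke", spoke)):
        if not proxies(side) <= set(side["nat_exempt"]):
            out.append(("error", f"{label}: tunnel traffic is not exempt from NAT"))
    if not any(a == b for a in hub["tsets"].values() for b in spoke["tsets"].values()):
        out.append(("error", "no IPsec transform set in common"))
    if spoke["outside_ip"] == "dhcp":  # the case in the question: hub cannot name the peer
        if not (hub["dynamic_maps"] and "DefaultL2LGroup" in hub["psk_groups"]):
            out.append(("error", "hub needs a dynamic crypto map and a DefaultL2LGroup pre-shared key"))
        if not {hub["outside_ip"]} <= spoke["peers"] & spoke["psk_groups"]:
            out.append(("error", "spoke peer and tunnel-group must both be the hub outside address"))
    return out

def check_posted_configs():
    """Run the checks on the trimmed copies above; an empty list means no errors."""
    return tunnel_findings(parse_asa(HUB_CFG), parse_asa(SPOKE_CFG))
```

On the posted pair `check_posted_configs()` returns an empty list: none of the asymmetries the checker knows about are present, which is consistent with the hub relying on its dynamic map and DefaultL2LGroup rather than on a named peer. Editing the spoke's remote subnet, its transform set, or the destination object of its `nat ... source static` line makes the corresponding error appear, which is the quickest way to see which of the posted lines each rule depends on.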
 
Author Comment by Undisputed (LVL 3), ID: 34226619
Will give it a try. Thank you.
 
Expert Comment by digitap (LVL 33), ID: 34424560
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
