Solved

Site to Site VPN Cisco ASA 8.3 dynamic to static

Posted on 2010-11-28
Last Modified: 2012-05-10
Can someone please assist me in my ASA configurations for a VPN connection between a central office and a remote office.  The central office has a static IP and is using an ASA 5510 and the remote site is using a 5505 with a dynamically assigned IP.  Attached are the configs for both.

Any help is greatly appreciated!

ASA 5510 (Central Office)
ASA Version 8.3(2) 
!
hostname MGMTCOasa
domain-name mgmtco.local
enable password <removed>
passwd <removed>
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 38.a.a.a 255.255.255.224 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 172.17.1.1 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.17.1.11
 domain-name mgmtco.local
object network internal_lan 
 subnet 172.17.1.0 255.255.255.0
object network obj-local 
 subnet 172.17.1.0 255.255.255.0
object network obj-remote 
 subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN1-to-LAN2 extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.17.1.0 255.255.255.0 172.16.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
object network internal_lan
 nat (inside,outside) dynamic interface

access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 38.c.c.c 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
 
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****


REMOTE SITE (5505):
ASA Version 8.3(2) 
!
terminal width 132
hostname Mag-ASA
domain-name mag.local

names
dns-guard
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
 
interface Ethernet0/1
 speed 100
 duplex full
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 172.16.1.11
 domain-name mag.local
object network internal_lan 
 subnet 172.16.1.0 255.255.255.0
object network obj-local 
 subnet 172.16.1.0 255.255.255.0
object network obj-remote 
 subnet 172.17.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply 
access-list LAN2-to-LAN1 extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.16.1.0 255.255.255.0 172.17.1.0 255.255.255.0 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
arp timeout 14400
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
object network internal_lan
 nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ASA2VPN 10 match address LAN2-to-LAN1
crypto map ASA2VPN 10 set peer 38.a.a.a 
crypto map ASA2VPN 10 set transform-set myset
crypto map ASA2VPN 10 set security-association lifetime seconds 86400
crypto map ASA2VPN interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 38.a.a.a type ipsec-l2l
tunnel-group 38.a.a.a ipsec-attributes
 pre-shared-key *****
!

Question by:Undisputed
9 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 334 total points
ID: 34225493
Use EZVPN. Set up the 5510 as server and the 5505 as client.
EZVPN server (only difference is the NAT 0 statement):
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

Client config:
You will have to remove this statement
  >nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5505/quick/guide/remcli.html
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ezvpn505.html#wp1019263
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 166 total points
ID: 34225867
Vote #2: Easy VPN is simple to set up: http://www.petenetlive.com/KB/Article/0000337.htm
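The Easy VPN design that both lrmoore's accepted answer and Pete Long's comment recommend, written out here as an added example for ASA 8.3(2); it is not configuration from this thread or from the linked Cisco and PeteNetLive articles. The names EZVPN_GP, EZVPN_GRP and EZVPN_SPLIT, the local user mag-asa and the two placeholder secrets are assumptions; the addresses, object names, transform set, dynamic map and ISAKMP policy are the ones already in the question. The 5510 becomes the server and the 5505 a hardware client in network-extension mode, so 172.16.1.0/24 stays reachable by its real addresses:

```text
! ===== 5510, central office: Easy VPN server (ASA 8.3) =====
! Added example. EZVPN_GP / EZVPN_GRP / EZVPN_SPLIT, the user mag-asa and the
! two <...> secrets are assumed; everything else is taken from the question.
!
! Networks pushed to the hardware client as its split-tunnel list
access-list EZVPN_SPLIT standard permit 172.17.1.0 255.255.255.0
!
! NAT exemption for the remote LAN: the 8.3 form of the "nat 0" line in the
! pre-8.3 Cisco example. This line is already in the question's 5510 config.
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 vpn-tunnel-protocol IPSec
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN_SPLIT
!
! Per-site Xauth credential (assumed name). LOCAL is the default
! authentication server for a remote-access tunnel-group, so the group key
! alone does not admit a device.
username mag-asa password <xauth-password>
!
tunnel-group EZVPN_GRP type remote-access
tunnel-group EZVPN_GRP general-attributes
 default-group-policy EZVPN_GP
 authentication-server-group LOCAL
tunnel-group EZVPN_GRP ipsec-attributes
 pre-shared-key <group-psk>
!
! Dynamic map, ISAKMP policy and transform set are the question's own;
! reverse-route adds a route to 172.16.1.0/24 while the client is connected
crypto dynamic-map cisco 1 set transform-set myset
crypto dynamic-map cisco 1 set reverse-route
crypto map dyn-map 65535 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
! Only needed if the 5505's DHCP address sits behind another NAT device
crypto isakmp nat-traversal 20
!
! ===== 5505, remote site: Easy VPN hardware client, network-extension mode =====
! The static crypto map comes off the outside interface and, as the accepted
! answer says, so does the twice-NAT exemption. The
! "nat (inside,outside) dynamic interface" on object internal_lan stays for
! ordinary Internet traffic.
no crypto map ASA2VPN interface outside
no nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
!
vpnclient server 38.a.a.a
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup EZVPN_GRP password <group-psk>
vpnclient username mag-asa password <xauth-password>
vpnclient enable
```

The group pre-shared key deserves the same handling as a site-to-site key: every device that holds it can join EZVPN_GRP, which is why the example keeps the per-site Xauth user rather than disabling user authentication for the group. The old `crypto map ASA2VPN` entries and the `tunnel-group 38.a.a.a` on the 5505 are harmless once the map is no longer applied to the interface, but can be removed for tidiness. If a `packet-tracer` from the 5505's inside interface toward 172.17.1.0/24 still shows the source being translated to the outside address after the change, the exemption is still required on that side and should be put back.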
 
LVL 79

Expert Comment

by:lrmoore
ID: 34226080
Nice one, Pete!
LVL 57

Expert Comment

by:Pete Long
ID: 34226256
:) Cheers m8y
 
LVL 3

Author Comment

by:Undisputed
ID: 34226483
I'm aware that Easy VPN is a solution, but isn't there a solution using the way I started above?

Are there pros and cons to using one method over the other?
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 334 total points
ID: 34226531
You need a specified peer. We *used* to be able to specify 0.0.0.0 as the peer in the old PIX days, but not so with the ASA.

You can try this configuration, but ASA 8.3 changed a lot of things and you might not get the same results. Obviously the NAT configuration is totally different.
http://ashcisasa.blogspot.com/
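Two properties of the dynamic-to-static design in the question are worth knowing before choosing between it and Easy VPN. With a dynamic crypto map the 5510 has no peer address, so it can never initiate: the 5505 has to send interesting traffic first, and the central LAN cannot reach the remote LAN until it has. And because the 5505 identifies itself by address (`crypto isakmp identity address`) and that address changes, the 5510 can only match it to DefaultL2LGroup, whose pre-shared key is therefore shared by every dynamically addressed peer that ever connects. The sequence below is an added verification checklist, not part of the thread, and applies to either design; the test hosts 172.16.1.10 and 172.17.1.10 are assumed addresses on the two LANs, and the `!` lines are annotations rather than commands:

```text
! ===== On the 5505 (the only side that can bring the tunnel up) =====
! Trace a packet through NAT and crypto before trusting a ping test. The
! source must come out untranslated (the twice-NAT exemption) and the trace
! must end in a VPN (encrypt) phase; a source rewritten to the outside
! address means the exemption is missing and the flow never hits the tunnel.
packet-tracer input inside icmp 172.16.1.10 8 0 172.17.1.10 detailed
!
! Phase 1: one entry for 38.a.a.a in state MM_ACTIVE once authenticated
show crypto isakmp sa
!
! Phase 2: proxy identities must be 172.16.1.0/24 <-> 172.17.1.0/24.
! #pkts encaps rising while #pkts decaps stays at 0 means the hub is not
! answering: check its NAT exemption and that its LAN1-to-LAN2 view mirrors
! this side's LAN2-to-LAN1.
show crypto ipsec sa peer 38.a.a.a
!
! ===== On the 5510 (hub) =====
! The dynamic map has no configured peer, so the remote shows up only after
! the 5505 has connected; its current DHCP address is visible here.
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb l2l
!
! ===== Either side, if phase 1 never completes =====
! Run while the 5505 sends traffic; a proposal mismatch (aes-256/sha/group 2
! on both ends here) or a pre-shared key that differs between
! DefaultL2LGroup and tunnel-group 38.a.a.a shows up in this output.
debug crypto isakmp 127
undebug all
```

The same trace and counters apply to the Easy VPN variant; the only differences are that the 5505 negotiates in aggressive mode with the group name as its identity and that `show vpn-sessiondb` on the 5510 lists it as a remote-access session rather than under `l2l`.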
 
LVL 3

Author Comment

by:Undisputed
ID: 34226619
Will give it a try. Thank u
 
LVL 33

Expert Comment

by:digitap
ID: 34424560
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
