
cisco asa 5510 l2l

I have one Cisco ASA 5510 @ site A with a public/outside IP of x.x.x.x and with an inside network of 10.10.3.0/24 and 10.10.4.0/24

I have another ASA 5510 @ site B with a public/outside IP of y.y.y.y and with an inside network of 10.11.3.0/24 and 10.11.4.0/24

I just need a preshared/3des l2l between these sites with the ability to limit it to just those inside networks on/from both ends.

Can anyone spit out the steps needed to do this? I have never set up a l2l and have about 12 hours to at least get this up and running.
What other access lists do I need to block certain services on those networks? For example, I want to allow site B access to the network 10.10.3.0/24 @ site A but only port 80.
Asked by spiz79

jmeggers (Sr. Network and Security Engineer) commented:
First, your best bet is to use the wizard that's in ASDM.  The most important aspect is mirrored access-lists on the two ASAs, but other than that, the configs should match.  One ACL should be:

access-list vpn_acl permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

The other:

access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

Here's the rest of the CLI config:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside-map 10 match address vpn_acl
crypto map outside-map 10 set peer <y.y.y.y>                  <== (other end of the tunnel)
crypto map outside-map 10 set transform-set ESP-3DES-SHA
crypto map outside-map interface <outside_interface_name>
crypto isakmp enable <outside_interface_name>


You will also need to "no nat" your VPN traffic.  How that's done changed with the 8.3 code release.  Here's the 8.2 version:

access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 (mirror on other ASA)
nat (inside) 0 access-list no-nat

The 8.3 and later version looks like:

object network obj-local
     subnet 10.10.3.0 255.255.255.0
 
object network obj-remote
     subnet 10.11.3.0 255.255.255.0
 
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

fgasimzade commented:
You would also need access-lists applied to outside interface to permit traffic flow from one location to another:

access-list outside_access_in permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

access-group outside_access_in in interface outside

And vice versa on the other ASA:

access-list outside_access_in permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

access-group outside_access_in in interface outside


However, you can use sysopt connection permit-ipsec instead of access lists to permit ALL ipsec traffic between locations
spiz79 (Author) commented:
jmeggers,
just to confirm: that config is mirrored on the other side, correct?
Just swap the IPs around?

 
spiz79 (Author) commented:
And ASDM only works on one of the ASAs... the one running 8.2.

The other one is running 7.2 and the ASDM on that one will not finish loading, odd,
but a whole other issue that I will deal with later.
spiz79 (Author) commented:
I guess I don't see the access list for the "interesting traffic or specific port" 80.
Any addition to the CLI config above to include that would be awesome.

Also, do I need to make some static routes as well to reach the inside networks?
If so, an example of that would be great!
Thanks
fgasimzade commented:
access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

Yes, you would also need static routes, for example:

route outside 10.10.3.0 255.255.255.0 remote-peer-ip-address ------- On ASA with 10.11.3.0 subnet

and

route outside 10.11.3.0 255.255.255.0 remote-peer-ip-address --------- On ASA with 10.10.3.0 subnet
spiz79 (Author) commented:
access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

That seems to open the whole subnet. How about just a specific host in the subnet, like 10.10.3.4
port 80?



fgasimzade commented:
It's also possible, but the best practice is to encrypt the whole subnet and specify ports in the outside access list which is applied to the outside interface. I posted an example above.
spiz79 (Author) commented:
fgasimzade,
just to clarify: apply to the outside interface? Everywhere else says to apply to the inside interface.
I'm almost there, and you and jmeggers are about to get some points.
fgasimzade commented:
Well, it is not about the points in my case... I'm just trying to help.

The access-list should be applied to the outside interface since this interface faces the "untrusted" network and it blocks everything from untrusted to inside by default.
spiz79 (Author) commented:
fgasimzade,

to just allow, for example, port 80, I don't see the example you mention... should it be an extended ACL applied to the "policy"?
Could you type an example out for me with the subnet examples I gave?
fgasimzade commented:
Here is an example:

access-list outside_access_in permit tcp 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 eq 80

access-group outside_access_in in interface outside
spiz79 (Author) commented:
I tried the steps and it tore down all my other VPN l2l's.
Come to find out you can only have 1 crypto map per interface, so I had to nest the new site-to-site into the existing crypto map.

So I did that, and after I put in the access lists and no nat,
the old l2l's stayed up but couldn't pass traffic to their local LANs.

Any clue?
spiz79 (Author) commented:
After I enter this command is when stuff goes weird:

access-list no-nat permit ip object-group site1 object-group site2 (mirror on other ASA)
nat (inside) 0 access-list no-nat

I get this error via syslog (don't pay attention to the IPs):

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.100.1.8/58430 dst inside:10.20.2.11/135 denied due to NAT reverse path failure
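Pulling jmeggers's crypto/NAT-exemption config, fgasimzade's outside ACL and route notes, and the asker's "one crypto map per interface" finding together for the two-subnet layout in the question, here is the site A side in 8.2 syntax as an added example (not any poster's own config). Interface names, the object-group names, the crypto map sequence number 20, and the peer, gateway and pre-shared key placeholders are assumptions; on 8.2 the VPN bypass keyword is `permit-vpn`, and the "NAT reverse path failure" class of syslog message generally points at a NAT exemption that does not cover the same source/destination pairs as the crypto ACL in both directions, which is why the two ACLs below are kept identical.

```cisco
! Site A ASA running 8.2 (added example, not any poster's config).
! Assumed: interfaces named "outside"/"inside", existing crypto map "outside-map"
! with sequence 10 in use, placeholders for the peer, gateway and pre-shared key.
object-group network siteA-lans
 network-object 10.10.3.0 255.255.255.0
 network-object 10.10.4.0 255.255.255.0
object-group network siteB-lans
 network-object 10.11.3.0 255.255.255.0
 network-object 10.11.4.0 255.255.255.0
!
! Interesting traffic: encrypt everything between the two sites' LANs.
access-list vpn_acl extended permit ip object-group siteA-lans object-group siteB-lans
! NAT exemption (8.2 syntax) must cover exactly the same pairs as vpn_acl.
access-list no-nat extended permit ip object-group siteA-lans object-group siteB-lans
nat (inside) 0 access-list no-nat
!
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Only one crypto map per interface: add the new peer as a fresh sequence
! number on the map that is already applied, instead of a second map.
crypto map outside-map 20 match address vpn_acl
crypto map outside-map 20 set peer y.y.y.y
crypto map outside-map 20 set transform-set ESP-3DES-SHA
crypto map outside-map interface outside
!
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
!
! Restrict what site B may reach once decrypted: HTTP on 10.10.3.0/24 only.
! The outside ACL is consulted for VPN traffic only when the bypass is off;
! turning it off also subjects the existing tunnels to outside_access_in.
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp object-group siteB-lans 10.10.3.0 255.255.255.0 eq 80
access-group outside_access_in in interface outside
!
! Routes to the remote LANs via the outside gateway (redundant if the
! default route already points there).
route outside 10.11.3.0 255.255.255.0 OUTSIDE_GATEWAY_IP
route outside 10.11.4.0 255.255.255.0 OUTSIDE_GATEWAY_IP
```

Site B mirrors this with the two object-groups swapped, peer x.x.x.x, and its own outside ACL; the crypto ACL and the NAT exemption on each side must be exact mirrors of the other side's.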