Solved

cisco asa 5510 l2l

Posted on 2011-09-21
421 Views
Last Modified: 2012-05-12
I have one Cisco ASA 5510 at site A with a public/outside IP of x.x.x.x and an inside network of 10.10.3.0/24 and 10.10.4.0/24.

I have another ASA 5510 at site B with a public/outside IP of y.y.y.y and an inside network of 10.11.3.0/24 and 10.11.4.0/24.

I just need a preshared/3DES L2L between these sites, with the ability to limit it to just those inside networks on/from both ends.

Can anyone spit out the steps needed to do this? I have never set up an L2L and have about 12 hours to at least get this up and running.
What other access lists do I need to block certain services on those networks? For example, I want to allow site B access to the network 10.10.3.0/24 at site A, but only port 80.
Question by: spiz79
14 Comments
 
Accepted Solution by: jmeggers (earned 250 total points)

First, your best bet is to use the wizard that's in ASDM.  The most important aspect is mirrored access-lists on the two ASAs, but other than that, the configs should match.  One ACL should be:

access-list vpn_acl permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

The other:

access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

Here's the rest of the CLI config:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside-map 10 match address vpn_acl
crypto map outside-map 10 set peer <y.y.y.y>                  <== (other end of the tunnel)
crypto map outside-map 10 set transform-set ESP-3DES-SHA
crypto map outside-map interface <outside_interface_name>
crypto isakmp enable <outside_interface_name>

tunnel-group <y.y.y.y> type ipsec-l2l                         <== (not in the original post: the pre-share authentication above needs the peer's pre-shared key defined here)
tunnel-group <y.y.y.y> ipsec-attributes
 pre-shared-key <shared_secret>                               <== (placeholder; must be identical on both ASAs)


You will also need to "no nat" your VPN traffic.  How that's done changed with the 8.3 code release.  Here's the 8.2 version:

access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 (mirror on other ASA)
nat (inside) 0 access-list no-nat

The 8.3 and later version looks like:

object network obj-local
 subnet 10.10.3.0 255.255.255.0

object network obj-remote
 subnet 10.11.3.0 255.255.255.0

nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

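
As an added check that is not part of jmeggers' answer or of any Cisco tool: the script below parses "permit ip net mask net mask" crypto ACL entries from both ASAs and reports any entry that has no mirrored counterpart on the peer, then prints the mirrored line to add. The ACL lines are constructed samples using the subnets from the question; site A lists both inside networks while site B was only given the first, which the check flags.

```python
import re

# Added example (not from the thread): verify that the crypto ACLs on the two
# ASAs mirror each other, i.e. every "interesting traffic" entry on site A has
# the same networks with source and destination swapped on site B.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)\s*$"
)

def parse_ace(line):
    """Return ((src, smask), (dst, dmask)) for a 'permit ip net mask net mask' entry."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("not a simple 'permit ip net mask net mask' ACE: " + line)
    g = m.groupdict()
    return (g["src"], g["smask"]), (g["dst"], g["dmask"])

def mirror_ace(line):
    """The entry the peer ASA needs: same ACL name, source and destination swapped."""
    name = ACE_RE.match(line.strip()).group("name")
    (src, smask), (dst, dmask) = parse_ace(line)
    return f"access-list {name} permit ip {dst} {dmask} {src} {smask}"

def unmirrored(site_a_acl, site_b_acl):
    """Entries with no mirror on the other side, as (missing on B, missing on A).
    Both lists empty means the two crypto ACLs match as the accepted answer requires."""
    def fmt(s, d):
        return f"{s[0]} {s[1]} -> {d[0]} {d[1]}"
    a = {parse_ace(line) for line in site_a_acl}
    b = {parse_ace(line) for line in site_b_acl}
    missing_on_b = sorted(fmt(s, d) for (s, d) in a if (d, s) not in b)
    missing_on_a = sorted(fmt(s, d) for (s, d) in b if (d, s) not in a)
    return missing_on_b, missing_on_a

# Constructed sample: site A covers both inside networks from the question,
# site B was only given the first one, so the tunnel would not carry
# 10.10.4.0/24 <-> 10.11.4.0/24 traffic until site B is fixed.
SITE_A = [
    "access-list vpn_acl permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0",
    "access-list vpn_acl permit ip 10.10.4.0 255.255.255.0 10.11.4.0 255.255.255.0",
]
SITE_B = [
    "access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0",
]

if __name__ == "__main__":
    missing_b, missing_a = unmirrored(SITE_A, SITE_B)
    for entry in missing_b:
        print("site B lacks the mirror of:", entry)
    print("add on site B:", mirror_ace(SITE_A[1]))
```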
 
Assisted Solution by: fgasimzade (earned 250 total points)

You would also need access-lists applied to the outside interface to permit traffic flow from one location to the other:

access-list outside_access_in permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

access-group outside_access_in in interface outside

And vice versa on the other ASA:

access-list outside_access_in permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

access-group outside_access_in in interface outside

However, you can use sysopt connection permit-ipsec instead of access lists to permit ALL IPsec traffic between locations.

Author Comment by: spiz79

jmeggers,
Just to confirm, that config is mirrored on the other side, correct?
Just swap the IPs around...?

Author Comment by: spiz79

And ASDM only works on one of the ASAs...the one running 8.2.

The other one is running 7.2 and the ASDM on that one will not finish loading..odd,
but a whole other issue that I will deal with later.

Author Comment by: spiz79

I guess I don't see the access list for the "interesting traffic or specific port" 80.
Any addition to the CLI config above to include that would be awesome.

Also..do I need to make some static routes as well to reach the inside networks?
If so, an example of that would be great!
Thanks

Expert Comment by: fgasimzade

access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

Yes, you would also need static routes, for example:

route outside 10.10.3.0 255.255.255.0 remote-peer-ip-address ------- On ASA with 10.11.3.0 subnet

and

route outside 10.11.3.0 255.255.255.0 remote-peer-ip-address --------- On ASA with 10.10.3.0 subnet

Author Comment by: spiz79

access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

That seems to open the whole subnet. How about just a specific host in the subnet, like 10.10.3.4
port 80?

Expert Comment by: fgasimzade

It's also possible, but the best practice is to encrypt the whole subnet and specify ports in the outside access list, which is applied to the outside interface. I posted an example above.

Author Comment by: spiz79

fgasimzade,
Just to clarify: apply to the outside interface? Everywhere else says to apply to the inside interface.
I'm almost there, and you and jmeggers are about to get some points.

Expert Comment by: fgasimzade

Well, it is not about the points in my case.. I'm just trying to help.

The access-list should be applied to the outside interface, since this interface faces the "untrusted" network and it blocks everything from untrusted to inside by default.

Author Comment by: spiz79

fgasimzade,

To just allow, for example, port 80, I don't see the example you mention...should it be an extended ACL applied to the "policy"?
Could you type an example out for me with the subnet examples I gave?

Expert Comment by: fgasimzade

Here is an example:

access-list outside_access_in permit tcp 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 eq 80

access-group outside_access_in in interface outside

Author Comment by: spiz79

I tried the steps and it tore down all my other L2L VPNs.
Come to find out you can only have one crypto map per interface, so I had to nest the new site-to-site into the existing crypto map.

So I did that, and after I put in the access lists and no-nat,
the old L2Ls stayed up but couldn't pass traffic to their local LANs..

Any clue?

Author Comment by: spiz79

After I enter this command is when stuff goes weird:

access-list no-nat permit ip object-group site1 object-group site2 (mirror on other ASA)
nat (inside) 0 access-list no-nat

I get this error via syslog. Don't pay attention to the IPs:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.100.1.8/58430 dst inside:10.20.2.11/135 denied due to NAT reverse path failure
