Solved

cisco asa 5510 l2l

Posted on 2011-09-21
Last Modified: 2012-05-12
I have one Cisco ASA 5510 @ site A with a public/outside IP of x.x.x.x and with an inside network of 10.10.3.0/24 and 10.10.4.0/24

I have another ASA 5510 @ site B with a public/outside IP of y.y.y.y and with an inside network of 10.11.3.0/24 and 10.11.4.0/24

I just need a preshared/3DES L2L between these sites with the ability to limit it to just those inside networks on/from both ends.

Can anyone spit out the steps needed to do this? I have never set up an L2L and have about 12 hours to at least get this up and running.
What other access lists do I need to block certain services on those networks? For example, I want to allow site B access to the network 10.10.3.0/24 @ site A but only port 80.
Question by:spiz79
 
LVL 18

Accepted Solution

by:
jmeggers earned 250 total points
ID: 36578181
First, your best bet is to use the wizard that's in ASDM.  The most important aspect is mirrored access-lists on the two ASAs, but other than that, the configs should match.  One ACL should be:

access-list vpn_acl permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

The other:

access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

Here's the rest of the CLI config:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside-map 10 match address vpn_acl
crypto map outside-map 10 set peer <y.y.y.y>                  <== (other end of the tunnel)
crypto map outside-map 10 set transform-set ESP-3DES-SHA
crypto map outside-map interface <outside_interface_name>
crypto isakmp enable <outside_interface_name>


You will also need to "no nat" your VPN traffic.  How that's done changed with the 8.3 code release.  Here's the 8.2 version:

access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 (mirror on other ASA)
nat (inside) 0 access-list no-nat

The 8.3 and later version looks like:

object network obj-local
     subnet 10.10.3.0 255.255.255.0
 
object network obj-remote
     subnet 10.11.3.0 255.255.255.0
 
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote




0
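Putting the accepted answer together for both sites, as an added example that is not part of the original thread: this is 7.2/8.2 syntax (the two releases the asker has, and they share it), it covers both inside networks at each site as listed in the question (the ACLs above show only the .3 subnets), and it includes the `tunnel-group` that carries the pre-shared key, which the answer above omits and without which phase 1 never completes. The object-group, ACL and crypto map names and the `<psk>` and `<next-hop>` placeholders are my choices; x.x.x.x and y.y.y.y are the question's placeholders. 3DES/SHA-1/DH group 2 are kept only because that is what was asked for; on anything current use AES and DH group 14 or higher, and note that 8.4 and later renames `crypto isakmp` to `crypto ikev1` and `pre-shared-key` to `ikev1 pre-shared-key`.

```cisco
! ===== Site A (outside x.x.x.x) =====
! Local and remote networks, both /24s per site as given in the question
object-group network SITE-A-LANS
 network-object 10.10.3.0 255.255.255.0
 network-object 10.10.4.0 255.255.255.0
object-group network SITE-B-LANS
 network-object 10.11.3.0 255.255.255.0
 network-object 10.11.4.0 255.255.255.0

! Interesting traffic: everything between the two sites' LANs
access-list SITEB_VPN extended permit ip object-group SITE-A-LANS object-group SITE-B-LANS

! NAT exemption so LAN-to-LAN traffic keeps its private addresses (8.2 style)
access-list NO_NAT extended permit ip object-group SITE-A-LANS object-group SITE-B-LANS
nat (inside) 0 access-list NO_NAT

! Phase 1 (IKEv1) proposal, as requested: pre-shared key, 3DES, SHA-1, DH group 2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Phase 2 proposal
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! The peer and its pre-shared key live in a tunnel-group named after the peer IP.
! <psk> is a long random string, identical on both ASAs (comments cannot trail a key line).
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key <psk>

! One crypto map per interface; sequence 10 is this tunnel
crypto map outside_map 10 match address SITEB_VPN
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! Routing: the existing default route out of outside is enough, the crypto map
! catches the traffic on its way out; no per-subnet static routes are needed.
! (assumed existing line; <next-hop> is the ISP gateway)
route outside 0.0.0.0 0.0.0.0 <next-hop>

! ===== Site B (outside y.y.y.y): same object-groups, ISAKMP policy and transform-set;
! only the lines below differ, and they are the mirror image =====
access-list SITEA_VPN extended permit ip object-group SITE-B-LANS object-group SITE-A-LANS
access-list NO_NAT extended permit ip object-group SITE-B-LANS object-group SITE-A-LANS
nat (inside) 0 access-list NO_NAT
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key <psk>
crypto map outside_map 10 match address SITEA_VPN
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! ===== On 8.3 and later, replace the NO_NAT / nat 0 pair with twice NAT (site A shown;
! object-groups are accepted directly in the NAT statement) =====
nat (inside,outside) source static SITE-A-LANS SITE-A-LANS destination static SITE-B-LANS SITE-B-LANS
```

Bring the tunnel up by sending traffic from one LAN to the other, then check `show crypto isakmp sa` (phase 1 should show `MM_ACTIVE`) and `show crypto ipsec sa peer y.y.y.y` (encaps/decaps counters should increase on both sides). If phase 1 never forms, the pre-shared key or the tunnel-group name (which must be the peer's outside IP) is the usual culprit.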
 
LVL 18

Assisted Solution

by:fgasimzade
fgasimzade earned 250 total points
ID: 36579280
You would also need access-lists applied to outside interface to permit traffic flow from one location to another:

access-list outside_access_in permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

access-group outside_access_in in interface outside

And vice versa on another ASA

access-list outside_access_in permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

access-group outside_access_in in interface outside


However, you can use sysopt connection permit-ipsec instead of access lists to permit ALL ipsec traffic between locations
0
 

Author Comment

by:spiz79
ID: 36579613
jmeggers,
just to confirm that config is mirrored on the other side correct?
just swap the ips around...?
0

Author Comment

by:spiz79
ID: 36579639
and ASDM only works on one of the ASAs...the one running 8.2

the other one is running 7.2 and the ASDM on that one will not finish loading..odd
but a whole other issue that I will deal with later
0
 

Author Comment

by:spiz79
ID: 36579973
I guess I don't see the access list for the "interesting traffic or specific port" 80
any addition to the CLI config above to include that would be awesome.

Also..do I need to make some static routes as well to reach the inside networks?
If so, an example of that would be great!
Thanks
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36580035
access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

Yes, you would also need static routes, for example:

route outside 10.10.3.0 255.255.255.0 remote-peer-ip-address ------- On ASA with 10.11.3.0 subnet

and

route outside 10.11.3.0 255.255.255.0 remote-peer-ip-address --------- On ASA with 10.10.3.0 subnet
0
 

Author Comment

by:spiz79
ID: 36581129
access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

That seems to open the whole subnet. How about to just a specific host in the subnet like 10.10.3.4
port 80?



0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36581400
It's also possible, but the best practice is to encrypt the whole subnet and specify ports in the outside access list which is applied to the outside interface. I posted an example above.
0
 

Author Comment

by:spiz79
ID: 36582349
fgasimzade,
just to clarify..apply to the outside interface? Everywhere else says to apply it to the inside interface.
I'm almost there and you and jmeggers are about to get some points.
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36582403
Well, it is not about the points in my case.. I'm just trying to help.

The access list should be applied to the outside interface since this interface faces the "untrusted" network and it blocks everything from untrusted to inside by default.
0
 

Author Comment

by:spiz79
ID: 36584184
fgasimzade

to just allow for example port 80 I don't see the example you mention...should it be an extended ACL applied to the "policy"?
could you type an example out for me with the subnet examples I gave
0
 
LVL 18

Expert Comment

by:fgasimzade
ID: 36585184
Here is an example:

access-list outside_access_in permit tcp 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 eq 80

access-group outside_access_in in interface outside
0
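The port restriction the question asks for (site B may reach 10.10.3.0/24 at site A on TCP 80 only), as an added example that is not part of the thread, configured on the site A ASA in 7.2/8.2 syntax. It serves both the outside-ACL post earlier in the thread and the port-80 example just above, with one caveat neither mentions: `sysopt connection permit-vpn` (the 7.x/8.x name of what the earlier post calls `permit-ipsec`) is enabled by default, and while it is on, decrypted VPN traffic bypasses the interface ACLs entirely, so an `outside_access_in` entry on its own restricts nothing. Either keep it on and attach a `vpn-filter` to the tunnel's group policy, which the ASA evaluates for tunnel traffic regardless, or turn it off and use the interface ACL. The example is written from site A's side, so the source is site B's network. ACL, group-policy and tunnel-group names are mine.

```cisco
! ===== Option 1 (preferred): vpn-filter on the tunnel's group policy =====
! For an L2L vpn-filter the ACL is written from the remote side's point of view:
! source = remote network, destination = local network. The ASA applies it in
! both directions, swapping addresses for outbound traffic, and an implicit
! deny drops everything else once it has been decrypted.
access-list SITEB_VPN_FILTER extended permit tcp 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 eq 80

group-policy SITEB_GP internal
group-policy SITEB_GP attributes
 vpn-filter value SITEB_VPN_FILTER

tunnel-group y.y.y.y general-attributes
 default-group-policy SITEB_GP

! The crypto ACL still encrypts the whole /24s, as advised in the thread;
! the filter, not the crypto ACL, is what enforces the port.

! ===== Option 2: interface ACL, only meaningful with permit-vpn turned off =====
no sysopt connection permit-vpn
access-list outside_access_in extended permit tcp 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 eq 80
access-group outside_access_in in interface outside
! With permit-vpn off, every other VPN terminating on this ASA (other L2Ls,
! remote-access clients) also needs explicit outside_access_in entries or its
! traffic is dropped; that is why option 1 is less disruptive on a shared box.

! ===== Checks =====
! Hit counts: the permit line should count web traffic, nothing else should pass
show access-list SITEB_VPN_FILTER
! Confirms the filter is attached to the live session with y.y.y.y
show vpn-sessiondb detail l2l
! Confirms which mode you are in (default is permit-vpn enabled)
show run sysopt
```

To test, open a connection from a site B host to a site A host on port 80 and on some other port (445, say); the first should succeed and the second should fail, and `show access-list SITEB_VPN_FILTER` should show the hit count rising only for the permitted line.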
 

Author Comment

by:spiz79
ID: 36712003
I tried the steps and it tore down all my other VPN L2Ls.
Come to find out you can only have 1 crypto map per interface, so I had to nest the new site-to-site into the existing crypto map.

So I did that, and after I put in access lists and no nat
the old L2Ls stayed up but couldn't pass traffic to their local LANs..

any clue?
0
 

Author Comment

by:spiz79
ID: 36712942
After I enter this command is when stuff goes weird

access-list no-nat permit ip object-group site1 object-group site2 (mirror on other ASA)
nat (inside) 0 access-list no-nat

I get this error via syslog. Don't pay attention to the IPs

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.100.1.8/58430 dst inside:10.20.2.11/135 denied due to NAT reverse path failure
0
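What the last two comments ran into, as an added example that is not the thread's own config, shown on the site A ASA in 8.2 syntax: adding a second L2L to a box that already has one. Two ASA rules explain both symptoms. An interface takes exactly one crypto map, so the new peer goes in as another sequence number of the existing map rather than a new map. An interface also takes exactly one `nat (inside) 0 access-list` ACL; entering the command again with a different ACL name replaces the previous exemption, and old tunnels whose traffic is suddenly no longer exempt produce exactly the `NAT reverse path failure` syslog quoted above, because their return traffic now hits NAT where the forward flow did not. The older peer z.z.z.z, its LAN 10.30.3.0/24, the object and ACL names and `<psk>` are placeholders of mine.

```cisco
! ===== Site A, existing state (assumed): one tunnel to an older peer z.z.z.z =====
object-group network SITE-A-LANS
 network-object 10.10.3.0 255.255.255.0
 network-object 10.10.4.0 255.255.255.0
object-group network OLDSITE-LANS
 network-object 10.30.3.0 255.255.255.0
access-list OLDSITE_VPN extended permit ip object-group SITE-A-LANS object-group OLDSITE-LANS
access-list NO_NAT extended permit ip object-group SITE-A-LANS object-group OLDSITE-LANS
nat (inside) 0 access-list NO_NAT
crypto map outside_map 10 match address OLDSITE_VPN
crypto map outside_map 10 set peer z.z.z.z
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

! ===== Adding site B without breaking the old tunnel =====
object-group network SITE-B-LANS
 network-object 10.11.3.0 255.255.255.0
 network-object 10.11.4.0 255.255.255.0
access-list SITEB_VPN extended permit ip object-group SITE-A-LANS object-group SITE-B-LANS

! Append to the SAME exemption ACL. Do not create a second ACL and re-issue
! "nat (inside) 0 access-list <other>": that replaces NO_NAT and un-exempts the old site.
access-list NO_NAT extended permit ip object-group SITE-A-LANS object-group SITE-B-LANS

! Same crypto map, new sequence number, new peer. No new "crypto map ... interface outside"
! line: the map is already bound, and re-binding is what tears every tunnel down.
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key <psk>
crypto map outside_map 20 match address SITEB_VPN
crypto map outside_map 20 set peer y.y.y.y
crypto map outside_map 20 set transform-set ESP-3DES-SHA

! ===== Checks =====
! Exactly one "nat (inside) 0" line, naming the ACL that holds every tunnel's exemption
show run nat
! Both peers, each under its own sequence number, in the one map
show run crypto map
! Hit counts on the exemption ACL should grow for old and new tunnel traffic
show access-list NO_NAT
! Phase 2 SAs per peer
show crypto ipsec sa peer z.z.z.z
show crypto ipsec sa peer y.y.y.y
! Walk a flow toward each remote LAN; expect a NAT-EXEMPT phase, a VPN phase and ALLOW
packet-tracer input inside tcp 10.10.3.10 40000 10.30.3.11 135
packet-tracer input inside tcp 10.10.3.10 40000 10.11.3.4 80
```

If `show run nat` shows `nat (inside) 0 access-list` pointing at an ACL that lacks the old site's entry, that is the cause of the reverse-path syslog; put the old site's line back into whichever ACL the nat 0 statement now references and the old tunnels pass traffic again without a renegotiation.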
