Cisco ASA 5510 L2L

I have one Cisco ASA 5510 @ site A with a public/outside IP of x.x.x.x and with inside networks of 10.10.3.0/24 and 10.10.4.0/24.

I have another ASA 5510 @ site B with a public/outside IP of y.y.y.y and with inside networks of 10.11.3.0/24 and 10.11.4.0/24.

I just need a pre-shared-key/3DES L2L between these sites, with the ability to limit it to just those inside networks on/from both ends.

Can anyone spit out the steps needed to do this? I have never set up an L2L and have about 12 hours to at least get this up and running.
What other access lists do I need to block certain services on those networks? For example, I want to allow site B access to the network 10.10.3.0/24 @ site A, but only port 80.

spiz79 asked:

John Meggers (Network Architect) commented:
First, your best bet is to use the wizard that's in ASDM. The most important aspect is mirrored access-lists on the two ASAs, but other than that, the configs should match. One ACL should be:

access-list vpn_acl permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

The other:

access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

Here's the rest of the CLI config:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside-map 10 match address vpn_acl
crypto map outside-map 10 set peer <y.y.y.y>    <== (other end of the tunnel)
crypto map outside-map 10 set transform-set ESP-3DES-SHA
crypto map outside-map interface <outside_interface_name>
crypto isakmp enable <outside_interface_name>


You will also need to "no nat" your VPN traffic. How that's done changed with the 8.3 code release. Here's the 8.2 version:

access-list no-nat permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 (mirror on other ASA)
nat (inside) 0 access-list no-nat

The 8.3 and later version looks like:

object network obj-local
     subnet 10.10.3.0 255.255.255.0
 
object network obj-remote
     subnet 10.11.3.0 255.255.255.0
 
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
fgasimzade commented:
You would also need access-lists applied to the outside interface to permit traffic flow from one location to another:

access-list outside_access_in permit ip 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0

access-group outside_access_in in interface outside

And vice versa on the other ASA:

access-list outside_access_in permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0

access-group outside_access_in in interface outside

However, you can use sysopt connection permit-ipsec instead of access lists to permit ALL IPsec traffic between locations.

spiz79 (Author) commented:
jmeggers,
just to confirm, that config is mirrored on the other side, correct?
Just swap the IPs around...?

spiz79 (Author) commented:
And ASDM only works on one of the ASAs... the one running 8.2.

The other one is running 7.2 and the ASDM on that one will not finish loading... odd,
but a whole other issue that I will deal with later.

spiz79 (Author) commented:
I guess I don't see the access list for the "interesting traffic" or specific port 80.
Any addition to the CLI config above to include that would be awesome.

Also, do I need to make some static routes as well to reach the inside networks?
If so, an example of that would be great!
Thanks

fgasimzade commented:
access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

Yes, you would also need static routes, for example:

route outside 10.10.3.0 255.255.255.0 remote-peer-ip-address    <== On ASA with 10.11.3.0 subnet

and

route outside 10.11.3.0 255.255.255.0 remote-peer-ip-address    <== On ASA with 10.10.3.0 subnet

spiz79 (Author) commented:
access-list vpn_acl permit ip 10.11.3.0 255.255.255.0 10.10.3.0 255.255.255.0 - this is your access list for interesting traffic.

That seems to open the whole subnet. How about just a specific host in the subnet, like 10.10.3.4,
port 80?

fgasimzade commented:
It's also possible, but the best practice is to encrypt the whole subnet and specify ports in the outside access list, which is applied to the outside interface. I posted an example above.

spiz79 (Author) commented:
fgasimzade,
just to clarify... apply to the outside interface? Everywhere else says to apply it to the inside interface.
I'm almost there, and you and jmeggers are about to get some points.

fgasimzade commented:
Well, it is not about the points in my case... I'm just trying to help.

The access-list should be applied to the outside interface, since this interface faces the "untrusted" network and it blocks everything from untrusted to inside by default.

spiz79 (Author) commented:
fgasimzade

To just allow, for example, port 80, I don't see the example you mention... should it be an extended ACL applied to the "policy"?
Could you type an example out for me with the subnet examples I gave?

fgasimzade commented:
Here is an example:

access-list outside_access_in permit tcp 10.10.3.0 255.255.255.0 10.11.3.0 255.255.255.0 eq 80

access-group outside_access_in in interface outside

spiz79 (Author) commented:
I tried the steps and it tore down all my other VPN L2Ls.
Come to find out you can only have one crypto map per interface, so I had to nest the new site-to-site into the existing crypto map.

So I did that, and after I put in the access lists and no nat,
the old L2Ls stayed up but couldn't pass traffic to their local LANs...

Any clue?
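As an added example (not code from any poster in this thread), a small Python helper that builds the mirrored "permit ip" ACLs both ASAs need for the crypto map match and the 8.2-style no-nat exemption (jmeggers' answer), checks that two ACLs really are exact mirrors of each other, and emits the per-port outside-interface rule from the example above. It goes beyond the single /24 pair in the answers by covering all four subnets from the question; the ACL names are the thread's, the network lists are constructed from the question, and only the short `access-list NAME permit ...` ACE form used in the thread is parsed.

```python
import ipaddress

# Constructed from the question: inside networks at each site.
SITE_A_NETS = ["10.10.3.0/24", "10.10.4.0/24"]
SITE_B_NETS = ["10.11.3.0/24", "10.11.4.0/24"]


def _nm(cidr):
    """'10.10.3.0/24' -> '10.10.3.0 255.255.255.0' (ASA dotted-mask form)."""
    n = ipaddress.ip_network(cidr, strict=True)
    return f"{n.network_address} {n.netmask}"


def permit_ip_acl(name, local_nets, remote_nets):
    """One 'permit ip' ACE per local/remote pair. The same list serves as the
    crypto map match ACL (interesting traffic) and as the 8.2-style no-nat ACL."""
    return [f"access-list {name} permit ip {_nm(l)} {_nm(r)}"
            for l in local_nets for r in remote_nets]


def parse_ace(line):
    """Split 'access-list NAME permit PROTO SRC SMASK DST DMASK [extra...]'."""
    t = line.split()
    if len(t) < 8 or t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"unsupported ACE: {line}")
    return (t[1], t[3], t[4], t[5], t[6], t[7], tuple(t[8:]))


def is_mirror(acl_a, acl_b):
    """True iff every ACE on one ASA appears on the peer with src/dst swapped
    and neither side has anything extra: the mirroring the crypto ACLs must
    satisfy so both peers propose the same local/remote proxy identities."""
    def flip(e):
        name, proto, s, sm, d, dm, extra = e
        return (name, proto, d, dm, s, sm, extra)
    return {flip(parse_ace(l)) for l in acl_a} == {parse_ace(l) for l in acl_b}


def outside_port_rule(name, remote_net, local_net, port):
    """ACE for the outside interface of the ASA that owns local_net: the remote
    site may reach local_net on one TCP port only; return traffic is stateful."""
    return f"access-list {name} permit tcp {_nm(remote_net)} {_nm(local_net)} eq {port}"


if __name__ == "__main__":
    acl_a = permit_ip_acl("vpn_acl", SITE_A_NETS, SITE_B_NETS)   # on ASA at site A
    acl_b = permit_ip_acl("vpn_acl", SITE_B_NETS, SITE_A_NETS)   # on ASA at site B
    print("\n".join(acl_a + ["!"] + acl_b))
    print("mirrored:", is_mirror(acl_a, acl_b))
    # Question's requirement: site B reaches 10.10.3.0/24 at site A on port 80 only.
    print(outside_port_rule("outside_access_in", SITE_B_NETS[0], SITE_A_NETS[0], 80))
```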

spiz79 (Author) commented:
After I enter this command is when stuff goes weird:

access-list no-nat permit ip object-group site1 object-group site2 (mirror on other ASA)
nat (inside) 0 access-list no-nat

I get this error via syslog. Don't pay attention to the IPs:

Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside:10.100.1.8/58430 dst inside:10.20.2.11/135 denied due to NAT reverse path failure