Solved

How to set up a site-to-site VPN using a Cisco ASA?

Posted on 2011-09-25
5
610 Views
Last Modified: 2012-05-12
This is using a Cisco ASA 5510 firewall. Recently, my management wanted me to plan to establish a site-to-site VPN with my partner company in another country. My partner is also using a Cisco ASA model. BTW, how do I do it? What data/info do I need?
0
Comment
Question by:MezzutOzil
5 Comments
 
LVL 6

Expert Comment

by:ckivml
ID: 36597211
0
 
LVL 6

Expert Comment

by:ckivml
ID: 36597216
Please find Cisco Documentation on below link

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

and Please find the attachment for your reference
A-Cisco-ASA-Site-to-Site-VPN.pdf
0
 
LVL 1

Accepted Solution

by:
fcar807 earned 500 total points
ID: 36597985


ASA VPN settings
2A. Enable VPN termination on the outside interface.
lab1(config)# crypto isakmp enable outside

2B. Create a transform set (phase 2 settings). This should match the settings defined in step 1O above.

lab1(config)# crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

2C. Define Phase 1. These settings can be shared across multiple VPNs, so if they already exist it may not be necessary to create them. This should match steps 1H and 1J above.
If there are existing isakmp policies that do not match your desired settings, use the next available policy number.
lab1(config)# crypto isakmp policy 10
lab1(config-isakmp-policy)# authentication pre-share
lab1(config-isakmp-policy)# encryption 3des
lab1(config-isakmp-policy)# hash sha
lab1(config-isakmp-policy)# group 2
lab1(config-isakmp-policy)# lifetime 86400
lab1(config-isakmp-policy)# exit

2D. Define the local network(s) group. This should match the remote network defined in step 1K above.
lab1(config)# object-group network Local-encrypt
lab1(config-network)# network-object 172.16.20.0 255.255.255.0
lab1(config-network)# exit
lab1(config)#

2E. Define the remote network(s) group. This should match the local network defined in step 1C above.
lab1(config)# object-group network Remote-encrypt
lab1(config-network)# network-object 192.168.1.0 255.255.255.0
lab1(config-network)# exit
lab1(config)#

2F. Create an access list that allows traffic from your local network (step 2D) to the remote network (step 2E). The access-list name (“remote_vpn” in this example) can be anything that signifies this tunnel. It is not recommended to use port filtering (for example, allowing only HTTP traffic), as Cisco firewalls do not do a good job of VPN port filtering.
lab1(config)# access-list remote_vpn permit ip object-group Local-encrypt object-group Remote-encrypt

2G. Create a crypto map that ties the Phase 2 settings to the remote peer. The “match address” statement should contain the name of the access-list created in step 2F. The Peer address should match the IP address of the Checkpoint firewall. The transform set will contain the name of the set defined in step 2B. The lifetime should match the Phase 2 lifetime in step 1J.
lab1(config)# crypto map mymap 10 match address remote_vpn
lab1(config)# crypto map mymap 10 set peer 192.168.1.254
lab1(config)# crypto map mymap 10 set transform-set 3des-sha
lab1(config)# crypto map mymap 10 set security-association lifetime seconds 3600
2H. Define the tunnel type and set the pre-shared key. The pre-shared key should match the key specified in step 1I.

lab1(config)# tunnel-group 192.168.1.254 type ipsec-l2l
lab1(config)# tunnel-group 192.168.1.254 ipsec-attributes
lab1(config-tunnel-ipsec)# pre-shared-key abc123
lab1(config-tunnel-ipsec)# exit

2I. Make sure that the traffic in the VPN is not NATed. There are several ways to define NAT translations. In the example below, an access list is created and added to the nat 0 statement (nat 0 traffic is not translated) on the inside interface (assuming the local network is behind the inside interface).
lab1(config)# access-list nonat permit ip object-group Local-encrypt object-group Remote-encrypt
lab1(config)# nat (inside) 0 access-list nonat

2J. Define the crypto map that will be used for all VPNs on this firewall. The name of the crypto map should match the name of the map defined in step 2G (“mymap” in the example above). Also specify the interface that will terminate the VPN.
lab1(config)# crypto map mymap interface outside
 
or follow this guide,

http://www.carbonwind.net/VyattaOFR/VyattaCiscos2stunmode/VyattaCiscos2stunmode.htm

Thanks
Frank
0
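Every step in Frank's answer says "this should match step ... on the other side", and with the partner in another country the two ASAs are usually configured by different people. The following is an added example, not part of the original answer: it renders the lab1 commands above as a template for both firewalls and then checks that two configs mirror each other (encryption domain swapped, phase 1 policy, transform set, pre-shared key and phase 2 lifetime equal, tunnel-group name equal to the peer address). The address 203.0.113.1 (site A's outside interface) and the pre-shared key are placeholders.

```python
ASA_TEMPLATE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
access-list remote_vpn permit ip {local} {remote}
crypto map mymap 10 match address remote_vpn
crypto map mymap 10 set peer {peer}
crypto map mymap 10 set transform-set 3des-sha
crypto map mymap 10 set security-association lifetime seconds 3600
tunnel-group {peer} type ipsec-l2l
tunnel-group {peer} ipsec-attributes
 pre-shared-key {psk}
"""

def parse_asa_vpn(cfg):
    """Pull out the settings that must agree (or mirror) between the two peers."""
    s = {"policy": {}}
    for line in cfg.splitlines():
        t = line.split()
        if not t: continue
        if t[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            s["policy"][t[0]] = t[1]                                # phase 1 (isakmp) parameters
        elif line.startswith("crypto ipsec transform-set"):
            s["transform"] = tuple(t[4:])                           # phase 2 algorithms
        elif line.startswith("access-list") and "permit ip" in line:
            s["local"], s["remote"] = " ".join(t[4:6]), " ".join(t[6:8])
        elif "set peer" in line: s["peer"] = t[-1]
        elif "lifetime seconds" in line: s["sa_life"] = t[-1]      # phase 2 SA lifetime
        elif "ipsec-l2l" in line: s["tg_name"] = t[1]              # must equal the peer IP
        elif t[0] == "pre-shared-key": s["psk"] = t[1]
    return s

def check_mirror(a, b):
    """Return every setting that does not mirror between site A and site B (empty list = consistent)."""
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("crypto ACL networks are not mirrored")
    for key in ("policy", "transform", "psk", "sa_life"):
        if a[key] != b[key]: problems.append(f"{key} differs: {a[key]} vs {b[key]}")
    for site, s in (("A", a), ("B", b)):
        if s["tg_name"] != s["peer"]: problems.append(f"site {site}: tunnel-group {s['tg_name']} != peer {s['peer']}")
    return problems

# Constructed sample: site A uses the page's values, site B is the partner ASA with the networks swapped;
# 203.0.113.1 is an assumed outside address for site A and the pre-shared key is a placeholder.
SITE_A = ASA_TEMPLATE.format(local="172.16.20.0 255.255.255.0", remote="192.168.1.0 255.255.255.0", peer="192.168.1.254", psk="PLACEHOLDER-PSK")
SITE_B = ASA_TEMPLATE.format(local="192.168.1.0 255.255.255.0", remote="172.16.20.0 255.255.255.0", peer="203.0.113.1", psk="PLACEHOLDER-PSK")
```

Run check_mirror(parse_asa_vpn(SITE_A), parse_asa_vpn(SITE_B)) against the two real configs (or their show running-config output) before the first tunnel attempt; an empty list means the phase 1/phase 2 settings and encryption domains line up.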
 

Author Comment

by:MezzutOzil
ID: 36599717
Hi guys,

Let me go through it and get back to you...
0
 

Author Closing Comment

by:MezzutOzil
ID: 36966049
Good
0
