Solved

Branch office VPN config

Posted on 2013-12-06
Last Modified: 2014-01-02
Hi, I have an ASA 5505 config and need to preconfigure it for a branch office VPN with another 5505 at a remote office.
Is it possible to complete the necessary IOS command lines in my config?
It needs the following authentication and encryption settings:
IKE (phase 1): pre-shared key, MD5-HMAC, 3DES, Diffie-Hellman group 2, interval 1440 min
IPsec (phase 2): tunnel mode, MD5-HMAC, 3DES, PFS disabled, renegotiation interval 3600 sec
WAN remote site: 80.95.138.136
Internal vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24) and vlan3 (10.73.12.0/24) from the local site need to be routed to the branch office VLANs.
Subnets on the remote site are 172.28.0.0/16, 10.30.150.0/24, 10.30.252.0/24 and 10.28.0.0/16.
configASA1-XPERTS.txt
Question by:antwerp2007
3 Comments
Accepted Solution
by: Britt Thompson
ID: 39702249
! Local and remote subnets carried over the tunnel (vlan3, 10.73.12.0/24,
! is added to LOCAL-LAN in the follow-up comment below)
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0

! The same ACL body twice: NONAT exempts tunnel traffic from NAT,
! CRYPTO-BRANCH defines the interesting traffic for the crypto map
access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

! NAT exemption in pre-8.3 syntax; on ASA 8.3 and later use a twice NAT rule:
! nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
nat (inside) 0 access-list NONAT

! Phase 2: 3DES/MD5-HMAC, 3600 s SA lifetime; no "set pfs" line, so PFS stays disabled
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer 80.95.138.136
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside

! Phase 1: the policy lifetime is in seconds, so the requested 1440 minutes is 86400
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! Site-to-site peer with the shared secret (replace the placeholder)
tunnel-group 80.95.138.136 type ipsec-l2l
tunnel-group 80.95.138.136 ipsec-attributes
 pre-shared-key YOURPRESHAREDKEY
 
Author Comment
by: antwerp2007
ID: 39703007
Hello renazonse, thank you for the config. Don't I need some static routes to make sure that traffic from my local VLANs can be routed to the remote networks? I'll give you some additional infrastructure information as well. My Catalyst 3750X stack performs the inter-VLAN routing for the local VLANs: vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24), vlan3 (10.73.12.0/24). The default gateway on the Catalyst 3750X stack is the IP of its interface vlan1 (10.73.10.10); the gateway of last resort points to the LAN IP of the ASA. The DHCP server (Server 2K8) default gateway is also the CAT3750X interface vlan1 (10.73.10.10). All the other clients and servers use the LAN IP of the ASA as default gateway.
cat3750X-29112013expertsexch-con.rtf
 
Assisted Solution
by: Britt Thompson
ID: 39706347
object-group network LOCAL-LAN
 network-object 10.73.12.0 255.255.255.0

would need to be added, but as long as the routes are on the firewall, which they are, all the traffic will be allowed from the firewall out.

Then you have to create the routes on the router(s) to tell them where to send the traffic when the clients talk:

! Static routes on the Catalyst 3750X; 10.73.10.1 is assumed here to be the
! ASA inside (LAN) address, the thread does not state it
ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1

This tells the routers that traffic destined for the remote subnet IPs needs to go out via the firewall.
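Two things are easy to get wrong when transcribing a requirement like the one in the question into an ASA config: the isakmp policy lifetime is in seconds (so "1440 min" must be written as 86400, not 1440), and every local subnet has to appear in the crypto ACL or it is silently left out of the tunnel, which is exactly why vlan3 had to be added in the follow-up. The script below is an added example, not code from the thread or from Cisco; it parses the relevant lines of the posted config (the config and route strings are constructed from the answers, with the policy lifetime written literally as 1440 to show the unit check firing) and compares them with the requirements, then checks that the Catalyst static routes cover every remote subnet. It assumes, as the follow-up answer does, that 10.73.10.1 is the ASA inside address.

```python
"""Check a posted ASA site-to-site config and IOS static routes against the
requirements in the question.  Added example; not code from the thread."""
import ipaddress
import re
from collections import defaultdict

# Constructed from the accepted answer (not a live device); only the lines the
# checks look at are kept, and the policy lifetime is written as 1440.
ASA_CONFIG = """
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0
object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 set peer 80.95.138.136
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
"""

# Static routes from the follow-up answer; 10.73.10.1 is assumed to be the
# ASA inside address (the thread never states it).
CATALYST_ROUTES = """ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1
"""

# Requirements from the question.  The isakmp policy 'lifetime' is in
# seconds on the ASA, so "1440 min" has to be configured as 86400.
REQUIRED = {
    "phase1": {"authentication": "pre-share", "encryption": "3des",
               "hash": "md5", "group": "2", "lifetime": "86400"},
    "phase2_transform": {"esp-3des", "esp-md5-hmac"},
    "phase2_lifetime": "3600",
    "peer": "80.95.138.136",
    "local": ["10.73.10.0/24", "10.73.11.0/24", "10.73.12.0/24"],
    "remote": ["172.28.0.0/16", "10.30.150.0/24", "10.30.252.0/24", "10.28.0.0/16"],
}

def parse_object_groups(cfg):
    """Map 'object-group network' names to their subnets
    (only the 'network-object <net> <mask>' form is handled)."""
    groups, current = defaultdict(list), None
    for line in cfg.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m[1]
        elif current and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            groups[current].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif not line.startswith(" "):
            current = None          # any unindented line ends the block
    return groups

def parse_isakmp_policy(cfg, number=10):
    """Return the indented attributes of 'crypto isakmp policy <number>'."""
    attrs, inside = {}, False
    for line in cfg.splitlines():
        if re.match(rf"crypto isakmp policy {number}\b", line):
            inside = True
        elif inside:
            m = re.match(r"\s+(\S+) (\S+)", line)
            if not m:
                break               # first unindented line ends the policy
            attrs[m[1]] = m[2]
    return attrs

def check_vpn(cfg, req):
    """Compare the config with the requirements; return a list of findings."""
    findings = []
    pol = parse_isakmp_policy(cfg)
    for key, want in req["phase1"].items():
        if pol.get(key) != want:
            findings.append(f"phase1 {key}: got {pol.get(key)!r}, want {want!r}")
    m = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg)
    if (set(m[1].split()) if m else set()) != req["phase2_transform"]:
        findings.append("phase2 transform-set does not match")
    m = re.search(r"crypto ipsec security-association lifetime seconds (\d+)", cfg)
    if not m or m[1] != req["phase2_lifetime"]:
        findings.append("phase2 lifetime does not match")
    if not re.search(rf"set peer {re.escape(req['peer'])}\b", cfg):
        findings.append(f"peer {req['peer']} not configured")
    groups = parse_object_groups(cfg)
    for side, name in (("local", "LOCAL-LAN"), ("remote", "REMOTE-LAN")):
        for net in req[side]:
            if ipaddress.ip_network(net) not in groups.get(name, []):
                findings.append(f"{name} missing {net}")
    return findings

def check_routes(routes_cfg, remote_subnets, next_hop):
    """Return the remote subnets with no IOS static route via next_hop."""
    routed = {ipaddress.ip_network(f"{m[1]}/{m[2]}")
              for m in re.finditer(r"ip route (\S+) (\S+) (\S+)", routes_cfg)
              if m[3] == next_hop}
    return [n for n in remote_subnets if ipaddress.ip_network(n) not in routed]

if __name__ == "__main__":
    print(check_vpn(ASA_CONFIG, REQUIRED))
    print(check_routes(CATALYST_ROUTES, REQUIRED["remote"], "10.73.10.1"))
```

Run against the constructed config it reports the phase 1 lifetime mismatch and the missing 10.73.12.0/24 in LOCAL-LAN, and nothing for the four routes; dropping one `ip route` line from the route text makes that subnet show up in the second list. The parser deliberately handles only the subnet/mask form of `network-object`, so `host` and nested `object` entries would need extending before running it on a real config.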