Solved: Branch office VPN config

Posted on 2013-12-06, last modified 2014-01-02
Hi, I have an ASA 5505 config and need to preconfigure it for a branch office VPN with another 5505 at a remote office.
Is it possible to complete the necessary IOS command lines in my config?
It needs the following authentication and encryption settings:
IKE (phase 1): Pre-shared key, MD5-HMAC, 3DES, Diffie-Hellman Group 2, interval 1440 min
IPsec (phase 2): Tunnel mode, MD5-HMAC, 3DES, PFS disabled, reneg. interval 3600 sec
WAN remote site: 80.95.138.136
Internal vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24) and vlan3 (10.73.12.0/24) from the local site need to be routed to the branch office VLANs.
Subnets on the remote site are 172.28.0.0/16, 10.30.150.0/24, 10.30.252.0/24 and 10.28.0.0/16.
Attachment: configASA1-XPERTS.txt

Question by: antwerp2007

3 Comments
Accepted Solution

by: renazonse (earned 500 total points)
ID: 39702249
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer 80.95.138.136
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
! the ASA takes this lifetime in seconds; 1440 minutes = 86400 seconds
 lifetime 86400

tunnel-group 80.95.138.136 type ipsec-l2l
tunnel-group 80.95.138.136 ipsec-attributes
 pre-shared-key YOURPRESHAREDKEY
 
LVL 1

Author Comment

by:antwerp2007
ID: 39703007
Hello renazonse, thank you for the config. Don't I need some static routes to make sure that traffic from my local VLANs can be routed to the remote networks? I'll give you some additional infrastructure information as well. My Catalyst 3750X stack performs the inter-VLAN routing for the local VLANs: vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24), vlan3 (10.73.12.0/24). The default gateway on the Catalyst 3750X stack is the IP of its interface vlan1 (10.73.10.10); the gateway of last resort points to the LAN IP of the ASA. The DHCP server's (Server 2K8) default gateway is also the CAT3750X interface vlan1 (10.73.10.10). All the other clients and servers use the LAN IP of the ASA as default gateway.

Attachment: cat3750X-29112013expertsexch-con.rtf
 
LVL 30

Assisted Solution

by:renazonse
renazonse earned 500 total points
ID: 39706347
object-group network LOCAL-LAN
 network-object 10.73.12.0 255.255.255.0

would need to be added, but as long as the routes are on the firewall, which they are, all the traffic will be allowed from the firewall out.

Then, you have to create the routes on the router(s) to tell the routers where to send the traffic when the clients talk:

ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1

This tells the router that traffic destined for the remote subnet IPs needs to go out via the firewall.
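Two points in this thread are easy to get wrong when assembling the config by hand: the crypto ACL's local object-group must cover every VLAN you intend to tunnel (the follow-up answer adds the missing 10.73.12.0/24), and the ISAKMP policy `lifetime` is taken by the ASA in seconds, so a phase-1 interval requested in minutes has to be converted. The script below is an added example written for this thread, not code from either poster; it parses the object-groups, follows the crypto map to its ACL, and reports which required subnets are uncovered and whether the phase-1 lifetime matches the requested minutes. The embedded config is a constructed sample reproducing the accepted answer's object-groups and policy, with the lifetime entered as the raw figure 1440 so the check has something to flag.

```python
import ipaddress
import re

# Constructed sample: the accepted answer's object-groups, crypto ACL and
# ISAKMP policy, reduced to the lines this check reads.
PROPOSED_CONFIG = """\
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0

access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
"""

# The requirements as stated in the question.
REQUIRED_LOCAL = ["10.73.10.0/24", "10.73.11.0/24", "10.73.12.0/24"]
REQUIRED_REMOTE = ["172.28.0.0/16", "10.30.150.0/24", "10.30.252.0/24", "10.28.0.0/16"]
REQUIRED_PHASE1_MINUTES = 1440


def parse_object_groups(config):
    """Return {group name: [IPv4Network, ...]} for every 'object-group network'.
    A group re-entered later in the config (as the follow-up answer does) is
    extended rather than replaced, which is how the ASA treats it."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object-group network (\S+)", line)
        if head:
            current = head.group(1)
            groups.setdefault(current, [])
            continue
        member = re.match(r"\s+network-object (\S+) (\S+)$", line)
        if member and current is not None:
            # ipaddress accepts "address/netmask" notation directly
            groups[current].append(ipaddress.ip_network(f"{member.group(1)}/{member.group(2)}"))
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the group
    return groups


def crypto_acl_groups(config, crypto_map):
    """Follow the crypto map's 'match address' to its ACL and return the
    (local, remote) object-group names from the ACL's permit line."""
    acl = re.search(rf"crypto map {crypto_map} \d+ match address (\S+)", config)
    if not acl:
        return None
    rule = re.search(
        rf"access-list {acl.group(1)} extended permit ip object-group (\S+) object-group (\S+)",
        config)
    return (rule.group(1), rule.group(2)) if rule else None


def uncovered(required, members):
    """Subnets in `required` that no member network fully contains."""
    return [r for r in map(ipaddress.ip_network, required)
            if not any(r.subnet_of(m) for m in members)]


def check_crypto_acl(config, crypto_map="VPNMAP"):
    """Return (missing_local, missing_remote) as lists of CIDR strings."""
    groups = parse_object_groups(config)
    names = crypto_acl_groups(config, crypto_map)
    if names is None:
        raise ValueError("crypto map or its ACL not found")
    local, remote = names
    return ([str(n) for n in uncovered(REQUIRED_LOCAL, groups.get(local, []))],
            [str(n) for n in uncovered(REQUIRED_REMOTE, groups.get(remote, []))])


def isakmp_lifetime_seconds(config):
    """The ISAKMP policy lifetime exactly as configured; the ASA reads it in seconds."""
    m = re.search(r"crypto isakmp policy \d+\n(?: .*\n)*? lifetime (\d+)", config)
    return int(m.group(1)) if m else None


def phase1_lifetime_matches(config, required_minutes):
    """True only if the configured seconds equal the requested minutes * 60."""
    return isakmp_lifetime_seconds(config) == required_minutes * 60


if __name__ == "__main__":
    print(check_crypto_acl(PROPOSED_CONFIG))
    print(phase1_lifetime_matches(PROPOSED_CONFIG, REQUIRED_PHASE1_MINUTES))
```

Run against the sample it reports `(['10.73.12.0/24'], [])` and `False`; appending the follow-up answer's `object-group network LOCAL-LAN` / `network-object 10.73.12.0 255.255.255.0` clears the first finding, and a lifetime of 86400 clears the second. The NONAT ACL reuses the same object-groups, so a subnet missing from LOCAL-LAN would also be NATed instead of exempted, which is why checking the groups rather than the ACL text alone is the useful test.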