Solved

Branch office VPN config

Posted on 2013-12-06
Last Modified: 2014-01-02
Hi, I have an ASA 5505 config and need to preconfigure it for a branch office VPN with another 5505 at a remote office.
Is it possible to complete the necessary IOS command lines for my config?
It needs the following authentication & encryption settings:
IKE (phase 1): pre-shared key, MD5-HMAC, 3DES, Diffie-Hellman group 2, interval 1440 min
IPsec (phase 2): tunnel mode, MD5-HMAC, 3DES, PFS disabled, renegotiation interval 3600 sec
WAN remote site: 80.95.138.136
Internal vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24) and vlan3 (10.73.12.0/24) from the local site need to be routed to the branch office VLANs.
Subnets on the remote site are 172.28.0.0/16, 10.30.150.0/24, 10.30.252.0/24 and 10.28.0.0/16.
configASA1-XPERTS.txt
Question by:antwerp2007
Accepted Solution

by: Britt Thompson (earned 500 total points)
ID: 39702249
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0

! NONAT exempts tunnel traffic from NAT; CRYPTO-BRANCH selects what gets encrypted.
! Both use the same source/destination pairs, and the peer's crypto ACL must be the exact mirror image.
access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

! Pre-8.3 NAT exemption syntax; on ASA 8.3 and later this is written as a twice-NAT rule instead.
nat (inside) 0 access-list NONAT

! Phase 2: 3DES/MD5 transform, 3600 s SA lifetime (set globally here), no PFS because no 'set pfs' is applied to the map.
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer 80.95.138.136
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside
! Phase 1: the ASA lifetime is in seconds, so the requested 1440 minutes is 86400 seconds.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 80.95.138.136 type ipsec-l2l
tunnel-group 80.95.138.136 ipsec-attributes
 pre-shared-key YOURPRESHAREDKEY
Author Comment

by:antwerp2007
ID: 39703007
Hello renazonse, thank you for the config. Don't I need some static routes to make sure that traffic from my local VLANs can be routed to the remote networks? I will also give you some additional infrastructure information. My Catalyst 3750X stack performs the inter-VLAN routing for the local VLANs: vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24), vlan3 (10.73.12.0/24). The default gateway on the Catalyst 3750X stack is the IP of its interface vlan1 (10.73.10.10); the gateway of last resort points to the LAN IP of the ASA. The DHCP server (Server 2K8) default gateway is also the CAT3750X interface vlan1 (10.73.10.10). All the other clients and servers use the LAN IP of the ASA as default gateway.
cat3750X-29112013expertsexch-con.rtf
Assisted Solution

by: Britt Thompson (earned 500 total points)
ID: 39706347
object-group network LOCAL-LAN
 network-object 10.73.12.0 255.255.255.0

would need to be added, but as long as the routes are on the firewall, which they are, all the traffic will be allowed from the firewall out.

Then you have to create the routes on the router(s) to tell them where to send the traffic when the clients talk:

! Catalyst 3750X (IOS): next hop is the ASA inside address; the trailing 1 is the default administrative distance.
ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1

This tells the switch that traffic destined for the remote subnets needs to go out via the firewall.
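The two answers above describe one procedure: a crypto ACL and NAT exemption on the ASA, a matching IKEv1/IPsec proposal on each peer, and static routes on the Layer 3 switch pointing at the ASA. The script below is an added example for this thread, not configuration posted by either participant. It renders the ASA 8.2-style fragment for both peers from a single spec so the two crypto ACLs are mirror images by construction, converts the 1440-minute phase 1 lifetime into the seconds the ASA expects, checks that no local subnet overlaps a remote one (the classic reason a site-to-site tunnel passes no traffic), and emits the 3750X routes. Addresses and algorithms come from the thread; the asker's ASA outside address (203.0.113.10) and the pre-shared key are placeholders, and 10.73.10.1 as the ASA inside address is taken from the routes in the second answer. 3DES, MD5 and DH group 2 only reproduce what the question asked for; on current software a practitioner would pick AES, SHA-2 and DH group 14 or higher, and enable PFS.

```python
import ipaddress

# Values from the thread. SITE_A is the asker's ASA, SITE_B the remote 5505.
SITE_A_WAN = "203.0.113.10"      # assumed: the asker's outside IP is not on the page
SITE_B_WAN = "80.95.138.136"     # remote peer given in the question
SITE_A_LANS = ["10.73.10.0/24", "10.73.11.0/24", "10.73.12.0/24"]
SITE_B_LANS = ["172.28.0.0/16", "10.30.150.0/24", "10.30.252.0/24", "10.28.0.0/16"]
ASA_A_INSIDE = "10.73.10.1"      # next hop used by the static routes in the second answer

PHASE1 = {"encryption": "3des", "hash": "md5", "group": 2, "lifetime_min": 1440}
PHASE2 = {"transform": "esp-3des esp-md5-hmac", "lifetime_sec": 3600}


def mask(cidr):
    """'10.73.10.0/24' -> '10.73.10.0 255.255.255.0' (ASA/IOS address-mask form)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def render_asa(local_lans, remote_lans, peer, psk, p1=PHASE1, p2=PHASE2):
    """ASA 8.2-style IKEv1 L2L fragment for one side; call again with local/remote swapped for the peer."""
    lines = ["object-group network LOCAL-LAN"]
    lines += [f" network-object {mask(n)}" for n in local_lans]
    lines.append("object-group network REMOTE-LAN")
    lines += [f" network-object {mask(n)}" for n in remote_lans]
    lines += [
        "access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN",
        "access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN",
        "nat (inside) 0 access-list NONAT",
        f"crypto ipsec transform-set VPNSET {p2['transform']}",
        "crypto map VPNMAP 1 match address CRYPTO-BRANCH",
        f"crypto map VPNMAP 1 set peer {peer}",
        "crypto map VPNMAP 1 set transform-set VPNSET",
        # per-map phase 2 lifetime instead of the global default; no 'set pfs' because PFS is disabled
        f"crypto map VPNMAP 1 set security-association lifetime seconds {p2['lifetime_sec']}",
        "crypto map VPNMAP interface outside",
        "crypto isakmp enable outside",
        "crypto isakmp policy 10",
        " authentication pre-share",
        f" encryption {p1['encryption']}",
        f" hash {p1['hash']}",
        f" group {p1['group']}",
        f" lifetime {p1['lifetime_min'] * 60}",  # ASA takes seconds: 1440 min -> 86400
        f"tunnel-group {peer} type ipsec-l2l",
        f"tunnel-group {peer} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return lines


def protected_pairs(local_lans, remote_lans):
    """Expand the object-group crypto ACL into the (local, remote) pairs it actually protects."""
    return {(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in local_lans for r in remote_lans}


def acls_mirror(pairs_a, pairs_b):
    """True when side B's crypto ACL is exactly the reverse of side A's (a mismatch means no tunnel)."""
    return pairs_a == {(r, l) for (l, r) in pairs_b}


def overlapping(local_lans, remote_lans):
    """Local/remote subnet pairs that overlap; those need NAT over the VPN, not just a route."""
    return [(l, r) for l in local_lans for r in remote_lans
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r))]


def switch_routes(remote_lans, next_hop):
    """IOS static routes for the 3750X stack, pointing every remote subnet at the ASA inside address."""
    return [f"ip route {mask(n)} {next_hop}" for n in remote_lans]


if __name__ == "__main__":
    psk = "REPLACE-WITH-A-LONG-RANDOM-PSK"       # placeholder; must be identical on both peers
    side_a = render_asa(SITE_A_LANS, SITE_B_LANS, SITE_B_WAN, psk)
    side_b = render_asa(SITE_B_LANS, SITE_A_LANS, SITE_A_WAN, psk)
    assert acls_mirror(protected_pairs(SITE_A_LANS, SITE_B_LANS),
                       protected_pairs(SITE_B_LANS, SITE_A_LANS))
    assert not overlapping(SITE_A_LANS, SITE_B_LANS)
    print("\n".join(side_a), "! --- remote 5505 ---", "\n".join(side_b), sep="\n")
    print("! --- Catalyst 3750X ---", *switch_routes(SITE_B_LANS, ASA_A_INSIDE), sep="\n")
```

Paste the first fragment into the asker's ASA and the second into the remote 5505. If the remote end is administered by someone else, compare their crypto ACL against the reversed output of protected_pairs before bringing the tunnel up; a single missing subnet on one side makes phase 2 fail for that pair only, which is harder to spot than a tunnel that never comes up at all.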
