Solved

Branch office VPN config

Posted on 2013-12-06
Medium Priority
462 Views
Last Modified: 2014-01-02
Hi, I have an ASA 5505 config and need to preconfigure it for a branch office VPN with another 5505 at a remote office.
Is it possible to complete the necessary IOS command lines for my config?
It needs the following authentication & encryption settings:
IKE (phase 1): pre-shared key, MD5-HMAC, 3DES, Diffie-Hellman group 2, interval 1440 min
IPsec (phase 2): tunnel mode, MD5-HMAC, 3DES, PFS disabled, renegotiation interval 3600 sec
WAN remote site: 80.95.138.136
Internal vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24) and vlan3 (10.73.12.0/24) from the local site need to be routed to the branch office VLANs.
Subnets on the remote site are 172.28.0.0/16, 10.30.150.0/24, 10.30.252.0/24 and 10.28.0.0/16.
configASA1-XPERTS.txt
Question by: antwerp2007
3 Comments

LVL 30

Accepted Solution

by: Britt Thompson (earned 2000 total points)
ID: 39702249
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0

access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

nat (inside) 0 access-list NONAT

crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer 80.95.138.136
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 ! the ISAKMP policy lifetime is in seconds, so 1440 min is 86400 (lifetime 1440 would rekey every 24 minutes)
 lifetime 86400

tunnel-group 80.95.138.136 type ipsec-l2l
tunnel-group 80.95.138.136 ipsec-attributes
 pre-shared-key YOURPRESHAREDKEY

LVL 1

Author Comment

by: antwerp2007
ID: 39703007
Hello renazonse, thank you for the config. Don't I need some static routes to make sure that traffic from my local VLANs can be routed to the remote networks? I'll give you some additional infrastructure information as well. My Catalyst 3750X stack performs the inter-VLAN routing for the local VLANs: vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24), vlan3 (10.73.12.0/24). The default gateway on the Catalyst 3750X stack is the IP of its interface vlan1 (10.73.10.10); the gateway of last resort points to the LAN IP of the ASA. The DHCP server (Server 2K8) default gateway is also the Cat3750X interface vlan1 (10.73.10.10). All the other clients and servers use the LAN IP of the ASA as default gateway.
cat3750X-29112013expertsexch-con.rtf

LVL 30

Assisted Solution

by: Britt Thompson (earned 2000 total points)
ID: 39706347
object-group network LOCAL-LAN
 network-object 10.73.12.0 255.255.255.0

This would need to be added, but as long as the routes are on the firewall, which they are, all the traffic will be allowed from the firewall out.

Then, you have to create the routes on the router(s) to tell the routers where to send the traffic when the clients talk:

ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1

This tells the router(s) that traffic destined for the remote subnets needs to go out via the firewall.
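The two answers above fix two different gaps (a local VLAN missing from LOCAL-LAN, and the static routes on the Catalyst 3750X toward the ASA). Before pasting a config like this into a production firewall, a practitioner would want a mechanical check for exactly those gaps, plus the two mistakes that silently break a site-to-site tunnel: traffic that the crypto ACL matches but NONAT does not exempt (so it is NATed before it reaches the crypto map), and the ISAKMP lifetime typed in minutes when the keyword expects seconds. The script below is an added example, not code from the thread or from Cisco. It parses only the handful of line types used in these answers; the ASA config it carries is a constructed copy of the first answer with 10.73.12.0/24 left out and `lifetime 1440` entered as the minutes figure, i.e. the two slips the checks are meant to catch, and 10.73.10.1 is assumed to be the ASA inside address because the posted switch routes point there.

```python
"""Offline sanity checks for an ASA 5505 site-to-site VPN config and the
L3 switch routes that feed it.  Added example; parses only 'object-group
network', 'access-list ... extended permit ip object-group X object-group Y',
the ISAKMP policy 'lifetime' line and Catalyst 'ip route' lines."""
import ipaddress
import re

# Constructed input: the thread's first answer, trimmed to the lines the
# checks read, with 10.73.12.0/24 missing and the phase-1 lifetime typed
# as the minutes value (two mistakes the checks below are meant to find).
ASA_CONFIG = """\
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0
object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
nat (inside) 0 access-list NONAT
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 1440
"""

# Constructed input: the Catalyst 3750X static routes from the third comment.
SWITCH_ROUTES = """\
ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1
"""

LOCAL_VLANS = ["10.73.10.0/24", "10.73.11.0/24", "10.73.12.0/24"]  # from the question
ASA_INSIDE_IP = "10.73.10.1"  # assumed: the next hop the posted switch routes use


def parse_object_groups(config):
    """Return {group name: set of ip_network} for 'object-group network' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), set())
            continue
        m = re.match(r"\s+network-object (\S+) (\S+)", line)
        if m and current is not None:
            current.add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group block
    return groups


def acl_pairs(config, acl_name, groups):
    """Expand 'permit ip object-group A object-group B' entries of one ACL into (src, dst) networks."""
    pat = rf"access-list {re.escape(acl_name)} extended permit ip object-group (\S+) object-group (\S+)"
    return {(src, dst) for m in re.finditer(pat, config)
            for src in groups[m.group(1)] for dst in groups[m.group(2)]}


def crypto_not_nat_exempt(config):
    """(src, dst) pairs the crypto ACL would encrypt but NONAT does not exempt from NAT."""
    groups = parse_object_groups(config)
    return acl_pairs(config, "CRYPTO-BRANCH", groups) - acl_pairs(config, "NONAT", groups)


def vlans_missing_from_local_lan(config, vlans):
    """Local VLAN subnets no LOCAL-LAN entry covers: their traffic never becomes 'interesting'."""
    local = parse_object_groups(config).get("LOCAL-LAN", set())
    return sorted(v for v in vlans
                  if not any(ipaddress.ip_network(v).subnet_of(n) for n in local))


def isakmp_lifetime_seconds(config):
    """Configured phase-1 lifetime; the ASA 'lifetime' keyword is seconds, not minutes."""
    m = re.search(r"^\s*lifetime (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else None


def remote_nets_without_route(config, routes_text, next_hop):
    """REMOTE-LAN subnets the L3 switch has no static route for via the ASA inside address."""
    routed = {ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
              for m in re.finditer(r"ip route (\S+) (\S+) (\S+)", routes_text)
              if m.group(3) == next_hop}
    remote = parse_object_groups(config).get("REMOTE-LAN", set())
    return sorted(str(n) for n in remote if not any(n.subnet_of(r) for r in routed))


if __name__ == "__main__":
    print("VLANs not in LOCAL-LAN:", vlans_missing_from_local_lan(ASA_CONFIG, LOCAL_VLANS))
    print("Crypto pairs not NAT-exempt:", crypto_not_nat_exempt(ASA_CONFIG))
    secs = isakmp_lifetime_seconds(ASA_CONFIG)
    print("Phase-1 lifetime:", secs, "s; 1440 min would be", 1440 * 60, "s")
    print("Remote nets without a switch route:",
          remote_nets_without_route(ASA_CONFIG, SWITCH_ROUTES, ASA_INSIDE_IP))
```

Run against the constructed input it reports 10.73.12.0/24 as missing from LOCAL-LAN (the gap the second answer closes), an empty NAT-exemption difference (the two ACLs are built from the same object groups, which is why using object groups for both is good practice), a 1440-second phase-1 lifetime that does not match the requested 1440 minutes, and no missing switch routes; drop one `ip route` line and the last check names the unreachable remote subnet.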