Solved

Branch office VPN config

Posted on 2013-12-06
Last Modified: 2014-01-02
Hi, I have an ASA 5505 config and need to preconfigure it for a branch office VPN with another 5505 at a remote office.
Is it possible to complete the necessary IOS command lines in my config?
It needs the following authentication & encryption settings:
IKE (phase 1): pre-shared key, MD5-HMAC-3DES, Diffie-Hellman group 2, interval 1440 min
IPSEC (phase 2): tunnel, MD5-HMAC-3DES, PFS disabled, renegotiation interval 3600 sec
WAN remote site: 80.95.138.136
Internal vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24) and vlan3 (10.73.12.0/24) from the local site need to be routed to the branch office VLANs.
Subnets on the remote site are 172.28.0.0/16, 10.30.150.0/24, 10.30.252.0/24, 10.28.0.0/16
configASA1-XPERTS.txt
Question by:antwerp2007
3 Comments
Accepted Solution

by: Britt Thompson (earned 2000 total points)
ID: 39702249
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0

object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0

! NONAT exempts tunnel traffic from translation; CRYPTO-BRANCH selects what the tunnel carries
access-list NONAT extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
access-list CRYPTO-BRANCH extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN

! identity NAT (pre-8.3 syntax)
nat (inside) 0 access-list NONAT

! phase 2: 3DES/MD5, 3600 s renegotiation, no PFS (none set on the crypto map)
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address CRYPTO-BRANCH
crypto map VPNMAP 1 set peer 80.95.138.136
crypto map VPNMAP 1 set transform-set VPNSET
crypto map VPNMAP interface outside

! phase 1: pre-shared key, 3DES, MD5, DH group 2; the lifetime is in seconds, so 1440 min = 86400 s
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

tunnel-group 80.95.138.136 type ipsec-l2l
tunnel-group 80.95.138.136 ipsec-attributes
 pre-shared-key YOURPRESHAREDKEY
Author Comment

by:antwerp2007
ID: 39703007
Hello renazonse, thank you for the config. Don't I need some static routes to make sure that traffic from my local VLANs can be routed to the remote networks? I give you some additional infrastructure information also. My Catalyst 3750X stack performs the inter-VLAN routing for the local VLANs: vlan1 (10.73.10.0/24), vlan2 (10.73.11.0/24), vlan3 (10.73.12.0/24). The default gateway on the Catalyst 3750X stack is the IP of its interface vlan1 (10.73.10.10); the gateway of last resort points to the LAN IP of the ASA. The DHCP server (Server 2K8) default gateway is also the CAT3750X interface vlan1 (10.73.10.10). All the other clients and servers use the LAN IP of the ASA as default gateway.
cat3750X-29112013expertsexch-con.rtf
Assisted Solution

by: Britt Thompson (earned 2000 total points)
ID: 39706347
object-group network LOCAL-LAN
 network-object 10.73.12.0 255.255.255.0

Would need to be added, but as long as the routes are on the firewall, which they are, all the traffic will be allowed from the firewall out.

Then, you have to create the routes on the router(s) to tell the routers where to send the traffic when the clients talk:

! next hop is the ASA inside interface (10.73.10.1 is assumed here; use the ASA's actual LAN IP)
ip route 172.28.0.0 255.255.0.0 10.73.10.1 1
ip route 10.30.150.0 255.255.255.0 10.73.10.1 1
ip route 10.30.252.0 255.255.255.0 10.73.10.1 1
ip route 10.28.0.0 255.255.0.0 10.73.10.1 1

This tells the routers that traffic destined for the remote subnet IPs needs to go out the firewall.
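An added pre-paste check, not from the thread or from Cisco, that serves both answers above: it parses the ASA object-groups and the isakmp lifetime and compares them with the subnets and the 1440-minute phase-1 interval the question asks for. The sample config is constructed for the example and deliberately keeps the two points the thread turns on, the missing vlan3 entry and a lifetime written as 1440 although the ASA takes that value in seconds.

```python
import re
from ipaddress import IPv4Network

# Constructed sample (not the thread's attached config): the accepted answer's
# object-groups plus its phase-1 policy, deliberately keeping the two gaps the
# thread turns on: vlan3 (10.73.12.0/24) is absent and "lifetime 1440" is in
# seconds on the ASA although the requirement says 1440 minutes.
ASA_CONFIG = """\
object-group network LOCAL-LAN
 network-object 10.73.10.0 255.255.255.0
 network-object 10.73.11.0 255.255.255.0
object-group network REMOTE-LAN
 network-object 172.28.0.0 255.255.0.0
 network-object 10.30.150.0 255.255.255.0
 network-object 10.30.252.0 255.255.255.0
 network-object 10.28.0.0 255.255.0.0
crypto isakmp policy 10
 lifetime 1440
"""
EXPECTED_LOCAL = [IPv4Network(n) for n in ("10.73.10.0/24", "10.73.11.0/24", "10.73.12.0/24")]
EXPECTED_REMOTE = [IPv4Network(n) for n in ("172.28.0.0/16", "10.30.150.0/24", "10.30.252.0/24", "10.28.0.0/16")]

def parse_asa(cfg):
    """Return ({object-group name: [IPv4Network, ...]}, isakmp lifetime in seconds or None)."""
    groups, lifetime, section = {}, None, None
    for line in cfg.splitlines():
        if not line.startswith(" "):          # top-level command: remember which section we are in
            m = re.match(r"object-group network (\S+)$", line)
            section = m.group(1) if m else "isakmp" if line.startswith("crypto isakmp policy") else None
            if m:
                groups[section] = []
        elif section == "isakmp" and (m := re.match(r"\s+lifetime (\d+)$", line)):
            lifetime = int(m.group(1))
        elif section in groups and (m := re.match(r"\s+network-object (\S+) (\S+)$", line)):
            groups[section].append(IPv4Network(f"{m.group(1)}/{m.group(2)}"))  # addr/netmask form
    return groups, lifetime

def check_vpn_config(cfg, expected_local, expected_remote, phase1_minutes):
    """List every way the config falls short of the requirement; [] means it matches."""
    groups, lifetime = parse_asa(cfg)
    findings = [f"LOCAL-LAN missing {n}" for n in expected_local if n not in groups.get("LOCAL-LAN", [])]
    findings += [f"REMOTE-LAN missing {n}" for n in expected_remote if n not in groups.get("REMOTE-LAN", [])]
    want = phase1_minutes * 60                # requirement in minutes, ASA "lifetime" takes seconds
    if lifetime != want:
        findings.append(f"phase-1 lifetime {lifetime} s, expected {want} s")
    return findings
```

Running check_vpn_config(ASA_CONFIG, EXPECTED_LOCAL, EXPECTED_REMOTE, 1440) on the sample reports the missing vlan3 entry and the lifetime mismatch; an empty list means the snippet matches the stated requirement.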