Cisco ASA IPSec VPN configuration

Recently, I upgraded my older 5540 from 8.03 to 9.02 of the IOS.

I know the exact commands below to create an IPSec tunnel with IOS 8.03.  Using the commands below, what are the new commands with IOS version 9.x to set up an IPSec tunnel?

access-list VPN extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list REMOTESITE extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set jdgset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map jdgmap 40 match address REMOTESITE
crypto map jdgmap 40 set peer 72.61.229.194
crypto map jdgmap 40 set transform-set jdgset2
crypto map jdgmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 72.61.229.194 type ipsec-l2l
tunnel-group 72.61.229.194 ipsec-attributes
 pre-shared-key cisco123

Thank you for any and all help,
Jeff


(why is Cisco ALWAYS screwing with the command line commands????!!!...sorry, had to get that off of my chest.)
jgrammer42Asked:
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
//IPsec phase 1 configuration (IKEv1)

ciscoasa(config)# crypto ikev1 policy 1
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption aes-256
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 5
ciscoasa(config-ikev1-policy)# lifetime 3600
ciscoasa(config-ikev1-policy)# exit
ciscoasa(config)# crypto ikev1 enable outside

//Define transform-set using AES-256 and SHA-1

ciscoasa(config)# crypto ipsec ikev1 transform-set aesset esp-aes-256 esp-sha-hmac

//Define access-list for local and remote network

ciscoasa(config)# access-list ipsec_access_list extended permit ip 10.1.1.0 255.255.255.0 192.168.30.0 255.255.255.0

//Define tunnel-group for LAN to LAN IPsec VPN connection

ciscoasa(config)# tunnel-group 210.211.10.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 210.211.10.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key password123
ciscoasa(config-tunnel-ipsec)# exit

//IPsec phase 2 configuration

ciscoasa(config)# crypto map ipsecmap 1 match address ipsec_access_list
ciscoasa(config)# crypto map ipsecmap 1 set peer 210.211.10.1
ciscoasa(config)# crypto map ipsecmap 1 set ikev1 transform-set aesset
ciscoasa(config)# crypto map ipsecmap 1 set pfs group5
ciscoasa(config)# crypto map ipsecmap 1 set security-association lifetime seconds 28800
ciscoasa(config)# crypto map ipsecmap interface outside



Note: You need to have no NAT for your interesting traffic.

jgrammer42Author Commented:
Netexpert

Thank you I will try this tomorrow.

I did not understand the last sentence of your post though.  My apologies.  Would you repeat that?

Thank you again
jeff
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
Let me repeat it,

By default, all your LAN network traffic will get PAT/NAT to reach the internet/outside. Hence you might need to do NO NAT for your LAN network to reach the remote office LAN network through IPsec.


object network LOCAL-LAN
 subnet 192.168.200.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN
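The command mapping in the two answers above is mechanical enough to script. The Python below is an added example for this thread, not a Cisco tool and not the poster's or the answerer's configuration: it takes the 8.0 configuration from the question, rewrites the commands that gained an ikev1 keyword in 8.4/9.x, converts the nat 0 exemption into identity twice-NAT with network objects (8.3+ will not accept literal subnets there), turns the catch-all nat 1 into object NAT, and then audits the result for algorithm and key choices that should not go live. Assumptions that are not on the page: objects are named obj-<network> (mirroring what the 8.3 auto-migration produces), the old nat 1 line becomes interface PAT on the crypto map's outside interface because no global line was posted, and the exemption gets no-proxy-arp route-lookup.

```python
"""Translate a pre-8.3 ASA IKEv1 L2L config into 8.4/9.x syntax and flag weak
settings. Added example for this thread, not Cisco's tool and not the poster's
config. It covers only the command forms that appear in the question above.
Assumptions (not from the page): objects are named obj-<network>, the old
"nat (inside) 1 0.0.0.0 0.0.0.0" becomes interface PAT on the outside
interface, and the exemption gets "no-proxy-arp route-lookup".
"""
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")                # exemption
NAT_PAT_RE = re.compile(r"^nat \((\S+)\) [1-9]\d* 0\.0\.0\.0 0\.0\.0\.0$")  # old PAT
CRYPTO_IF_RE = re.compile(r"^crypto map \S+ interface (\S+)$")

# Commands that gained an "ikev1" keyword in 8.4/9.x. Everything else in the
# question (access-lists, crypto map match/peer, isakmp identity, nat-traversal,
# policy sub-commands, tunnel-group type) is unchanged.
SUBS = [
    (re.compile(r"^crypto isakmp (enable|policy) "), r"crypto ikev1 \1 "),
    (re.compile(r"^crypto ipsec transform-set "), "crypto ipsec ikev1 transform-set "),
    (re.compile(r"^(crypto map \S+ \d+ set) transform-set "), r"\1 ikev1 transform-set "),
    (re.compile(r"^pre-shared-key "), "ikev1 pre-shared-key "),
]

# The question's own 8.0 configuration, copied from the thread above.
OLD_CONFIG = """\
access-list VPN extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list REMOTESITE extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set jdgset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map jdgmap 40 match address REMOTESITE
crypto map jdgmap 40 set peer 72.61.229.194
crypto map jdgmap 40 set transform-set jdgset2
crypto map jdgmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 72.61.229.194 type ipsec-l2l
tunnel-group 72.61.229.194 ipsec-attributes
 pre-shared-key cisco123
"""


def translate(old_config: str) -> list:
    """Return the 9.x equivalent of a pre-8.3 L2L config, line by line."""
    lines = [l.rstrip() for l in old_config.splitlines() if l.strip()]
    acls, outside = {}, "outside"
    for l in lines:  # first pass: ACL bodies and the crypto map's interface
        m = ACL_RE.match(l)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        m = CRYPTO_IF_RE.match(l)
        if m:
            outside = m.group(1)
    out, defined = [], set()

    def obj(net, mask):  # emit a network object once and return its name
        name = f"obj-{net}"
        if name not in defined:
            defined.add(name)
            out.extend([f"object network {name}", f" subnet {net} {mask}"])
        return name

    for l in lines:
        s = l.lstrip()
        indent = l[: len(l) - len(s)]
        m = NAT0_RE.match(s)
        if m:  # nat 0 became identity twice-NAT; it takes objects, not subnets
            inside, acl = m.groups()
            for src, smask, dst, dmask in acls.get(acl, []):
                a, b = obj(src, smask), obj(dst, dmask)
                out.append(f"nat ({inside},{outside}) source static {a} {a} "
                           f"destination static {b} {b} no-proxy-arp route-lookup")
            continue
        m = NAT_PAT_RE.match(s)
        if m:  # catch-all PAT became object NAT (assumes PAT to the interface)
            out.extend(["object network obj_any", " subnet 0.0.0.0 0.0.0.0",
                        f" nat ({m.group(1)},{outside}) dynamic interface"])
            continue
        for pat, repl in SUBS:
            s = pat.sub(repl, s)
        out.append(indent + s)
    return out


def audit(config: str) -> list:
    """Flag algorithm and key choices that should not go live on either version."""
    weak_tokens = {
        "des": "DES is broken; use aes-256", "esp-des": "DES is broken; use esp-aes-256",
        "3des": "3DES is deprecated (Sweet32); use aes-256",
        "esp-3des": "3DES is deprecated (Sweet32); use esp-aes-256",
        "md5": "MD5 is deprecated; use sha256", "esp-md5-hmac": "MD5 is deprecated; use esp-sha-hmac or stronger",
    }
    weak_lines = {"group 1": "DH group 1 (768-bit) is broken; use group 14 or higher",
                  "group 2": "DH group 2 (1024-bit) is weak; use group 14 or higher"}
    findings = []
    for line in config.splitlines():
        s = line.strip()
        if s in weak_lines:
            findings.append(f"{s}: {weak_lines[s]}")
        findings += [f"{s}: {weak_tokens[t]}" for t in s.split() if t in weak_tokens]
        if s.startswith(("pre-shared-key ", "ikev1 pre-shared-key ")) and len(s.split()[-1]) < 16:
            findings.append(f"{s.split()[0]}: PSK is shorter than 16 characters; use a long random one")
    return findings


if __name__ == "__main__":
    print("\n".join(translate(OLD_CONFIG)))
    for finding in audit(OLD_CONFIG):
        print("WARNING:", finding)
```

Two things worth knowing when you paste the output in: the identity twice-NAT lands in NAT section 1, which the ASA evaluates before the object NAT in section 2, so the exemption wins no matter where the obj_any PAT ends up in the running config; and the translator deliberately keeps 3DES, DH group 2 and the short PSK exactly as posted, because it is a translation, not a hardening pass, and audit() is what tells you to change them before the tunnel carries production traffic. After applying, confirm the exemption is actually hit with "packet-tracer input inside tcp 192.168.200.10 12345 192.168.1.10 443" (the phase should show the static NAT rule, not the dynamic PAT) and check the tunnel with "show crypto ikev1 sa" and "show crypto ipsec sa".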
jgrammer42Author Commented:
Worked to perfection.

Thank you VERY much