jgrammer42

asked on

Cisco ASA IPSec VPN configuration

Recently, I upgraded my older 5540 from 8.03 to 9.02 of the IOS.

I know the exact commands below to create an IPSec tunnel with IOS 8.03.  Using the commands below, what are the new commands with IOS version 9.x to set up an IPSec tunnel?

access-list VPN extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list REMOTESITE extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set jdgset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map jdgmap 40 match address REMOTESITE
crypto map jdgmap 40 set peer 72.61.229.194
crypto map jdgmap 40 set transform-set jdgset2
crypto map jdgmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group 72.61.229.194 type ipsec-l2l
tunnel-group 72.61.229.194 ipsec-attributes
 pre-shared-key cisco123

Thank you for any and all help,
Jeff


(why is Cisco ALWAYS screwing with the command line commands????!!!...sorry, had to get that off of my chest.)
ASKER CERTIFIED SOLUTION
NetExpert Network Solutions Pte Ltd
jgrammer42

ASKER

Netexpert

Thank you I will try this tomorrow.

I did not understand the last sentence of your post though.  My apologies.  Would you repeat that?

Thank you again
jeff
Let me repeat it,

By default all your LAN network traffic will get PAT/NAT to reach the internet/outside. Hence you might need to do NO NAT for your LAN network to reach the remote office LAN network through IPSec.


nat (inside,outside) source static 192.168.200.0 192.168.200.0 destination static 192.168.1.0 192.168.1.0
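As an added example (not part of the thread, and not Cisco's or NetExpert's own text), here is the asker's 8.0 configuration rewritten in the 8.3+/9.x syntax, where the NAT exemption above must reference network objects rather than bare addresses. The object names LOCAL-LAN, REMOTE-LAN and OBJ-ANY are chosen for this example, and the pre-shared key is a placeholder.

```cisco
! --- Interesting traffic for the tunnel (unchanged from 8.0) ---
access-list REMOTESITE extended permit ip 192.168.200.0 255.255.255.0 192.168.1.0 255.255.255.0

! --- Network objects (names chosen for this example) ---
object network LOCAL-LAN
 subnet 192.168.200.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.1.0 255.255.255.0
! Replaces "nat (inside) 1 0.0.0.0 0.0.0.0": PAT everything else to the outside address
object network OBJ-ANY
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! --- NAT exemption ---
! Replaces "nat (inside) 0 access-list VPN": identity twice NAT so tunnel traffic keeps
! its real addresses (section 1, so it is evaluated before the object NAT above).
! route-lookup keeps routing honest for the destination; no-proxy-arp stops the ASA
! answering ARP for the remote subnet on the inside interface.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Phase 1: "isakmp" becomes "ikev1" for enable/policy ---
crypto ikev1 enable outside
crypto isakmp identity address
crypto ikev1 policy 20
 authentication pre-share
 ! 3DES / SHA-1 / DH group 2 kept only to match the existing peer; prefer AES and
 ! DH group 14 or higher once both ends support them.
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

! --- Phase 2: transform set and crypto map gain the ikev1 keyword ---
crypto ipsec ikev1 transform-set jdgset2 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map jdgmap 40 match address REMOTESITE
crypto map jdgmap 40 set peer 72.61.229.194
crypto map jdgmap 40 set ikev1 transform-set jdgset2
crypto map jdgmap interface outside

! --- Peer: pre-shared key is now prefixed with ikev1 ---
tunnel-group 72.61.229.194 type ipsec-l2l
tunnel-group 72.61.229.194 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
```

After applying it, "show nat" should list the identity rule in section 1 ahead of the dynamic PAT, and "show crypto ikev1 sa" / "show crypto ipsec sa" confirm Phase 1 and Phase 2 came up.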
Worked to perfection.

Thank you VERY much