Using the above network diagram, the scripts below can be applied to both devices to build a site-to-site VPN tunnel. The firewall on the left is a Cisco ASA and the device on the right is a Cisco Router. The router needs to have an IOS that supports VPNs. You can test this by typing 'crypto ?' and seeing if it has the commands available to make the tunnel. Usually a router with a K9 image on it is good enough. If not, it will require the security image to have IPsec capabilities.
After applying the config below, the device at 192.168.11.2 should be able to access 172.16.22.2 and vice versa.
BLUE ASA
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! The policy number is arbitrary. The parameters inside the policy
! must match with the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE
! Define the pre-shared-key
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
pre-shared-key sekretk3y
!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! ACL must be exactly the opposite of the other side's ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! Transform set must match other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE
!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1
! Make sure that the VPN traffic is NOT NAT'd
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT
RED ROUTER WITH CRYPTO SUPPORT
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! Note: The default isakmp settings on a router are Encr:DES Hash:SHA DH:Group 1
! If these settings are used, they will not show under 'show run'
crypto isakmp policy 5
encr aes
hash sha
authentication pre-share
group 2
crypto isakmp key sekretk3y address 11.11.11.11
!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
ip access-list extended ACL-VPN
permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 11.11.11.11
 set transform-set AES-SHA
 match address ACL-VPN
interface Fa0/0
 crypto map VPN-TUNNEL
 ip nat outside
interface Vlan2
 ip nat inside
!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
ip route 192.168.11.0 255.255.255.0 22.22.22.1
! Make sure that the VPN traffic is NOT NAT'd
ip access-list extended ACL-NAT
 deny ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip any any
ip nat inside source list ACL-NAT interface Fa0/0 overload