https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629417#M196134 <P>Hello,</P><P>&nbsp;</P><P>I have designing a IPSEC VPN connect but it looks not like general example.&nbsp;&nbsp; Following environment setup description with network diagram for reference.&nbsp; Could you please advise?</P><P>&nbsp;</P><P>Environment Setup</P><P>- Form IPSEC VPN between two site via ASA, which ASA is routable facing to Internet<BR />- SERVER default gateway is Internal L3 Switch<BR />- L3 Switch default gateway is ASA<BR />- NO NAT require between ASA to SERVER</P><P>Question: How to config IPSEC site-to-site VPN to establish connection between LAN A &amp; LAN B? &nbsp;</P><P>&nbsp;</P><P>Thanks!</P> Tue, 12 Mar 2019 05:38:11 GMT Machi Ma 2019-03-12T05:38:11Z https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629417#M196134 <P>Hello,</P><P>&nbsp;</P><P>I have designing a IPSEC VPN connect but it looks not like general example.&nbsp;&nbsp; Following environment setup description with network diagram for reference.&nbsp; Could you please advise?</P><P>&nbsp;</P><P>Environment Setup</P><P>- Form IPSEC VPN between two site via ASA, which ASA is routable facing to Internet<BR />- SERVER default gateway is Internal L3 Switch<BR />- L3 Switch default gateway is ASA<BR />- NO NAT require between ASA to SERVER</P><P>Question: How to config IPSEC site-to-site VPN to establish connection between LAN A &amp; LAN B? &nbsp;</P><P>&nbsp;</P><P>Thanks!</P> Tue, 12 Mar 2019 05:38:11 GMT https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629417#M196134 Machi Ma 2019-03-12T05:38:11Z https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629418#M196135 <P>&nbsp;</P><P>I think below is a good guide</P><P>http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html</P><P>&nbsp;</P><P>In access list you need to include your Lan subnets</P> Fri, 13 Mar 2015 09:46:13 GMT https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629418#M196135 rakeshvelagala 2015-03-13T09:46:13Z https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629419#M196136 <P>Hi. It's not that easy to assist you with VPN config, because there are different levels of encryption, hashing and authentication which you must decide on what works best for your organization. What I can ell you is, in ASDM there is a very "easy to follow" <STRONG>site to site vpn wizard. </STRONG>If I was you I would give that a shot and come back if it doesn't work. Believe me.......... it's a wizard........ and it's not difficult. Just make sure you define your <STRONG>LAN subnets </STRONG>correctly on both ASAs (they will be opposite on each ASA) and your<STRONG> peer address&nbsp;</STRONG>(they will be opposite on each ASA).</P> Fri, 13 Mar 2015 17:33:03 GMT https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629419#M196136 Andre Neethling 2015-03-13T17:33:03Z https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629420#M196137 <P>Hi Machi,</P><P>&nbsp;</P><P>What is your both ASAs'&nbsp;IOS version?</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 15 Mar 2015 00:26:42 GMT https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629420#M196137 rizwanr74 2015-03-15T00:26:42Z https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629421#M196138 <P>Hello,</P><P>&nbsp;</P><P>That is 9.1(3)</P><P>Thanks!</P> Sun, 15 Mar 2015 03:09:59 GMT https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629421#M196138 Machi Ma 2015-03-15T03:09:59Z https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629422#M196139 <P><SPAN style="font-size:12px;">Here is one side configuration example.</SPAN></P><P><SPAN style="font-size:12px;">- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto ikev1 policy 1<BR />hostname(config-ikev1-policy)# authentication pre-share<BR />hostname(config-ikev1-policy)# encryption 3des<BR />hostname(config-ikev1-policy)# hash sha<BR />hostname(config-ikev1-policy)# group 2<BR />hostname(config-ikev1-policy)# lifetime 43200</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto ikev1 enable outside</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto ikev2 policy 1<BR />hostname(config-ikev2-policy)# encryption 3des<BR />hostname(config-ikev2-policy)# group 2<BR />hostname(config-ikev12-policy)# prf sha<BR />hostname(config-ikev2-policy)# lifetime 43200</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto ikev2 enable outside</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto ipsec ikev2 ipsec-proposal secure<BR />hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des<BR />hostname(config-ipsec-proposal)# protocol esp integrity sha-1</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# tunnel-group 221.222.223.224&nbsp;type ipsec-l2l<BR />hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes<BR />hostname(config-tunnel-ipsec)# ikev1 pre-shared-key YourPasswordGoesHere</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# crypto map abcmap 1 match address l2l_list<BR />hostname(config)# crypto map abcmap 1 set peer 10.10.4.108<BR />hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet<BR />hostname(config)# crypto map abcmap 1 set ikev2 ipsec-proposal secure<BR />hostname(config)# crypto map abcmap interface outside</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# route outside&nbsp;150.150.0.0 255.255.0.0 xxx.xxx.xxx.xxx</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;">hostname(config)#&nbsp;object-group network og-local-lan<BR />hostname(config)# &nbsp;network-object 192.168.0.0 255.255.0.0</SPAN></P><P><BR /><SPAN style="font-size:12px;">hostname(config)# &nbsp;object-group network og-remote-lan<BR />hostname(config)# &nbsp;network-object 150.150.0.0 255.255.0.0</SPAN></P><P><BR /><SPAN style="font-size:12px;">hostname(config)#&nbsp;nat (inside,outside) source static og-local-lan og-local-lan destination static og-remote-lan og-remote-lan no-proxy-arp route-lookup</SPAN></P><P><SPAN style="font-size:12px;">hostname(config)# write memory</SPAN></P><P><SPAN style="font-size:12px;">- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;- - - - - - - - - - - -&nbsp;</SPAN></P><P><SPAN style="font-size:12px;">xxx.xxx.xxx.xxx = equal to default gateway address on your ASA is using, which is pointing ISP.</SPAN></P><P><SPAN style="font-size:12px;">This public IP:&nbsp;221.222.223.224, just an example but you use each other's ASA's public address in the place of tunnel-group address.</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;">For the other ASA configuration follows exactly the same and&nbsp;you need to reverse the internal lan. &nbsp;You use your lan subnet need access to other side's local subnet in reverse side.</SPAN></P><P>&nbsp;</P><P><SPAN style="font-size:12px;">access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0&nbsp;192.168.0.0 255.255.0.0</SPAN></P> Sun, 15 Mar 2015 14:10:37 GMT https://community.cisco.com/t5/network-security/ipsec-setup-where-lan-not-directly-connected/m-p/2629422#M196139 rizwanr74 2015-03-15T14:10:37Z