Hi Kevin,

Here is a sample configuration output for ASA version 8.4.

crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco
 !Note the IKEv1 keyword at the beginning of the pre-shared-key command.

object network 10.2.2.0_24 
 subnet 10.2.2.0 255.255.255.0 
object network 10.1.10_24 
 subnet 10.1.1.0 255.255.255.0

access-list 100 extended permit ip object 10.2.2.0_24 object 10.1.1.0_24

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac

crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 192.168.254.1
crypto map outside_map 20 set ikev1 transform-set myset
crypto map outside_map 20 set pfs
crypto map outside_map interface outside

nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static
 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Below is a link on the same, however it from the older versions (before 8.2). But this will help you get the concept and also has some troubleshooting methods. Cisco had to introduce "crypto ikev1 enable" command instead of continuing with "crypto isakmp enable" command since we had to add support for "ikev2". So this change was done in version 8.4(1) onwards.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100678-l2l-asa5505-config.html

Please mark this as answered if the information provided help resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Hi Bratin, This is really helpful and I sppreciate you taking the time however I have one more query, for some reason I cannot get the nat command to work.

I am running os version 8.4 on Packet Tracer 6.2.0 but I get unrecognised command evertime I run it.

The command above that deals with NAT ...

nat (inside,outside) 1 source static 10.2.2.0_24 10.2.2.0_24 destination static 10.1.1.0_24 10.1.1.0_24 no-proxy-arp route-lookup

Does this have to be run as a subcommand in the network object piece and if so how do I do it? Which network object do I run it under?

ciscoasa(config)#

ciscoasa(config)#nat ?

% Unrecognized command

ciscoasa(config)#nat

^

% Invalid input detected at '^' marker.

ciscoasa(config)#

Thank you for all your help so far. Kevin

Hi Kevin,

That was a sample example with an ASA having 2 interfaces - inside and outside.

The NAT statement is run from global configuration mode, i.e., ciscoasa(config)#.

I did not find the "NAT configuration" option in the packet tracer version 6.1.0.0120 either, however in a lab scenario, we usually don't need one as we are using non-routable addresses to practice. So, you can skip the NAT config line which was put there.

Please mark this as answered if the information provided help resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Answering both queries.

Yes the configuration posted by you looks fine and you need to have a similar configuration on the peer device (router or asa) with a mirror image ACL. Meaning that on the peer unit the ACL format would look like "SITE-B to SITE-A".

The command "show crypto ipsec sa" can be run which includes parameters such as encaps/decaps - if both are increasing in sync it means that the tunnel is 'good'. If both don't have a value and you are trying to send traffic, it means that the traffic is unable to go over the VPN tunnel. If either of the encaps/ decaps has counter increasing it means that either encryption/ decryption (but not both) is working.

In the configuration, the section that has crypto ikev1 policy (one or more) is usually the phase I configuration, while the section that has crypto map transform-set, etc., is usually the phase II configuration.

Though from a very old 8.0.x, the following link has the segregation.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/100678-l2l-asa5505-config.html

Packet Tracer recent versions has 8.4 as the minimum version so don't compare much with 8.0 version.

Please mark this as answered if the information provided help resolve the query. Please open a new thread for any new query.

regards,

Bratin Saha

Cisco TAC

Bratin,

Do I need to have any static routes or does the tunnel just take care of routing?

Kevin

Hey Bratin,

Does this look OK...

ciscoasa#show running-config

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 185.51.105.2 255.255.255.252

!

object network SITE-A

subnet 192.168.1.0 255.255.255.0

object network SITE-B

subnet 192.168.2.0 255.255.255.0

object network TEST

!

route outside 0.0.0.0 0.0.0.0 185.51.105.1 1

!

access-list VPN-TRAFFIC extended permit icmp object SITE-A object SITE-B

!

!

telnet timeout 5

ssh timeout 5

!

dhcpd address 192.168.1.5-192.168.1.35 inside

dhcpd enable inside

!

dhcpd auto_config outside

!

!

crypto ipsec ikev1 transform-set MYTRANSFORMSET esp-aes esp-sha-hmac

!

crypto map outside_map 20 match address VPN-TRAFFIC

crypto map outside_map 20 set peer 185.51.106.2

crypto map outside_map 20 set ikev1 transform-set MYTRANSFORMSET

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

encr aes

authentication pre-share

group 2

!

tunnel-group 185.51.105.2 type ipsec-l2l

tunnel-group 185.51.105.2 ipsec-attributes

ikev1 pre-shared-key cisco

!

ciscoasa#

Hi,

Its dont works for me.

I try everything and same result:

MM_NO_STATE

F1:

interface Vlan1

nameif outside

security-level 0

ip address 172.16.1.2 255.255.255.252

!

interface Vlan2

nameif inside

security-level 100

ip address 10.0.1.1 255.255.255.0

!

object network F1

subnet 10.0.1.0 255.255.255.0

object network F2

subnet 10.0.2.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

!

access-list LAN_Traffic extended permit icmp object F1 object F2

access-list LAN_Traffic extended permit tcp object F1 object F2 eq www

crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac

!

crypto map L2L 1 match address LAN_Traffic

crypto map L2L 1 set peer 172.16.2.2

crypto map L2L 1 set ikev1 transform-set L2L

crypto map L2L interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

encr aes

authentication pre-share

group 2

!

tunnel-group 172.16.2.2 type ipsec-l2l

tunnel-group 172.16.2.2 ipsec-attributes

ikev1 pre-shared-key ThisIsAWeakKey

F2:

interface Vlan1

nameif outside

security-level 0

ip address 172.16.2.2 255.255.255.252

!

interface Vlan2

nameif inside

security-level 100

ip address 10.0.2.1 255.255.255.0

!

object network F1

subnet 10.0.1.0 255.255.255.0

object network F2

subnet 10.0.2.0 255.255.255.0

!

route outside 0.0.0.0 0.0.0.0 172.16.2.1 1

!

access-list LAN_Traffic extended permit icmp object F2 object F1

access-list LAN_Traffic extended permit tcp object F2 object F1 eq www

crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac

!

crypto map L2L 1 match address LAN_Traffic

crypto map L2L 1 set peer 172.16.1.2

crypto map L2L 1 set ikev1 transform-set L2L

crypto map L2L interface outside

crypto ikev1 enable outside

crypto ikev1 policy 10

encr aes

authentication pre-share

group 2

!

tunnel-group 172.16.1.2 type ipsec-l2l

tunnel-group 172.16.1.2 ipsec-attributes

ikev1 pre-shared-key ThisIsAWeakKey