07-31-2017 08:21 AM - edited 03-12-2019 02:45 AM
Hi, here is the problem.
Router1 SITE1--------- INTERNET ---------SITE2 ASA------Router2.
I want to set up a site-to-site VPN between ROUTER1 and ROUTER2. However, there is an ASA in between. Is it possible? I do not want to configure a VPN on the ASA but want to configure the VPN on Router2.
Router1
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 5
crypto isakmp key cisco12345 address 209.165.201.254
crypto ipsec transform-set VPN esp-aes esp-sha512-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 209.165.201.254
set transform-set VPN
match address 100
crypto map VPN
show access-list
Extended IP access list 100
20 permit udp any any eq non500-isakmp
30 permit udp any any eq isakmp
40 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
Router2
crypto isakmp policy 1
encr aes 256
hash sha512
authentication pre-share
group 5
crypto isakmp key cisco12345 address 209.165.200.1
crypto ipsec transform-set VPN esp-aes esp-sha512-hmac
mode tunnel
crypto map VPN 1 ipsec-isakmp
set peer 209.165.200.1
set transform-set VPN
match address 100
crypto map VPN
#show access-lists
Extended IP access list 100
10 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
20 permit udp any any eq non500-isakmp
30 permit udp any any eq isakmp
I gave a spare public IP to ROUTER2. What config do I have to make on the firewall? What NAT, policy NAT? Please help.
07-31-2017 09:05 AM
Hi,
You need to make ASA as a VPN
You need to allow UDP 500,4500 and ESP traffic on the ASA for the two VPN peers.
More info at this link:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/63881-ipsec-pix70-nat.html
Regards,
Aditya
Please rate helpful and mark correct answers
08-01-2017 08:22 AM
Hi, the link is too old. I mean they are running version 7, whereas at the moment it is 9.x. Even the NAT statement is different.
08-01-2017 10:29 AM
Hi Sherazrose,
See my comment above for a sample configuration.
08-01-2017 08:19 AM
Hi sherazrose,
You need to configure one-to-one NAT for the router's public IP and allow traffic from WAN to LAN for these ports and protocols. Let me know the router's private IP to help you with the configuration.
08-01-2017 08:20 AM
Hi, what will be the NAT statement?
nat (inside,outside) source static INTERNAL EXTERNAL
or
nat (inside,outside) static PUBLIC-IPADDRESS
08-01-2017 08:31 AM
Configuration will be like the following:
object network ROUTER2
host <Private IP of router>
nat (inside,outside) static 209.165.201.254
!
object network ROUTER1
host 209.165.200.1
object-group service VPN-SERVICES udp
port-object eq isakmp
port-object eq 4500
!
access-list outside_access_in extended permit udp object ROUTER1 object ROUTER2 object-group VPN-SERVICES
access-list outside_access_in extended permit esp object ROUTER1 object ROUTER2
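The following is an added example, not configuration from this thread or from Cisco. It models what the ASA config above does to the inbound packets Router1 sends to Router2's translated address: on ASA 8.3 and later (the 9.x the poster is on), the destination is un-NATed to the real inside address first and the outside access list is then evaluated against that real address, which is why the ACL references object ROUTER2 (the private host) rather than the public 209.165.201.254. The public addresses are the ones from the thread; ROUTER2_PRIVATE is an assumed placeholder because the thread never states the router's inside IP, and the unknown-peer address is constructed. The second ACL in the block is written the pre-8.3 way, against the mapped address, to show why that style silently blocks the tunnel on 9.x.

```python
"""Model of how an ASA running 8.3+ treats inbound IKE and ESP for a router
behind a static one-to-one NAT.

Added example, not from the thread. Public addresses are the ones in the
thread; ROUTER2_PRIVATE is an assumed placeholder.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ROUTER1_PUBLIC = "209.165.200.1"    # Router1's peer address, from the thread
ROUTER2_PUBLIC = "209.165.201.254"  # spare public IP given to Router2, from the thread
ROUTER2_PRIVATE = "192.0.2.10"      # ASSUMPTION: Router2's real inside address

ISAKMP_PORT = 500   # "port-object eq isakmp"
NAT_T_PORT = 4500   # "port-object eq 4500" (non500-isakmp / NAT-T)

# object network ROUTER2 / nat (inside,outside) static 209.165.201.254
STATIC_NAT: Dict[str, str] = {ROUTER2_PUBLIC: ROUTER2_PRIVATE}  # mapped -> real


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "esp"
    dport: Optional[int] = None


# (action, proto, src, dst, allowed ports or None for port-less protocols)
Ace = Tuple[str, str, str, str, Optional[frozenset]]

# The answer's outside_access_in, written against REAL addresses (8.3+ behaviour)
OUTSIDE_ACL_REAL: List[Ace] = [
    ("permit", "udp", ROUTER1_PUBLIC, ROUTER2_PRIVATE, frozenset({ISAKMP_PORT, NAT_T_PORT})),
    ("permit", "esp", ROUTER1_PUBLIC, ROUTER2_PRIVATE, None),
]

# Same intent written pre-8.3 style against the MAPPED address: wrong on 9.x
OUTSIDE_ACL_MAPPED: List[Ace] = [
    ("permit", "udp", ROUTER1_PUBLIC, ROUTER2_PUBLIC, frozenset({ISAKMP_PORT, NAT_T_PORT})),
    ("permit", "esp", ROUTER1_PUBLIC, ROUTER2_PUBLIC, None),
]


def untranslate(flow: Flow) -> Flow:
    """Inbound on 8.3+: destination is un-NATed to the real address before the ACL runs."""
    return Flow(flow.src, STATIC_NAT.get(flow.dst, flow.dst), flow.proto, flow.dport)


def acl_permits(flow: Flow, acl: List[Ace]) -> bool:
    """First matching ACE decides; every ACL ends with an implicit deny."""
    for action, proto, src, dst, ports in acl:
        if (proto, src, dst) != (flow.proto, flow.src, flow.dst):
            continue
        if ports is not None and flow.dport not in ports:
            continue
        return action == "permit"
    return False


def inbound_allowed(flow: Flow, acl: List[Ace] = OUTSIDE_ACL_REAL) -> bool:
    """What the ASA does with a packet arriving on outside for the mapped address."""
    return acl_permits(untranslate(flow), acl)


def vpn_peer_flows() -> List[Flow]:
    """The three flows the thread says must reach Router2, plus two that must not."""
    return [
        Flow(ROUTER1_PUBLIC, ROUTER2_PUBLIC, "udp", ISAKMP_PORT),  # IKE phase 1
        Flow(ROUTER1_PUBLIC, ROUTER2_PUBLIC, "udp", NAT_T_PORT),   # IKE/ESP over NAT-T
        Flow(ROUTER1_PUBLIC, ROUTER2_PUBLIC, "esp"),               # raw ESP
        Flow(ROUTER1_PUBLIC, ROUTER2_PUBLIC, "tcp", 22),           # SSH: not in the ACL
        Flow("198.51.100.7", ROUTER2_PUBLIC, "udp", ISAKMP_PORT),  # IKE from a constructed unknown peer
    ]


def audit(acl: List[Ace] = OUTSIDE_ACL_REAL) -> Dict[str, bool]:
    """Map a short label for each flow to whether the ASA lets it through."""
    labels = ["isakmp", "nat-t", "esp", "ssh", "isakmp-from-unknown-peer"]
    return {label: inbound_allowed(f, acl) for label, f in zip(labels, vpn_peer_flows())}


if __name__ == "__main__":
    for name, acl in (("real-IP ACL (8.3+ style)", OUTSIDE_ACL_REAL),
                      ("mapped-IP ACL (pre-8.3 style)", OUTSIDE_ACL_MAPPED)):
        print(name, audit(acl))
```

Running it shows the 8.3+ style ACL admitting exactly isakmp, NAT-T and ESP from Router1 and nothing else, while the mapped-address ACL drops all three because the un-NATed destination never matches. On the real box, packet-tracer with the public destination address performs the same untranslate-then-ACL walk and is the quickest way to confirm the rules before bringing up the tunnel.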