03-12-2015 11:06 PM - edited 03-11-2019 10:38 PM
Hello,
I am designing an IPsec VPN connection, but it does not look like the general example. The environment setup description with a network diagram follows for reference. Could you please advise?
Environment Setup
- Form an IPsec VPN between two sites via ASAs; each ASA is routable and faces the Internet
- The SERVER's default gateway is the internal L3 switch
- The L3 switch's default gateway is the ASA
- No NAT is required between the ASA and the SERVER
Question: How do I configure an IPsec site-to-site VPN to establish a connection between LAN A and LAN B?
Thanks!
03-13-2015 02:46 AM
I think the guide below is a good one:
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
In the access list you need to include your LAN subnets.
03-13-2015 10:33 AM
Hi. It's not that easy to assist you with VPN config, because there are different levels of encryption, hashing and authentication, and you must decide what works best for your organization. What I can tell you is that in ASDM there is a very easy-to-follow site-to-site VPN wizard. If I were you I would give that a shot and come back if it doesn't work. Believe me, it's a wizard, and it's not difficult. Just make sure you define your LAN subnets correctly on both ASAs (they will be opposite on each ASA) and your peer address (they will be opposite on each ASA).
03-14-2015 05:26 PM
Hi Machi,
What is the IOS version on both of your ASAs?
03-14-2015 08:09 PM
Hello,
It is 9.1(3).
Thanks!
03-15-2015 07:10 AM
Here is a configuration example for one side.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200
hostname(config)# crypto ikev1 enable outside
hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)# integrity sha
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime 43200
hostname(config)# crypto ikev2 enable outside
hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# crypto ipsec ikev2 ipsec-proposal secure
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)# protocol esp integrity sha-1
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)# tunnel-group 221.222.223.224 type ipsec-l2l
hostname(config)# tunnel-group 221.222.223.224 ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key YourPasswordGoesHere
hostname(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key YourPasswordGoesHere
hostname(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key YourPasswordGoesHere
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 221.222.223.224
hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet
hostname(config)# crypto map abcmap 1 set ikev2 ipsec-proposal secure
hostname(config)# crypto map abcmap interface outside
hostname(config)# route outside 150.150.0.0 255.255.0.0 xxx.xxx.xxx.xxx
hostname(config)# object-group network og-local-lan
hostname(config-network-object-group)# network-object 192.168.0.0 255.255.0.0
hostname(config)# object-group network og-remote-lan
hostname(config-network-object-group)# network-object 150.150.0.0 255.255.0.0
hostname(config)# nat (inside,outside) source static og-local-lan og-local-lan destination static og-remote-lan og-remote-lan no-proxy-arp route-lookup
hostname(config)# write memory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
xxx.xxx.xxx.xxx is the default gateway address your ASA is using, which points to the ISP.
The public IP 221.222.223.224 is just an example; use the other ASA's public address in place of the tunnel-group address.
For the other ASA, the configuration is exactly the same but you need to reverse the internal LANs: your LAN subnet that needs access to the other side's local subnet goes on the reverse side.
access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
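The post above boils down to two invariants that are easy to get wrong by hand: the crypto ACL on ASA B must be the exact source/destination mirror of the one on ASA A, and the tunnel-group name, the `set peer` address and the other side's outside address must all be the same IP. The script below, an added example that is not from the forum post or from Cisco, renders both halves of an IKEv1-only configuration from two `Site` records and then checks those two invariants, including against a constructed snippet that reproduces the kind of tunnel-group/peer mismatch that breaks phase 1. The addresses, object names, and the AES-256/SHA/group 14 choices (in place of the post's 3DES/MD5/group 2) are my own assumptions.

```python
"""Added example: render both sides of an ASA IKEv1 site-to-site VPN and
check that they mirror each other. Not the forum post's own code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    public_ip: str   # the ASA's outside (Internet-facing) address
    lan: str         # LAN behind that ASA, in CIDR form


def dotted(cidr: str) -> str:
    """ASA access-lists and subnet objects take 'network netmask', not CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"{net.network_address} {net.netmask}"


def render_side(local: Site, remote: Site, psk: str) -> str:
    """ASA CLI for one side. Call again with local/remote swapped for the other ASA."""
    return "\n".join([
        "crypto ikev1 policy 1",
        " authentication pre-share",
        " encryption aes-256",          # assumed cipher suite, stronger than the post's 3DES
        " hash sha",
        " group 14",
        " lifetime 86400",
        "crypto ikev1 enable outside",
        "crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac",
        # interesting traffic: local LAN -> remote LAN (the remote side reverses this)
        f"access-list l2l_list extended permit ip {dotted(local.lan)} {dotted(remote.lan)}",
        # for an L2L tunnel the tunnel-group NAME is the peer's public address
        f"tunnel-group {remote.public_ip} type ipsec-l2l",
        f"tunnel-group {remote.public_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {psk}",
        "crypto map abcmap 1 match address l2l_list",
        f"crypto map abcmap 1 set peer {remote.public_ip}",
        "crypto map abcmap 1 set ikev1 transform-set TS",
        "crypto map abcmap interface outside",
        "object network og-local-lan",   # assumed object names
        f" subnet {dotted(local.lan)}",
        "object network og-remote-lan",
        f" subnet {dotted(remote.lan)}",
        # identity NAT so LAN-to-LAN traffic is not swallowed by any outbound PAT rule
        "nat (inside,outside) source static og-local-lan og-local-lan "
        "destination static og-remote-lan og-remote-lan no-proxy-arp route-lookup",
    ])


def crypto_acl(config: str) -> tuple[tuple[str, str], tuple[str, str]]:
    """Return ((src, mask), (dst, mask)) from the first 'extended permit ip' ACL line."""
    for line in config.splitlines():
        p = line.split()
        if p[:1] == ["access-list"] and p[2:5] == ["extended", "permit", "ip"]:
            return (p[5], p[6]), (p[7], p[8])
    raise ValueError("no crypto ACL found")


def acls_mirror(cfg_a: str, cfg_b: str) -> bool:
    """Side B's crypto ACL must be side A's with source and destination swapped."""
    src_a, dst_a = crypto_acl(cfg_a)
    src_b, dst_b = crypto_acl(cfg_b)
    return src_a == dst_b and dst_a == src_b


def peer_consistent(config: str) -> bool:
    """Every 'tunnel-group <x>' and every 'set peer <x>' must name one and the same address."""
    names, peers = set(), set()
    for line in config.splitlines():
        p = line.split()
        if p[:1] == ["tunnel-group"]:
            names.add(p[1])
        elif "set" in p and "peer" in p:
            peers.add(p[-1])
    return len(names) == 1 and names == peers


# Constructed snippet showing the mismatch the check is meant to catch:
# tunnel-group is named for one address, but ipsec-attributes and set peer use another.
MISMATCHED = "\n".join([
    "tunnel-group 221.222.223.224 type ipsec-l2l",
    "tunnel-group 10.10.4.108 ipsec-attributes",
    "crypto map abcmap 1 set peer 10.10.4.108",
])


if __name__ == "__main__":
    site_a = Site("198.51.100.1", "192.168.0.0/16")   # assumed documentation addresses
    site_b = Site("203.0.113.1", "150.150.0.0/16")
    cfg_a = render_side(site_a, site_b, "YourPasswordGoesHere")
    cfg_b = render_side(site_b, site_a, "YourPasswordGoesHere")
    print(cfg_a, "\n!\n", cfg_b, sep="")
    print("ACLs mirror:", acls_mirror(cfg_a, cfg_b))
    print("mismatched snippet consistent:", peer_consistent(MISMATCHED))
```

Run it and paste each half into the matching ASA; `peer_consistent` returning `False` on the constructed snippet is the symptom you would otherwise only discover in `debug crypto ikev1` as a peer that never finds its tunnel-group.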