IPSEC setup where LAN not directly connected

Machi Ma
Level 1

Hello,

 

I am designing an IPSEC VPN connection, but it does not look like the general example. Following is the environment setup description, with a network diagram for reference. Could you please advise?

 

Environment Setup

- Form an IPSEC VPN between two sites via ASA, where the ASA is routable and faces the Internet
- The SERVER's default gateway is the internal L3 switch
- The L3 switch's default gateway is the ASA
- NO NAT is required between the ASA and the SERVER

Question: How do I configure an IPSEC site-to-site VPN to establish a connection between LAN A & LAN B?

 

Thanks!

5 Replies

rakeshvelagala
Level 3

 

I think the guide below is a good one:

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

 

In the access list you need to include your LAN subnets.

Andre Neethling
Level 4

Hi. It's not that easy to assist you with VPN config, because there are different levels of encryption, hashing and authentication, and you must decide what works best for your organization. What I can tell you is that in ASDM there is a very "easy to follow" site-to-site VPN wizard. If I were you I would give that a shot and come back if it doesn't work. Believe me.......... it's a wizard........ and it's not difficult. Just make sure you define your LAN subnets correctly on both ASAs (they will be opposite on each ASA) and your peer address (they will be opposite on each ASA).

rizwanr74
Level 7

Hi Machi,

 

What is the IOS version of both of your ASAs?

 

 

Hello,

 

It is 9.1(3).

Thanks!

Here is a configuration example for one side.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

hostname(config)# crypto ikev1 policy 1
hostname(config-ikev1-policy)# authentication pre-share
hostname(config-ikev1-policy)# encryption 3des
hostname(config-ikev1-policy)# hash sha
hostname(config-ikev1-policy)# group 2
hostname(config-ikev1-policy)# lifetime 43200

hostname(config)# crypto ikev1 enable outside

hostname(config)# crypto ikev2 policy 1
hostname(config-ikev2-policy)# encryption 3des
hostname(config-ikev2-policy)# group 2
hostname(config-ikev2-policy)# prf sha
hostname(config-ikev2-policy)# lifetime 43200

hostname(config)# crypto ikev2 enable outside

hostname(config)# crypto ipsec ikev1 transform-set FirstSet esp-3des esp-md5-hmac

hostname(config)# crypto ipsec ikev2 ipsec-proposal secure
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)# protocol esp integrity sha-1

hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0

hostname(config)# tunnel-group 221.222.223.224 type ipsec-l2l
hostname(config)# tunnel-group 221.222.223.224 ipsec-attributes
hostname(config-tunnel-ipsec)# ikev1 pre-shared-key YourPasswordGoesHere
hostname(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key YourPasswordGoesHere
hostname(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key YourPasswordGoesHere

hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 221.222.223.224
hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet
hostname(config)# crypto map abcmap 1 set ikev2 ipsec-proposal secure
hostname(config)# crypto map abcmap interface outside

hostname(config)# route outside 150.150.0.0 255.255.0.0 xxx.xxx.xxx.xxx

 

hostname(config)# object-group network og-local-lan
hostname(config-network-object-group)# network-object 192.168.0.0 255.255.0.0

hostname(config)# object-group network og-remote-lan
hostname(config-network-object-group)# network-object 150.150.0.0 255.255.0.0

hostname(config)# nat (inside,outside) source static og-local-lan og-local-lan destination static og-remote-lan og-remote-lan no-proxy-arp route-lookup

hostname(config)# write memory

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

xxx.xxx.xxx.xxx is the default gateway address your ASA is using, which points to the ISP.

This public IP, 221.222.223.224, is just an example; you use the other ASA's public address in place of the tunnel-group address (and the same address as the peer in the crypto map).

 

For the other ASA the configuration is exactly the same, but you need to reverse the internal LANs: your LAN subnet that needs access to the other side's local subnet goes in the reverse position.

 

access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
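As an added example (not from the thread or from Cisco), a small Python check that reads the crypto ACL, tunnel-group and crypto-map peer lines from both ASAs' configs and flags the two mistakes the replies above warn about: a peer address with no matching tunnel-group, and LAN subnets that are not mirrored on the other side. The config fragments are constructed from the addresses in the thread; 198.51.100.10 is an assumed peer address for site B.

```python
import ipaddress
import re

# Constructed fragments of the two ASAs' configs (addresses from the thread plus
# an assumed documentation-range peer for site B); not a real deployment.
SITE_A = """
access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
tunnel-group 221.222.223.224 type ipsec-l2l
crypto map abcmap 1 set peer 221.222.223.224
"""
SITE_B = """
access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
tunnel-group 198.51.100.10 type ipsec-l2l
crypto map abcmap 1 set peer 198.51.100.10
"""

ACL_RE = re.compile(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
PEER_RE = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")

def parse_asa(text):
    """Collect crypto-ACL flows (src, dst), l2l tunnel-group names and crypto-map peers."""
    flows, tunnel_groups, peers = set(), set(), set()
    for line in (raw.strip() for raw in text.splitlines()):
        if m := ACL_RE.match(line):
            src, smask, dst, dmask = m.groups()
            flows.add((ipaddress.ip_network(f"{src}/{smask}"),
                       ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := TG_RE.match(line):
            tunnel_groups.add(m.group(1))
        elif m := PEER_RE.match(line):
            peers.add(m.group(1))
    return {"flows": flows, "tunnel_groups": tunnel_groups, "peers": peers}

def check_pair(cfg_a, cfg_b):
    """Return a list of problems; an empty list means the two sides mirror each other."""
    problems = []
    # Per side: every crypto-map peer needs a tunnel-group of the same name,
    # since that is where the pre-shared key lives; otherwise IKE never completes.
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        for peer in sorted(cfg["peers"] - cfg["tunnel_groups"]):
            problems.append(f"site {label}: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l'")
    # Across sides: every interesting-traffic flow must appear reversed on the other ASA.
    for label, mine, theirs in (("B", cfg_a, cfg_b), ("A", cfg_b, cfg_a)):
        for src, dst in sorted(mine["flows"], key=str):
            if (dst, src) not in theirs["flows"]:
                problems.append(f"site {label} lacks the mirror of {src} -> {dst}")
    return problems
```

Run `check_pair(parse_asa(SITE_A), parse_asa(SITE_B))` against your own two configs; the NAT exemption object-groups should cover the same subnets the ACL lists.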
