10-23-2018 03:15 AM - edited 02-21-2020 08:23 AM
Can I have, for this attached network picture, how to configure a site-to-site VPN from the remote location to the main head office location?
In the remote location I have: Firewall/router (Make/Model/OS): Cisco ASA5516-X
In the HO location they have: Firewall/router (Make/Model/OS): Fortigate 3951
We have only a one-way connection from the remote location to the web server (main HO). (THE CONFIGURATION WILL ONLY BE ON MY SIDE, THE ASA5516-X.)
Can I have the steps for a site-to-site VPN example configuration?
Thanks, check the attached pic.
10-23-2018 06:23 AM
1st you need a static public IP for both sites... I am guessing that is something you already have.
From the ASA side, build the tunnels with a pre-shared key and objects of what reaches what, add it to an access list and NAT it.
You need to do the same on the Fortigate, and the access lists must match exactly.
Config example between 2 ASAs, LAN to LAN:
*******************
ASAVM-ABC
*******************
! remote subnet object (name made consistent with the network-object reference below)
object network obj-LH
 subnet *********** 255.255.255.248
object-group network LH-Lan
 network-object object obj-LH
! interesting traffic: local LAN to remote LAN (the peer's ACL must be the exact mirror)
access-list Remote-acl7 extended permit ip object LAN_FOR_VPN object obj-LH
crypto ipsec ikev1 transform-set LH-Lan esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPN 90 match address Remote-acl7
crypto map VPN 90 set pfs
crypto map VPN 90 set peer ************
crypto map VPN 90 set ikev1 transform-set LH-Lan
crypto map VPN 90 set security-association lifetime seconds 3600
crypto map VPN interface outside
! NAT exemption so VPN traffic keeps its real addresses
nat (inside,outside) source static LAN_FOR_VPN LAN_FOR_VPN destination static LH-Lan LH-Lan route-lookup
tunnel-group ************ type ipsec-l2l
tunnel-group ************ ipsec-attributes
 ikev1 pre-shared-key ******
! IKEv1 must be enabled on the outside interface for the policy below to be used
crypto ikev1 enable outside
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
**************
LHASA-*****
**************
object network LAN_FOR_VPN
 subnet **************
! remote subnet object (name made consistent with the network-object reference below)
object network obj-ProfitBricks
 subnet 10.12.90.0 255.255.255.0
object-group network ProfitBricks_Lan
 network-object object obj-ProfitBricks
! interesting traffic: local LAN to remote LAN (the peer's ACL must be the exact mirror)
access-list Remote-acl7 extended permit ip object LAN_FOR_VPN object obj-ProfitBricks
crypto ipsec ikev1 transform-set ProfitBricks_Lan esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPN 90 match address Remote-acl7
crypto map VPN 90 set pfs
crypto map VPN 90 set peer ***********
crypto map VPN 90 set ikev1 transform-set ProfitBricks_Lan
crypto map VPN 90 set security-association lifetime seconds 3600
crypto map VPN interface outside
! NAT exemption so VPN traffic keeps its real addresses
nat (inside,outside) source static LAN_FOR_VPN LAN_FOR_VPN destination static ProfitBricks_Lan ProfitBricks_Lan route-lookup
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
 ikev1 pre-shared-key *****
! IKEv1 must be enabled on the outside interface for the policy below to be used
crypto ikev1 enable outside
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
10-24-2018 02:48 AM - edited 10-24-2018 02:49 AM
Thanks a lot for the explanation. Can I ask you something?
I already got a public IP from the ISP vendor and it's active. My ISP router is a Nokia router, so when I ping this IP it should be reachable and should have connectivity? Am I correct? Because it's not pinging the public IP. (This is before doing any configuration still.)
So is the problem from the ISP, that the service is not active, or should I configure something in my network by adding this public IP to the WAN interface?
Also another question: the main office side told me that the tunnel is already created and there is no need to do any configuration from my side, just to check if I can reach their resources or not, but I can't?
10-24-2018 02:57 AM
10-24-2018 04:53 AM
Thanks for your clarification. I just contacted the ISP and they said your static IP is active, so why can't I ping it?
The question is, should I make any configuration on my network, or has the ISP already added it on its router WAN interface?
Anyhow, it's active but I can't ping. Why? Should I configure a static route to the next IP (static IP) so my network can reach the static IP????
Check my network diagram attached.
10-24-2018 06:01 AM
OK, step 1. If an IP is not assigned to an interface, it is NOT pingable. Meaning they might have given you a static IP of 85.21.5.32 255.255.255.252 (that's an example), so the first usable IP you assign to your ASA and the next IP should be the default route (we are talking about leased lines, not PPPoE DSL).
So you have your ASA WAN interface at 85.21.5.33 255.255.255.252 and the default route is the next IP.
So again....
I have an ASA at my home and want to connect it to the office network with a LAN-to-LAN tunnel.
1st, contact the ISP for a static IP.
Then I assign that IP to my WAN interface with the default route as the next hop (I am talking basic CCNA here).
On the inside interface, your LAN, you assign a private IP (which you have to NAT if you want to get on the outside internet):
ip nat inside LAN
ip nat outside WAN
So unless you assign that IP, it's never going to be reachable.
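Putting the steps above together on the branch ASA: outside interface on the first usable address of the /30 from the post, default route to the other address, PAT for Internet access, a NAT exemption plus a crypto ACL for the tunnel, and an IKEv1 LAN-to-LAN peering. This is an added example, not the poster's config; the inside subnet (192.168.10.0/24), the HO subnet (10.20.30.0/24), the HO public IP (203.0.113.10), the interface names and all object names are placeholders to be replaced with the real values.

```cisco
! Outside (WAN) interface: first usable address of the /30 from the ISP
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 85.21.5.33 255.255.255.252
!
! Inside (LAN) interface: private addressing (192.168.10.0/24 is a constructed example)
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Default route: the other usable address of the /30 is the ISP next hop
route outside 0.0.0.0 0.0.0.0 85.21.5.34 1
!
! Branch LAN object, PATed behind the outside address for Internet access (auto NAT, section 2)
object network BRANCH_LAN
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Head-office subnet (10.20.30.0/24 is a placeholder, use the real HO LAN)
object network HO_LAN
 subnet 10.20.30.0 255.255.255.0
!
! NAT exemption (manual NAT, section 1, evaluated before the PAT above):
! VPN traffic keeps its real addresses so the crypto ACL matches
nat (inside,outside) source static BRANCH_LAN BRANCH_LAN destination static HO_LAN HO_LAN no-proxy-arp route-lookup
!
! Crypto ACL: must be the exact mirror of the head-office (Fortigate) selectors
access-list VPN_TO_HO extended permit ip object BRANCH_LAN object HO_LAN
!
! IKEv1 phase 1: AES-256 / SHA / DH group 14 rather than 3DES / group 2
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! IPsec phase 2 and crypto map; 203.0.113.10 is a placeholder for the HO public IP
crypto ipsec ikev1 transform-set TS_AES256_SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_HO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS_AES256_SHA
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
```

After this the outside address answers ping from the Internet, and a ping from an inside host to the HO subnet should bring the tunnel up; `show crypto ikev1 sa` and `show crypto ipsec sa` confirm phase 1 and phase 2 respectively.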
10-25-2018 03:25 AM
So once I assign the static IP address and check the connectivity, I can check the connectivity from my side to the main office server? As I told you, they informed me that the VPN tunnel is already created with my side using the static IP which was already provided to them, but I still didn't configure it in my network??
Am I correct?
Can you give me an example of the configuration as per the attached network I sent to you?
Many thanks, boss.
10-25-2018 03:29 AM
Can I ask you also about the static IP?
Must the static IP be assigned on the interface of the ISP router (Nokia) which is directly connected to the ASA (the ISP should do that, as I don't have access to the ISP router)?
And 2nd, an example of how to configure this static IP on the ASA, or how to let my network have connectivity with this static IP.
Check attached.
10-25-2018 03:45 AM
10-25-2018 04:09 AM
I sent you an attachment of my network. It's an ASA and a Nokia router of the ISP company connected directly to the ASA 5516-X (on my side).
The Fortigate is on the head office side, not mine, and they already informed me that the VPN tunnel is already created with my branch office and asked me to check the connectivity to them without any VPN configuration on my side. As they said, we will explore this later, after my network has connectivity to my static IP provided by the ISP company; then I can ping the main office server to check.
Check the attached pic.
10-26-2018 02:57 AM
Hello,
It sounds like you need to configure it from scratch, your ASA that is.
Do you know how to do that? It's not a simple task. Do you have a console cable?
10-26-2018 03:00 AM
10-27-2018 04:51 AM
I really appreciate your great help and support. My question is: I need to configure the static IP address on the ASA to have connectivity between my network and this static IP, as it is already paid for and the service activated by the ISP company.
I tried to ping this IP but no hope unless I configure it. Can you give me an example of how to configure that 1st?
I'll check the connectivity with the HO server after that; if not, that means we need to configure the ASA from scratch as you said,
because they told me the tunnel is already created and there is no need to configure anything on my side.
So I need my network to be reachable with my static IP 1st.
So how?
Also, where technically should this static IP be assigned? Is it on the ISP router interface which is directly connected to my ASA, or should I assign this IP to my outside interface which is directly connected to the ISP router?
10-26-2018 03:01 AM