
vpn site to site between FIREWALLS

amralrazzaz
Level 5

Can I have, based on the attached network picture, the steps to configure a site-to-site VPN from the remote location to the main head office location?

In the remote location I have:

Firewall/router: Make/Model/OS

Cisco ASA5516-X

In the HO location they have:

Firewall/router: Make/Model/OS

Fortigate 3951

We have only a one-way connection from the remote location to the web server (main HO). (THE CONFIGURATION WILL ONLY BE ON MY SIDE, the ASA5516-X.)

Can I have the steps for the VPN site-to-site example configurations?

Thanks, check the attached pic.

amr alrazzaz
21 Replies

Fotiosmark
Level 1

1st, you need a static public IP for both sites... I am guessing that is something you already have.

From the ASA side, build the tunnel with a pre-shared key and objects for what needs to reach what, add them to an access list and NAT them.

You need to do the same on the Fortigate, and the access lists must match exactly.

Config example between 2 ASAs, LAN to LAN:

 

*******************
ASAVM-ABC
*******************

! Local LAN of this ASA (the name the ACL and NAT below refer to) and the LAN behind the peer.
! Every object name must be spelled identically wherever it is referenced.
object network LAN_FOR_VPN
 subnet **************

object network obj-LH
 subnet *********** 255.255.255.248

object-group network LH-Lan
 network-object object obj-LH

! Crypto ACL (interesting traffic): this side's LAN -> remote LAN.
! The peer's crypto ACL must be the exact mirror of this one (source and destination swapped).
access-list Remote-acl7 extended permit ip object LAN_FOR_VPN object obj-LH

! Phase 2 (IPsec) proposal
crypto ipsec ikev1 transform-set TS-LH esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite

! One crypto map name (VPN) for every entry and for the interface binding
crypto map VPN 90 match address Remote-acl7
crypto map VPN 90 set pfs
crypto map VPN 90 set peer ************
crypto map VPN 90 set ikev1 transform-set TS-LH
crypto map VPN 90 set security-association lifetime seconds 3600
crypto map VPN interface outside
crypto ikev1 enable outside

! Identity (exemption) NAT so tunnel traffic is not translated
nat (inside,outside) source static LAN_FOR_VPN LAN_FOR_VPN destination static LH-Lan LH-Lan route-lookup

! Peer and pre-shared key (the same key is configured on the other side)
tunnel-group ************ type ipsec-l2l
tunnel-group ************ ipsec-attributes
 ikev1 pre-shared-key ******

! Phase 1 (ISAKMP) policy; must match a policy on the peer.
! 3DES, SHA-1 and DH group 2 are legacy values; prefer AES-256, SHA-256 and group 14 or higher when both peers support them.
crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

**************
LHASA-*****
**************

! Local LAN of this ASA and the LAN behind the peer (10.12.90.0/24)
object network LAN_FOR_VPN
 subnet **************

object network obj-ProfitBricks
 subnet 10.12.90.0 255.255.255.0

object-group network ProfitBricks_Lan
 network-object object obj-ProfitBricks

! Mirror of the crypto ACL on the other side
access-list Remote-acl7 extended permit ip object LAN_FOR_VPN object obj-ProfitBricks

crypto ipsec ikev1 transform-set TS-ProfitBricks esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite

crypto map VPN 90 match address Remote-acl7
crypto map VPN 90 set pfs
crypto map VPN 90 set peer ************
crypto map VPN 90 set ikev1 transform-set TS-ProfitBricks
crypto map VPN 90 set security-association lifetime seconds 3600
crypto map VPN interface outside
crypto ikev1 enable outside

nat (inside,outside) source static LAN_FOR_VPN LAN_FOR_VPN destination static ProfitBricks_Lan ProfitBricks_Lan route-lookup

tunnel-group ************ type ipsec-l2l
tunnel-group ************ ipsec-attributes
 ikev1 pre-shared-key ******

crypto ikev1 policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
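As an added example (not part of Fotiosmark's post), these are the checks to run on the ASA once a LAN-to-LAN config like the one above is in place. The names follow the config above (ACL Remote-acl7, crypto map VPN); the addresses are assumed for illustration only: local LAN 10.12.90.0/24, remote LAN 192.0.2.8/29 with a web server at 192.0.2.10, and peer public IP 203.0.113.10.

```cisco
! Added example: verifying an IKEv1 LAN-to-LAN tunnel on the ASA (assumed addresses, see lead-in).

! 1. Confirm the crypto ACL is what you think it is. The peer's crypto ACL must be the exact
!    mirror (source and destination swapped); a mismatch shows up as a phase 2 proposal failure.
show running-config access-list Remote-acl7

! 2. Simulate interesting traffic from a LAN host to the remote web server. The trace must end in
!    "Action: allow", hit the identity NAT rule (not the dynamic PAT) and show a VPN phase that
!    references the crypto map; if any of those is missing the traffic never enters the tunnel.
packet-tracer input inside tcp 10.12.90.20 40000 192.0.2.10 443 detailed

! 3. Phase 1: an entry in state MM_ACTIVE means the pre-shared key and the ikev1 policy matched.
show crypto ikev1 sa

! 4. Phase 2: the local/remote identities are the ACL networks; #pkts encaps and #pkts decaps
!    should both increase. Encaps rising with decaps at zero means the peer is not sending
!    anything back (their routing, NAT exemption or ACL), which is not a problem on this box.
show crypto ipsec sa peer 203.0.113.10

! 5. Confirm the identity NAT rule is being hit (translate_hits / untranslate_hits increase).
show nat detail

! 6. If phase 1 never comes up, watch the negotiation; level 7 is enough to see proposal and
!    pre-shared-key mismatches. Turn it off again when done.
debug crypto ikev1 7
undebug all
```

Run step 2 before step 3: the tunnel is built on demand, so there is nothing in the SA tables until interesting traffic (real or simulated with packet-tracer) has been seen.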

Thanks a lot for the explanation. Can I ask you something?

I already got a public IP from the ISP vendor and it is active. My ISP router is a Nokia router, so when I ping this IP it should be reachable and should have connectivity, am I correct? Because it is not pinging the public IP (this is before doing any configuration, still).

So is the problem from the ISP, that the service is not active, or should I configure something in my network by adding this public IP to the WAN interface?

Also another question: the main office side told me that the tunnel is already created and there is no need to do any configuration from my side, just check if I can reach their resources or not, but I can't.

amr alrazzaz

If they wish to do a site-to-site VPN, both pieces of equipment need configuration. If they wanted a dial-up VPN like Cisco AnyConnect, you would only need a username and password and their public IP.

Did the provider give you a leased public IP? Static? Site-to-site VPNs can be built only with a static IP, which you assign to your equipment's WAN interface, plus the default route (next hop).

Thanks for your clarification. I just contacted the ISP and they said the static IP is active, so why can't I ping it?

The question is: should I make any configuration on my network, or has the ISP already added it on its router's WAN interface?

Anyhow, it is active but I can't ping it. Why? Should I configure a static route to the next IP (static IP) so my network can reach the static IP?

Check my network diagram attached.

amr alrazzaz

OK, step 1. If an IP is not assigned to an interface, it is NOT pingable. Meaning they might have given you a static IP of 85.21.5.32 255.255.255.252 (that's an example), whose first usable IP you assign to your ASA, and the next IP should be the default route (we are talking about leased lines, not PPPoE DSL).

So you have your ASA WAN interface at 85.21.5.33 255.255.255.252 and the default route to the next IP.

So again....

I have an ASA at my home and want to connect it to the office network with a LAN-to-LAN tunnel.

1st, contact the ISP for a static IP.

Then I assign that IP to my WAN interface, with the default route to the next hop (I am talking basic CCNA here).

On the inside interface, your LAN, you assign a private IP (which you have to NAT if you want to get onto the outside internet):

! ASA syntax (the IOS-style "ip nat inside" / "ip nat outside" commands do not exist on the ASA)
object network inside-lan
 subnet <LAN network> <mask>
 nat (inside,outside) dynamic interface

So unless you assign that IP, it is never going to be reachable.
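The interface, default route and NAT steps above in ASA CLI form, as an added example that is not from the post. It reuses the /30 from the example (85.21.5.33 on the ASA, 85.21.5.34 as the ISP router's address and therefore the default gateway) and assumes interface names GigabitEthernet1/1 (outside) and GigabitEthernet1/2 (inside) and a private LAN of 192.168.10.0/24; adjust these to the real ISP allocation and the physical ports in use.

```cisco
! Added example: assigning the ISP static IP on the ASA and checking reachability.
! Assumed: 85.21.5.32/30 from the ISP, .33 on the ASA, .34 on the ISP (Nokia) router.
! The public address lives on the ASA's own outside interface; the ISP router holds the other
! usable address of the /30. Nothing needs to be "added" on the ISP side beyond that.

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 85.21.5.33 255.255.255.252
 no shutdown

interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
 no shutdown

! Default route: everything not in the routing table goes to the ISP router.
route outside 0.0.0.0 0.0.0.0 85.21.5.34 1

! Dynamic PAT so the private LAN can reach the Internet through the outside address.
! Object (auto) NAT is evaluated after manual NAT, so a later identity-NAT rule for the
! VPN tunnel takes precedence over this one without any reordering.
object network inside-lan
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Without ICMP inspection the echo replies to pings from inside hosts are dropped at the
! outside interface, so add it to the default policy before testing from a LAN host.
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks, in order: interface up with the address, next hop answers, default route installed.
show interface ip brief
ping outside 85.21.5.34
show route
```

A host on the inside cannot ping the ASA's own outside address (the ASA only answers ICMP on the interface the packet arrives on), so test from the ASA CLI as shown, and from a LAN host ping the ISP next hop or a public address instead.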

So once I assign the static IP address and check the connectivity, I can check the connectivity from my side to the main office server? As I told you, they informed me that the VPN tunnel is already created with my side using the static IP which was already provided to them, but I still didn't configure it in my network.

Am I correct?

Can you give me an example of the configuration as per the attached network I sent you?

Many thanks, boss.

 

 

amr alrazzaz

Can I ask you also about the static IP?

Must the static IP be assigned on the interface of the ISP router (Nokia) which is directly connected to the ASA (the ISP should do that, as I don't have access to the ISP router)?

And 2nd, an example of how to configure this static IP on the ASA, or how to let my network have connectivity with this static IP.

Check attached.

amr alrazzaz

Which devices do you have access to and can configure? Is the ASA on your side, or the Fortigate?

I sent you an attachment of my network: it's the ASA and the Nokia router of the ISP company connected directly to the ASA 5516-X (on my side).

The Fortigate is on the head office side, not mine, and they already informed me that the VPN tunnel is already created with my branch office and asked me to check the connectivity to them without any VPN configuration on my side. As they said, "we will explore this later, after your network has connectivity to your static IP provided by the ISP company; then you can ping the main office server to check".

Check attached pic.

 

amr alrazzaz

Hello,

It sounds like you need to configure your ASA from scratch.

Do you know how to do that? It's not a simple task. Do you have a console cable?

Also, if we are talking about VPN tunneling, that means they need access lists, NAT, a pre-shared key, the static IP for the tunnel, crypto maps, etc. etc. So you won't have access to the HQ unless somehow you get into the HQ network with a VPN, dialed or LAN-to-LAN.

If you want to discuss it more through Skype, I am fotismark1.

I really appreciate your great help and support. My question is: I need to configure the static IP address on the ASA to have connectivity between my network and this static IP, as it is already paid for and the service is activated by the ISP company.

I tried to ping this IP but no hope, unless I configure it. Can you give me an example of how to configure that first?

I'll check the connectivity with the HO server after that; if it doesn't work, that means we need to configure the ASA from scratch, as you said,

because they told me the tunnel is already created and there is no need to configure anything from my side.

So I need my network to be reachable with my static IP first.

So how?

Also, where technically should this static IP be assigned? Is it on the ISP router interface which is directly connected to my ASA, or should I assign this IP to my outside interface which is directly connected to the ISP router?

amr alrazzaz

Also, I don't really understand why you went with this expensive solution. A dial-up VPN to access the office resources would do, with FortiClient :)
