
VPN Between Cisco ASA 5505 and Cisco Router 881

batumibatumi
Level 1

Hi All,

 

I want to interconnect two offices, but I am having trouble. Please see my configuration below. What is missing to finalize the configuration properly?

 

Cisco ASA 5505.

Version 8.4(3)

 

HQ-ASA5505(config)# crypto ikev1 policy 888
HQ-ASA5505(config-ikev1-policy)# authentication pre-share
HQ-ASA5505(config-ikev1-policy)# encryption 3des
HQ-ASA5505(config-ikev1-policy)# hash md5
HQ-ASA5505(config-ikev1-policy)# lifetime 86400
HQ-ASA5505(config-ikev1-policy)# group 2

 

HQ-ASA5505(config)# tunnel-group 1.1.1.1 type ipsec-l2l
HQ-ASA5505(config)# tunnel-group 1.1.1.1 ipsec-attributes
HQ-ASA5505(config-tunnel-ipsec)# ikev1 pre-shared-key test

 

HQ-ASA5505(config)#object network HQ-Users
HQ-ASA5505(config-network-object)#subnet 10.48.0.0 255.255.255.0

HQ-ASA5505(config)# object-group network HQ.grp
HQ-ASA5505(config-network-object-group)# network-object object HQ-Users

 

HQ-ASA5505(config)#object network FSP_DATA
HQ-ASA5505(config-network-object)#subnet 10.48.12.0 255.255.255.0

HQ-ASA5505(config)#object-group network FSP.grp
HQ-ASA5505(config-network-object-group)#network-object object FSP_DATA


HQ-ASA5505(config)#access-list VPN_to_FSP extended permit ip object-group HQ.grp object-group FSP.grp

 

HQ-ASA5505(config)# crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac


HQ-ASA5505(config)# crypto map ouside_map 888 set ikev1 transform-set TS
HQ-ASA5505(config)# crypto map ouside_map 888 match address VPN_to_FSP
HQ-ASA5505(config)# crypto map ouside_map 888 set peer 1.1.1.1
HQ-ASA5505(config)# crypto map ouside_map 888 set pfs group2

HQ-ASA5505(config)# crypto ikev1 enable outside
HQ-ASA5505(config)# crypto map ouside_map interface outside

 

 

Router 881

Version 12.4

License Information for 'c880-data'
    License Level: advipservices   Type: Permanent
    Next reboot license Level: advipservices

 

LAB_ROuter(config)#object-group network HQ
LAB_ROuter(config-network-group)#10.48.0.0 255.255.255.0

LAB_ROuter(config)#object-group network FSP
LAB_ROuter(config-network-group)#10.48.12.0 255.255.255.0

ip access-list extended FSP_VPN
 permit ip object-group FSP object-group HQ


LAB_ROuter(config)#crypto isakmp policy 888
LAB_ROuter(config-isakmp)#encryption 3des
LAB_ROuter(config-isakmp)#authentication pre-share
LAB_ROuter(config-isakmp)#hash md5
LAB_ROuter(config-isakmp)#group 2
LAB_ROuter(config-isakmp)#lifetime 86400

 

LAB_ROuter(config)#crypto isakmp key test address 2.2.2.2
LAB_ROuter(config)#crypto ipsec transform-set TS esp-3des esp-md5-hmac

 

crypto map outside_map 888 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address FSP_VPN

 

interface fast4 --> Outside Interface (where public IP address is assigned) 

crypto map outside_map

 

 

Thank you in advance for your prompt advice!

 

3 Replies

Hitesh Vinzoda
Level 4

You would need a no-NAT statement for VPN interesting traffic on the ASA. Then generate interesting traffic from either end, assuming you already have routing between the VPN endpoints.

 

Hth

Hitesh

BTW not only at the ASA device but at the router too.

Best Regards.

Tagir Temirgaliyev
Spotlight

from both sides

sh cryp isa sa

sh cryp ips sa
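
Before reading the SA output from both peers, it helps to confirm that the two posted configurations propose the same Phase 1 and Phase 2 parameters. The Python below is an added example, not part of the original thread: it parses the IKE/IPsec lines from the question (prompts stripped) and returns every parameter that differs between the ASA and the router; the function names and regexes are this example's own.

```python
import re
# Constructed input: the IKE/IPsec lines from the question, CLI prompts stripped.
ASA = """crypto ikev1 policy 888
 authentication pre-share
 encryption 3des
 hash md5
 lifetime 86400
 group 2
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key test
crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
crypto map ouside_map 888 set pfs group2
"""
IOS = """crypto isakmp policy 888
 encryption 3des
 authentication pre-share
 hash md5
 group 2
 lifetime 86400
crypto isakmp key test address 2.2.2.2
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map outside_map 888 ipsec-isakmp
"""
# One regex per negotiated parameter; each matches both ASA and IOS syntax.
PATTERNS = {
    "ike encryption": r"^\s*encryption (\S+)",
    "ike hash": r"^\s*hash (\S+)",
    "ike dh group": r"^\s*group (\d+)",
    "ike lifetime": r"^\s*lifetime (\d+)",
    "ike auth": r"^\s*authentication (\S+)",
    "pre-shared key": r"(?:pre-shared-key|isakmp key) (\S+)",
    "esp transforms": r"transform-set \S+ (esp-.+)$",
    "pfs": r"set pfs (\S+)",
}

def params(config):
    """Return {parameter: value or None} for one device's config text."""
    hits = {k: re.search(rx, config, re.M) for k, rx in PATTERNS.items()}
    return {k: m.group(1).strip() if m else None for k, m in hits.items()}

def mismatches(a, b):
    """Parameters whose values differ; the key itself is never echoed."""
    pa, pb = params(a), params(b)
    diff = {k: (pa[k], pb[k]) for k in PATTERNS if pa[k] != pb[k]}
    if "pre-shared key" in diff:
        diff["pre-shared key"] = ("<differs>", "<differs>")
    return diff

if __name__ == "__main__":
    print(mismatches(ASA, IOS))
```

On the posted configurations the only difference reported is PFS: the ASA crypto map sets `pfs group2`, while the router's crypto map has no `set pfs` line.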
