Resolution
In order to configure a LAN-to-LAN tunnel between a Cisco IOS router and an Adaptive Security Appliance (ASA), these configurations are required on the ASA:
- Configure the crypto ipsec transform-set command for Phase 2.
- Configure the isakmp policy command for Phase 1.
- Configure the nat 0 command together with an access-list in order to exempt the tunnel traffic from NAT.
- Configure the crypto map command (a dynamic crypto map, because the ASA does not know the peer address).
- Configure the tunnel-group DefaultL2LGroup command with the group information.
Refer to this configuration example in order to configure the ASA:
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
isakmp enable outside
access-list 100 extended permit ip source_ip 255.255.255.0 dest_ip 255.255.255.0
nat (inside) 0 access-list 100
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
The router is configured for a normal (static) LAN-to-LAN tunnel, because the router knows the destination IP address of the VPN peer; the ASA uses a dynamic crypto map and the DefaultL2LGroup because it does not know the address of the router.
Refer to the Branch Router configuration example in IPsec: Router-to-PIX Security Appliance 7.x and Later or ASA Configuration Example in order to configure the router for VPN connectivity to a PIX/ASA firewall.
Note: In this configuration, only the router, or hosts on the internal network behind the router, can bring up the tunnel, because the router knows the destination IP address of its peer and the ASA does not. Traffic that originates behind the ASA cannot initiate the tunnel; it can only use a tunnel that the router has already established.
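The router side of this tunnel, shown here as an added example that is not part of the original document or of the Cisco configuration example it refers to, must mirror the ASA parameters above (3DES, MD5, Diffie-Hellman group 2, a 3600-second Phase 1 lifetime, pre-shared authentication, and the esp-3des esp-md5-hmac transform set). The peer address ASA_OUTSIDE_IP, the networks ROUTER_LAN and ASA_LAN, the key PRE_SHARED_KEY and the interface GigabitEthernet0/0 are placeholders for this example. Note that IOS access lists use wildcard masks (0.0.0.255), whereas the ASA access list in the example uses subnet masks (255.255.255.0), and that the router's crypto ACL must be the exact mirror image of the ASA's access-list 100.

```cisco
! Added example: IOS router side of a static LAN-to-LAN tunnel to the ASA.
! Placeholders (assumed, not from the original document): ASA_OUTSIDE_IP,
! ROUTER_LAN, ASA_LAN, PRE_SHARED_KEY, GigabitEthernet0/0.
!
! Phase 1: must match "isakmp policy 20" on the ASA.
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
! Key for the ASA peer; the same string goes under
! "tunnel-group DefaultL2LGroup ipsec-attributes" on the ASA.
crypto isakmp key PRE_SHARED_KEY address ASA_OUTSIDE_IP
!
! Phase 2: must match "crypto ipsec transform-set myset" on the ASA.
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
! Interesting traffic: mirror image of the ASA's access-list 100.
ip access-list extended VPN-TRAFFIC
 permit ip ROUTER_LAN 0.0.0.255 ASA_LAN 0.0.0.255
!
! Static crypto map: the router knows the peer, so it can initiate.
crypto map L2L-MAP 20 ipsec-isakmp
 set peer ASA_OUTSIDE_IP
 set transform-set myset
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map L2L-MAP
!
! Only if the router also performs NAT overload for Internet access:
! exempt the tunnel traffic from NAT, the counterpart of "nat (inside) 0"
! on the ASA, so that the crypto ACL still matches the pre-NAT addresses.
ip access-list extended NAT-TRAFFIC
 deny   ip ROUTER_LAN 0.0.0.255 ASA_LAN 0.0.0.255
 permit ip ROUTER_LAN 0.0.0.255 any
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0 overload
```

Because the ASA's dynamic map accepts any peer that presents the DefaultL2LGroup pre-shared key, that key protects every unknown-peer tunnel on the ASA, so it should be long and random rather than shared with other sites. After generating traffic from behind the router, the tunnel can be verified with show crypto isakmp sa and show crypto ipsec sa on the router and show isakmp sa and show ipsec sa on the ASA; a Phase 1 policy or transform-set mismatch is the most common reason a tunnel in this setup fails to come up.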
Refer to the configuration example in Configuring IPSec LAN-to-LAN tunnel between the Cisco Pix Firewall and a NetScreen Firewall in order to configure an IPsec LAN-to-LAN tunnel between a PIX/ASA and a NetScreen firewall.