UC540 IPSec to ASA 5505

who
Level 1

Thanks for any advice, since I am new to the Cisco UC system.

Recently I have been trying to implement Cisco UC in our office to replace a TalkSwitch. I have successfully built the system and connected a few test phones. Now I am trying to build an IPsec tunnel to a remote office and provide phone service to another 5-phone system at the remote office as well. I have a UC540 in the HQ office and a Cisco ASA 5505 at the remote site. I prefer an IPsec tunnel, but any suggestions are highly appreciated.

Wayne

4 Replies

paolo bevilacqua
Hall of Fame

You can search cisco.com for IOS to ASA IPsec example configurations.

Thanks for your reply. I found a difference: the Cisco example uses ASA version 8.0, but I have version 8.4.

In this case I use crypto ikev instead of crypto isakmp. Should I post my configuration?

I tried my best to follow the instructions, but my ASA has version 8.4 and most of the commands do not work. Please see the configuration below for the ASA5505 and UC540. Thanks for any suggestions.

UC540:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 20
 lifetime 1800
crypto isakmp key 1234567 address 174.142.105.50
crypto isakmp identity hostname
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key 1234567
 dns 4.2.2.2
 pool SDM_POOL_1
 acl 105
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set multisite esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map multisite 88 ipsec-isakmp
 set peer 174.142.105.50
 set transform-set multisite
 match address 110
 qos pre-classify

ASA5505:

ASA Version 8.4(3)
!
hostname jtfw-lex
enable password Yr4Jr0JzJxYTTQQu encrypted
passwd GCdiui.2NH7n52DU encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.29.88.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 174.142.105.50 255.255.255.252
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object service RDP
service tcp source eq 3389
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network jt-dc01
host 172.29.88.151
object network WAN_jt-dc01
host 10.8.8.3
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexinton office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
description Jollytech HQ network
object network obj_colo
subnet 172.29.168.0 255.255.255.0
description Jollytech colo network
object network obj_UC_10
subnet 172.29.10.0 255.255.255.0
object network obj_UC_9
subnet 172.29.9.0 255.255.255.0
object-group network DM_INLINE_NETWORK_1
network-object object obj_UC_10
network-object object obj_UC_9
object-group network DM_INLINE_NETWORK_2
network-object object obj_UC_10
network-object object obj_UC_9
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq netbios-ssn inactive
access-list inside_access_in extended deny tcp any eq netbios-ssn any inactive
access-list inside_access_in extended deny udp any eq 139 any inactive
access-list inside_access_in extended deny udp any any eq 139 inactive
access-list inside_access_in extended deny tcp any any eq 135 inactive
access-list inside_access_in extended deny tcp any eq 135 any inactive
access-list inside_access_in extended deny udp any eq 135 any inactive
access-list inside_access_in extended deny udp any any eq 135 inactive
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq smtp
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq pptp
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq www
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq https
access-list outside_access_in extended permit tcp any host 10.8.8.3 eq 3389
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list outside_cryptomap extended permit ip 172.29.88.0 255.255.255.0 object obj_HQ
access-list VPN_Tunnel_user standard permit 172.29.88.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 172.29.168.0 255.255.255.0
access-list VPN_Tunnel_user standard permit 192.168.88.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object obj_lex object obj_colo
access-list outside_cryptomap_2 extended permit ip object obj_lex object-group DM_INLINE_NETWORK_2
pager lines 24
logging enable
logging asdm informational
logging host inside 172.29.88.30
mtu inside 1500
mtu outside 1500
ip local pool jolly_lex_DHCP 192.168.88.100-192.168.88.120 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service RDP RDP
nat (inside,outside) source static jt-dc01 WAN_jt-dc01 service JT_WWW JT_WWW
nat (inside,outside) source static obj_lex obj_lex destination static obj_HQ obj_HQ route-lookup
nat (inside,outside) source static obj_lex obj_lex destination static obj_colo obj_colo route-lookup
nat (inside,outside) source static obj_lex obj_lex destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 74.142.105.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 172.29.88.0 255.255.255.0 inside
snmp-server host inside 172.29.88.30 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 173.164.111.140
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 198.167.239.218
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 173.164.111.139
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 172.29.88.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 172.29.88.50-172.29.88.100 inside
dhcpd dns 172.29.8.3 166.102.165.11 interface inside
dhcpd domain jollytech.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_173.164.111.140 internal
group-policy GroupPolicy_173.164.111.140 attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username who password JOYSoaqW4x32VHKB encrypted
tunnel-group 173.164.111.140 type ipsec-l2l
tunnel-group 173.164.111.140 general-attributes
default-group-policy GroupPolicy_173.164.111.140
tunnel-group 173.164.111.140 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group 198.167.239.218 type ipsec-l2l
tunnel-group 198.167.239.218 general-attributes
default-group-policy GroupPolicy_173.164.111.140
tunnel-group 198.167.239.218 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group 173.164.111.139 type ipsec-l2l
tunnel-group 173.164.111.139 general-attributes
default-group-policy GroupPolicy_173.164.111.140
tunnel-group 173.164.111.139 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
  inspect pptp
  inspect ftp
  inspect netbios
  inspect icmp
!
service-policy global_policy global
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cddc53660838b5debf9643d088c2affb
: end
no asdm history enable
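Whether the UC540 and the ASA can ever agree on a phase-1 proposal is easier to check by script than by reading both policy lists. The following Python is an added example for this thread, not code from either device or from Cisco: it parses the `crypto isakmp policy` and `crypto ikev1 policy` blocks from constructed excerpts of the two configs above (IOS defaults filled in where a line is omitted; the ASA 8.4 policies are fully specified) and lists the policy pairs that agree on encryption, hash, authentication and DH group.

```python
import re

# IOS fills in these values when a policy line is omitted (e.g. policy 1 above has no hash line).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
KEYS = ("encryption", "hash", "authentication", "group")
HEADER = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")

def parse_policies(config, defaults=None):
    """Map policy number -> the four negotiated attributes of each IKEv1 phase-1 policy."""
    policies, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = policies[m.group(1)] = dict(defaults or {})
        elif not line or line[0] == "!" or line.startswith("crypto"):
            cur = None  # any other top-level command ends the policy block
        elif cur is not None:
            word, _, value = line.partition(" ")
            word = "encryption" if word == "encr" else word  # IOS abbreviates the keyword
            if word in KEYS:
                cur[word] = value.strip()
    return policies

def matching_policies(ios_config, asa_config):
    """(ios, asa) policy pairs that agree on encryption, hash, authentication and DH group."""
    ios, asa = parse_policies(ios_config, IOS_DEFAULTS), parse_policies(asa_config)
    return [(i, a) for i, ip in ios.items() for a, ap in asa.items()
            if all(ip.get(k) == ap.get(k) for k in KEYS)]

# Constructed excerpts of the two configurations posted above (phase-1 policies only).
UC540_POLICIES = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 20
"""
ASA_POLICIES = """\
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
"""

if __name__ == "__main__":
    print(matching_policies(UC540_POLICIES, ASA_POLICIES))  # [('1', '120')]; IOS policy 10 (md5, group 20) matches nothing
```

Feeding the full `show run` of both boxes into `matching_policies` gives the same answer for every policy on each side; an empty list means phase 1 can never complete regardless of the pre-shared key or crypto map.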

You can read documentation about the changed ASA commands, or ask in security forum.
