cisco ASA site to site vpn configuration

vinoth13.c
Level 1

I am going to configure a site-to-site VPN in my lab.

I am using two ASAs.

What are the parameters that must match between the peers?

Phase 1 configuration:
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
Should this match on the other peer?

The key should match; this is one I have confirmed.

Should the tunnel-group name or IP match, or can it be different between the peers?

Should the parameters below match between the peers?

access-list name?

transform-set name?

crypto map name?

Can someone give the answer?

Thanks

Accepted Solution

GioGonza
Level 4

Hello @vinoth13.c

You need to match Phase 1 and Phase 2 parameters in order to be able to build the VPN tunnel; you can check this link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

Now, your configuration on Phase 1 should match the other end, and it doesn't if the numbers are different.

Also, the ACL, transform-set and crypto map names shouldn't need to match; you can have different names on both sides and this should work, but if you want to, for documentation purposes or template configuration, you can use the same on each device.

HTH

Gio


3 Replies

Thanks for the quick reply.

I have verified the document; in that, the tunnel-group is configured with the same IP on both peers?

Can you clarify that?

Thanks


Hello @vinoth13.c

Yes, the same IP you used on the crypto map will serve as the name in the tunnel-group configuration. If you want to use names, you need to change the command "crypto isakmp identity auto" (default) to "crypto isakmp identity hostname/ike-id", but as this is a global command it will affect the rest of the VPN tunnels.

I would suggest using the IP address instead of names.

HTH

Gio
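The two points Gio makes above (Phase 1 and Phase 2 values must match while ACL, transform-set and crypto map names may differ, and with the default isakmp identity the tunnel-group name is the peer IP) can be checked mechanically before bringing up the lab. This is an added example, not code from the thread or from Cisco; the peer addresses, policy numbers and object names are constructed lab values, and it assumes IKEv1 configs laid out as shown.

```python
import re

# Constructed two-peer lab configs (not from the thread); the peer addresses 192.0.2.1
# (ASA-A) and 198.51.100.1 (ASA-B) are assumed documentation-range values.
ASA_A = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-A esp-aes esp-sha-hmac
crypto map MAP-A 10 set peer 198.51.100.1
tunnel-group 198.51.100.1 type ipsec-l2l
"""
ASA_B = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 28800
crypto ipsec ikev1 transform-set SITE-TS esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 20 set peer 192.0.2.1
tunnel-group 192.0.2.1 type ipsec-l2l
"""

def parse_asa(cfg):
    """Collect IKEv1 policy attributes, transform-set proposals, crypto-map peer and tunnel-group name."""
    blocks = re.findall(r"^crypto ikev1 policy \d+\n((?: .+\n)+)", cfg, re.M)   # policy number is local only
    # lifetime is negotiated down to the lower value, so it is left out of the comparison
    policies = {frozenset(tuple(l.split(None, 1)) for l in b.splitlines()
                          if not l.strip().startswith("lifetime")) for b in blocks}
    tsets = {tuple(p.split()) for p in re.findall(r"^crypto ipsec ikev1 transform-set \S+ (.+)$", cfg, re.M)}
    peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M)
    tgroup = re.search(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M)
    return {"policies": policies, "tsets": tsets,
            "peer": peer and peer.group(1), "tgroup": tgroup and tgroup.group(1)}

def check_peers(cfg_a, cfg_b):
    """Return the mismatches that would keep the L2L tunnel down (empty list means consistent)."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    # With the default "crypto isakmp identity auto", the tunnel-group name must be the peer IP.
    issues = [f"{n}: tunnel-group {s['tgroup']} is not the peer IP {s['peer']}"
              for n, s in (("ASA-A", a), ("ASA-B", b)) if s["tgroup"] != s["peer"]]
    for key, what in (("policies", "IKEv1 policy attributes"), ("tsets", "transform-set proposals")):
        if not a[key] & b[key]:            # names differ on purpose; only the values are compared
            issues.append(f"no matching {what} on both peers")
    return issues
```

The sample configs use different policy numbers, object names and lifetimes on each side and still pass, because only the negotiated values are compared.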