Cisco 800 VPN config to new ASA5505

mtehonica
Level 5

I have 2 office buildings using Cisco 800 series routers with a L2L VPN between both.  I'm upgrading the router to an ASA5505 at one of the offices but can't figure out the L2L VPN on the ASA.  Specifically, can't figure out how to set the pre-shared key.  On the Cisco 800 it's:

crypto isakmp key <THE_KEY> address <REMOTE_OFFICE_IP>

That doesn't seem to work on the ASA.  Can anyone help out with this?  Here is my current config on the Cisco 800...

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <THE_KEY> address <REMOTE_OFFICE_IP>
!
!
crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer 75.148.153.217
 set security-association lifetime seconds 36000
 set transform-set DUMAC3
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255


Thanks for that.  I think I'm making some progress.  Here is what I have so far...

crypto map houston 10 match address 101
crypto map houston 10 set peer 99.119.80.165
crypto ipsec ikev1 transform-set DUMAC3 esp-3des esp-md5-hmac
crypto map houston 10 set ikev1 transform-set DUMAC3
tunnel-group 99.119.80.165 type ipsec-l2l
tunnel-group 99.119.80.165 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

Is there anything else that I will need to do for this?  Add nat rules so the VPN traffic isn't NAT'd?  Apply the crypto map to an interface?

If your router doesn't run IOS 15.2, then you don't need the IKEv2 config on the ASA.

Yes, the crypto map has to be applied to the interface and you need to exempt the vpn-traffic from translation with Identity NAT:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1102289

Thanks again.  One more question... I already have a crypto map on that interface for my RA ipsec VPN (Cisco VPN Client).  Can I also apply this one or do I need to edit the existing one?  If I need to edit it, what needs to be changed?

Here is my current crypto map:

crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp

Only one crypto-map is allowed per interface. So everything has to go into one CM. Use lower sequence-number for your site-to-site tunnels and a high number (65535) for remote-access.

Could you explain a little further on that?  Not sure how I would use lower/higher seq numbers when I can only have 1 per interface....

In your crypto maps, the "10" and "65535" are the sequence numbers. A combined CM could look like this:

crypto map primaryisp_map 10 match address 101
crypto map primaryisp_map 10 set peer 99.119.80.165
crypto map primaryisp_map 10 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp

Thanks for all the help!  That makes more sense now.  I'll be attempting to implement this tomorrow night.  Just want to make sure everything is lined up.  Here is my "final" config... anything you notice that should be added/changed (obviously it's tough to just look at it and know without testing).  Thanks again!

object network inside
 subnet 192.168.1.0 255.255.255.0
!
object network houston-network
 subnet 192.168.7.0 255.255.255.0
!
access-list syracuse-houston-acl extended permit ip object inside object houston-network
!
nat (inside,primaryisp) source static inside inside destination static houston-network houston-network
!
crypto ipsec ikev1 transform-set DUMAC3 esp-3des esp-md5-hmac
!
crypto map primaryisp_map 1 match address syracuse-houston-acl
crypto map primaryisp_map 1 set peer 99.119.80.165
crypto map primaryisp_map 1 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
!
crypto ikev1 enable primaryisp
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 36000
!
tunnel-group 99.119.80.165 type ipsec-l2l
tunnel-group 99.119.80.165 ipsec-attributes
 ikev1 pre-shared-key *****

This partial config looks good for the S2S-VPN. Nowadays you perhaps should use better crypto (SHA, AES, DH5), but it could work anyway.
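The thread turns on a handful of checks that are easy to miss when moving an L2L tunnel from IOS to the ASA: the pre-shared key must live under the peer's tunnel-group (the ASA equivalent of IOS `crypto isakmp key`), the crypto map must be applied to the interface and IKEv1 enabled on it, the static L2L entry must sit at a lower sequence number than the dynamic remote-access entry in the one map an interface can hold, the crypto ACL networks need identity NAT, and 3DES/MD5/DH group 2 should be replaced. The script below is an added example written for this page, not code from the thread or from Cisco. It lints a pasted `show running-config` for exactly those points. Assumptions: the "weak" algorithm lists are the editor's own floor; `FINAL` is the poster's final config re-typed with running-config indentation (one leading space on sub-mode lines, which the parser relies on); `HARDENED` is an assumed variant using the AES/SHA/DH5 combination the last reply suggests; only the object-form crypto ACL is understood, so the numbered ACL from the earlier draft is reported as unverifiable rather than parsed.

```python
"""Lint a Cisco ASA IKEv1 site-to-site config for the pitfalls raised in this
thread.  Added example, not code from the thread or from Cisco; it understands only
the commands shown above, the object-form crypto ACL, and running-config indentation."""
import re

# Assumption: the editor's floor for "weak"; the last reply only calls 3DES/MD5/DH2 dated.
WEAK_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_GROUPS = {"1", "2"}

def audit_asa(config):
    """Return a sorted list of finding strings for one ASA config text."""
    maps, dyn, applied, ikev1_on = {}, {}, {}, set()
    tsets, tg_type, tg_psk = {}, {}, set()
    acls, nat_identity, findings = {}, set(), []
    mode = None                       # ("tg", peer) or ("policy", n) inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):   # unindented line = back at the top level
            mode = None
        if m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)$", line):
            maps.setdefault((m[1], int(m[2])), {})[m[3].split()[-1]] = m[4]
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic", line):
            dyn[m[1]] = int(m[2])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            applied.setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"crypto ikev1 enable (\S+)", line):
            ikev1_on.add(m[1])
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            tsets[m[1]] = m[2].split()
        elif m := re.match(r"crypto ikev1 policy (\d+)", line):
            mode = ("policy", m[1])
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            tg_type[m[1]] = m[2]
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            mode = ("tg", m[1])
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            if m[1] == m[2] and m[3] == m[4]:     # identity NAT: each object mapped to itself
                nat_identity.add((m[1], m[3]))
        elif mode and mode[0] == "tg" and line.startswith("ikev1 pre-shared-key "):
            tg_psk.add(mode[1])
        elif mode and mode[0] == "policy" and (m := re.match(r"(encryption|hash|group) (\S+)$", line)):
            if m[2] in (WEAK_GROUPS if m[1] == "group" else WEAK_TOKENS):
                findings.append(f"ikev1 policy {mode[1]}: weak '{line}'")

    for (name, seq), e in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        peer, acl, ts = e.get("peer", "<unset>"), e.get("address"), e.get("transform-set")
        if tg_type.get(peer) != "ipsec-l2l":
            findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l'")
        if peer not in tg_psk:            # the IOS 'crypto isakmp key' lives here on the ASA
            findings.append(f"{tag}: no ikev1 pre-shared-key under tunnel-group {peer}")
        if name not in applied:
            findings.append(f"{tag}: crypto map {name} is not applied to any interface")
        findings += [f"{tag}: IKEv1 not enabled on interface {i}" for i in applied.get(name, ()) if i not in ikev1_on]
        if seq > dyn.get(name, 65536):    # the RA dynamic entry must keep the highest sequence
            findings.append(f"{tag}: static entry sequenced after dynamic entry {dyn[name]}")
        findings += [f"{tag}: transform-set {ts} uses weak {tok}" for tok in tsets.get(ts, ()) if tok in WEAK_TOKENS]
        if acl not in acls:
            findings.append(f"{tag}: crypto ACL {acl} missing or not in object form")
        else:
            findings += [f"{tag}: no identity NAT for {s} -> {d}" for s, d in acls[acl] if (s, d) not in nat_identity]
    return sorted(findings)

# Constructed sample: the "final" config posted above, in running-config form.
FINAL = """object network inside
 subnet 192.168.1.0 255.255.255.0
object network houston-network
 subnet 192.168.7.0 255.255.255.0
access-list syracuse-houston-acl extended permit ip object inside object houston-network
nat (inside,primaryisp) source static inside inside destination static houston-network houston-network
crypto ipsec ikev1 transform-set DUMAC3 esp-3des esp-md5-hmac
crypto map primaryisp_map 1 match address syracuse-houston-acl
crypto map primaryisp_map 1 set peer 99.119.80.165
crypto map primaryisp_map 1 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
crypto ikev1 enable primaryisp
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
tunnel-group 99.119.80.165 type ipsec-l2l
tunnel-group 99.119.80.165 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Assumed hardened variant of the same config, using the AES/SHA/DH5 the last reply suggests.
HARDENED = (FINAL.replace("esp-3des esp-md5-hmac", "esp-aes-256 esp-sha-hmac")
            .replace("encryption 3des", "encryption aes-256")
            .replace("hash md5", "hash sha").replace(" group 2", " group 5"))

if __name__ == "__main__":
    for label, cfg in ("FINAL", FINAL), ("HARDENED", HARDENED):
        print(label, *(audit_asa(cfg) or ["clean"]), sep="\n  ")
```

Run as-is it reports five findings against `FINAL`, all of them the 3DES/MD5/DH2 choices the last reply flags, and nothing against `HARDENED`; every other check stays quiet because the posted config already has the tunnel-group PSK, the interface binding, `crypto ikev1 enable`, the 1-before-65535 ordering and the identity NAT in place. Removing any one of those lines from the text before calling `audit_asa` produces the corresponding finding, which is the quick way to confirm a migration did not silently drop a step.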