
Convert Site-to-Site VPN from PIX to ASA 8.2

jgeorge
Level 1

I have been working on converting a config over from a PIX to an ASA 8.2 but I am running into some trouble with the site-to-site VPN. The PIX has both a client VPN and site-to-site. Since some of the configs for the site-to-site cross over the client VPN, I'm getting confused. Any help would be appreciated.

Below are excerpts of just the related VPN commands from the PIX.

access-list Remote_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any

access-list inside_outbound_nat0_acl permit ip any 192.168.0.160 255.255.255.240

access-list inside_outbound_nat0_acl permit ip host Zenoss_OS NOC 255.255.255.0

access-list inside_outbound_nat0_acl permit ip host SilverBack NOC 255.255.255.0

access-list inside_outbound_nat0_acl permit ip host Zenoss_Hardware NOC 255.255.255.0

access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.160 255.255.255.240

access-list outside_cryptomap_20 permit ip host Zenoss_OS NOC 255.255.255.0

access-list outside_cryptomap_20 permit ip host SilverBack NOC 255.255.255.0

access-list outside_cryptomap_20 permit ip host Zenoss_Hardware NOC 255.255.255.0

ip local pool DHCP_Pool 192.168.0.161-192.168.0.174

nat (inside) 0 access-list inside_outbound_nat0_acl

sysopt connection permit-vpn

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 205.x.29.41

crypto map outside_map 20 set transform-set ESP-DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client authentication LOCAL

crypto map outside_map interface outside

isakmp enable outside

isakmp key KEY address 205.x.29.41 netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 180

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash sha

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup GHA_Remote address-pool DHCP_Pool

vpngroup GHA_Remote dns-server 192.168.0.11

vpngroup GHA_Remote wins-server 192.168.0.11

vpngroup GHA_Remote default-domain x.org

vpngroup GHA_Remote split-tunnel Remote_splitTunnelAcl

vpngroup GHA_Remote idle-time 1800

vpngroup GHA_Remote password KEY

I guess what I am really asking is if someone can convert the site-to-site version of this VPN config to ASA 8.2 so I can compare it to what I have. I need to have this so I can just drop it in place and work.

Also it doesn't seem that isakmp policy 40 is being used, correct?

Accepted Solutions

Kelvin Willacey
Level 4

On your ASA in configuration mode, just type vpnsetup ipsec-remote-access steps or vpnsetup site-to-site steps and it will list what is required, or you can download the PIX to ASA migration tool.
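
For comparison, an added example (not from either poster, and not output of vpnsetup or the migration tool) of how the site-to-site lines in the question map to ASA 8.2 syntax. The client VPN lines (vpngroup, dynamic map, address pool, split-tunnel ACL and the 192.168.0.160 ACL entries) are left out. It assumes the name entries (Zenoss_OS, SilverBack, Zenoss_Hardware, NOC) and the inside/outside interface names already exist on the ASA.

```cisco
! Constructed translation of the site-to-site lines posted in the question.
! Assumption: "name" entries and interface names are already configured.

! Interesting traffic and NAT exemption ("extended" as the ASA displays it)
access-list outside_cryptomap_20 extended permit ip host Zenoss_OS NOC 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host SilverBack NOC 255.255.255.0
access-list outside_cryptomap_20 extended permit ip host Zenoss_Hardware NOC 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host Zenoss_OS NOC 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host SilverBack NOC 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip host Zenoss_Hardware NOC 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
sysopt connection permit-vpn

! Phase 2: crypto map entry 20 references only ESP-DES-SHA
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 205.x.29.41
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside

! Phase 1: ISAKMP policies are global, not tied to one peer. Both are
! carried over because the page does not show which one the peer negotiates.
crypto isakmp enable outside
crypto isakmp nat-traversal 180
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

! PIX "isakmp key ... no-xauth no-config-mode" becomes a LAN-to-LAN tunnel group
tunnel-group 205.x.29.41 type ipsec-l2l
tunnel-group 205.x.29.41 ipsec-attributes
 pre-shared-key KEY
```

DES and MD5 are carried over only so the proposals still match the existing peer; moving to stronger algorithms means changing both ends of the tunnel together.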
