First VPN Connection

jfraasch
Level 3

I have a need to configure a router to a Cisco ASA.  Now, somebody else owns the ASA so I don't need to know that side.  I have a Cisco 1921 Router with the K9 package that I need to build the VPN.

The config on the ASA is below.  There is only one tricky thing here and that is that my local addresses on my side need to be NAT'd before going across the tunnel:

access-list inside_nat0_outbound line 26 extended permit ip 10.23.32.0 255.255.255.240 10.23.128.96 255.255.255.240
access-list outside_16_cryptomap line 1 extended permit ip 10.23.32.0 255.255.255.240 10.23.128.96 255.255.255.240
!
group-policy Cust-CPTM-ATO internal
group-policy Cust-CPTM-ATO attributes
 vpn-filter value VPNfilter-Cust-CPTM-ATO
 vpn-tunnel-protocol ipsec
!
tunnel-group 189.44.104.211 type ipsec-l2l
tunnel-group 189.44.104.211 ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
tunnel-group 189.44.104.211 general-attributes
 default-group-policy Cust-CPTM-ATO
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 16 match address outside_16_cryptomap
crypto map outside_map 16 set pfs group5
crypto map outside_map 16 set peer 189.44.104.211
(189.44.104.211 will be my IP address)
crypto map outside_map 16 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
!
access-list VPNfilter-Cust-CPTM-ATO extended permit tcp 10.23.128.96 255.255.255.240 eq ssh 10.23.32.0 255.255.255.240 gt 1024
access-list VPNfilter-Cust-CPTM-ATO extended permit tcp 10.23.128.96 255.255.255.240 eq telnet 10.23.32.0 255.255.255.240 gt 1024
access-list VPNfilter-Cust-CPTM-ATO extended permit tcp 10.23.128.96 255.255.255.240 eq 3389 10.23.32.0 255.255.255.240 gt 1024
access-list VPNfilter-Cust-CPTM-ATO extended permit tcp 10.23.128.96 255.255.255.240 eq https 10.23.32.0 255.255.255.240 gt 1024
access-list VPNfilter-Cust-CPTM-ATO extended permit icmp 10.23.128.96 255.255.255.240 10.23.32.0 255.255.255.240

On my side I have a local e0 interface on my router, 10.100.0.0/28.  I have about 10 hosts that will need to be allowed over this VPN.  They will need to be NATed to 10.23.32.0/28 to go across.  One-to-one NATs are preferable.

Any help anyone can provide here would be great. Doesn't Cisco have a GUI for their router interface yet that can build VPNs like this?
James
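For reference, here is an IOS-side configuration that mirrors the ASA parameters quoted in the question (AES-128/SHA, PFS group 5, pre-shared key, keepalive 10/2) and does the one-to-one NAT of 10.100.0.0/28 to 10.23.32.0/28 before encryption. It is an added example, not configuration from the original post or from Cisco; the ASA peer address, pre-shared key, ISP next hop, interface roles, outside mask, and the ISAKMP policy (not shown in the ASA snippet) are assumptions marked as such.

```cisco
! Phase 1 (ISAKMP). The ASA snippet does not show its isakmp policy, so
! AES-128 / SHA-1 / DH group 5 / pre-shared key is ASSUMED here to match the
! transform set and PFS group it does show; confirm with the ASA owner.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PRE-SHARED-KEY> address <ASA-PEER-IP>
! Matches "isakmp keepalive threshold 10 retry 2" on the ASA
crypto isakmp keepalive 10 2
!
! Phase 2: same transform set as the ASA's ESP-AES-128-SHA
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! One-to-one NAT of the whole /28: 10.100.0.1 -> 10.23.32.1, .2 -> .2, etc.
! IOS translates inside->outside traffic BEFORE it is encrypted, and
! decrypts outside->inside traffic BEFORE it is untranslated, so a single
! static network mapping is enough and the ASA only ever sees 10.23.32.0/28.
ip nat inside source static network 10.100.0.0 10.23.32.0 /28
!
! Interesting traffic is written with the TRANSLATED source, mirroring the
! ASA's outside_16_cryptomap ACL (wildcard 0.0.0.15 = /28)
ip access-list extended VPN-TO-CPTM
 permit ip 10.23.32.0 0.0.0.15 10.23.128.96 0.0.0.15
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 description L2L to Cust-CPTM-ATO ASA
 set peer <ASA-PEER-IP>
 set transform-set ESP-AES-128-SHA
 set pfs group5
 match address VPN-TO-CPTM
!
! Interface roles and the outside mask are assumed: Gi0/0 outside, Gi0/1 inside
interface GigabitEthernet0/0
 description Outside - 189.44.104.211
 ip address 189.44.104.211 255.255.255.252
 ip nat outside
 crypto map OUTSIDE-MAP
!
interface GigabitEthernet0/1
 description Inside - hosts to be NATed across the tunnel
 ip address 10.100.0.14 255.255.255.240
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 <ISP-NEXT-HOP>
```

Verify with show crypto isakmp sa, show crypto ipsec sa and show ip nat translations, and test only the services the ASA's vpn-filter allows (ssh, telnet, 3389, https, icmp), since anything else is dropped on the far side. Note that the static mapping applies to all traffic from those hosts, so if they also need ordinary internet access through a PAT overload the translation must be made conditional with a route-map, which this snippet does not show.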

1 Reply

Marvin Rhoads
Hall of Fame

Re the GUI, Cisco Configuration Professional does site-site VPNs and much more. Download and install the full PC-based version (cisco-config-pro-k9-pkg-2_7-en.zip) for free from here.

How to set up site-site VPN is covered in detail in Chapter 25 of the User Guide.