05-05-2014 06:45 AM - edited 02-21-2020 07:38 PM
Dear Friends,
I need to creat a Site-to-Site IPSec VPN between ASA and Microtic firewall. Microtic Firewall has dynamic IP. Please can any one provide me a good guide to configure at ASA side (CLI). A Video will add more value.
05-05-2014 10:10 AM
this is a very good guide using ASDM.
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/configuration-professional/112153-ccp-vpn-asa-router-config-00.html
and Static to dynamic
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/81883-ipsec-iosrtr-dyn-pix-nat.html
08-28-2014 01:23 AM
Hi,
Here is the CLI Config example for Dynamic VPN peer using ASA.
ciscoasa(config)#show run : Saved : ASA Version 8.0(3) ! hostname ciscoasa enable password 8Ry2YjIyt7RRXU24 encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 209.165.201.2 255.255.255.224 ! interface Ethernet0/1 nameif inside security-level 100 ip address 192.168.100.1 255.255.255.0 ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! passwd 2KFQnbNIdI.2KYOU encrypted ftp mode passive !--- Output suppressed access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 no pager mtu outside 1500 mtu inside 1500 icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-613.bin no asdm history enable arp timeout 14400 ! !--- Define the nat-translation for Internet users global (outside) 1 interface nat (inside) 1 192.168.100.0 255.255.255.0 ! ! !--- Define the nat-exemption policy for VPN traffic nat (inside) 0 access-list nonat ! route outside 0.0.0.0 0.0.0.0 209.165.201.1 1 ! timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout uauth 0:05:00 absolute dynamic-access-policy-record DfltAccessPolicy no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart ! !--- Configure the IPsec transform-set crypto ipsec transform-set myset esp-des esp-md5-hmac ! ! !--- Configure the dynamic crypto map crypto dynamic-map mymap 1 set transform-set myset crypto dynamic-map mymap 1 set reverse-route crypto map dyn-map 10 IPSec-isakmp dynamic mymap crypto map dyn-map interface outside ! !--- Configure the phase I ISAKMP policy crypto isakmp policy 10 authentication pre-share encryption des hash md5 group 2 lifetime 86400 ! ! !--- Configure the default L2L tunnel group parameters tunnel-group DefaultL2LGroup IPSec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect netbios inspect rsh inspect rtsp inspect skinny inspect esmtp inspect sqlnet inspect sunrpc inspect tftp inspect sip inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e : end ciscoasa(config)#
You can follow this to configure your asa as said in the above example config.
Refer the below link for more detail.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html
Regards
Karthik
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide