07-10-2012 12:30 AM
Hello,
I would like to find documentation on how to configure an IPsec VPN, but so far without success.
At my office there are two uplinks, LAN and Backup, both connected to an ASA5510 (with static IPs), and I would like to create an IPsec tunnel to the data center, where I have another ASA5510 with one uplink.
Thanks.
07-10-2012 01:16 AM
Please let me know if my understanding is wrong.... You want to create IPsec VPN connectivity between your branch office and a data centre.... In your office you have the LAN connected to two WAN links, say Link 1 and Link 2, but in the data centre you have only one WAN link into the outside interface of the firewall. You want to make your IPsec VPN between branch and DC work over both links from your branch office LAN.
07-10-2012 01:26 AM
Yes, that is right. I want the IPsec tunnel to the data center to keep working through the backup link if the primary uplink in the office fails.
Thanks
07-10-2012 02:10 AM
Okay... great... What kind of IPsec VPN are you going to use, Site-to-Site or Client-to-Site? Give me the details on this and let me try to put a solution together for you.
07-10-2012 02:12 AM
If you have a network diagram representing the same, please share that as well...
07-10-2012 03:38 AM
Hello,
I would like to use a Site-to-Site IPsec VPN.
At this moment I don't have a network diagram, but it looks like this:
---primary (ext 1.1.1.1/29) uplink---
Office --- internet --- Data center (ext 3.3.3.3/29, int 192.168.0.0/24)
---backup (ext 2.2.2.2/29) uplink---
Thanks
07-10-2012 04:43 AM
Hi Zigmunds,
The configuration below is just an example... you can try this out.... it should work as far as I know... please work with this model and let me know if you get the results... hoping for a good result...
Site 1 with 2 Internet Links
=================================
Outbound Access-List
====================
access-list in-to-out extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list in-to-out extended permit
access-list in-to-out extended deny ip any any
!
access-group in-to-out in interface inside
!
access-list Outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list Outside_1_cryptomap2 extended permit ip 192.168.200.0 255.255.255.0 192.168.2.0 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map_link1 10 match address Outside_1_cryptomap
crypto map Outside_map_link1 10 set peer 3.3.3.3
crypto map Outside_map_link1 10 set transform-set ESP-3DES-SHA
crypto map Outside_map_link1 interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map_link2 20 match address Outside_1_cryptomap2
crypto map Outside_map_link2 20 set peer 3.3.3.3
crypto map Outside_map_link2 20 set transform-set ESP-3DES-SHA1
crypto map Outside_map_link2 interface Outside1
crypto isakmp enable Outside1
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key cisco
!
Data Centre
=============
access-list outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list outbound extended permit
access-list outbound extended deny ip any any
!
access-group outbound in interface inside
!
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Outside_1_cryptomap1 extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
!
global (outside) 1
nat (inside) 2 access-list Outside_1_cryptomap1
nat (inside) 1 access-list Outside_1_cryptomap
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 1.1.1.1
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key cisco
!
! Second entry for the office backup uplink: the peer must be 2.2.2.2 so that it matches tunnel-group 2.2.2.2 below
crypto map Outside_map 20 match address Outside_1_cryptomap1
crypto map Outside_map 20 set peer 2.2.2.2
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key cisco
!
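A config of this size is easy to get subtly wrong (the data-centre side in the original post had both crypto map entries pointing at 1.1.1.1 while a tunnel-group for 2.2.2.2 sat unused, and two entries carrying identical traffic selectors). The following checker is an added example written for this thread; it is not a Cisco tool and not part of the post above. It assumes the pre-8.3 ASA syntax used here and a handful of hypothetical names (`parse`, `check`, `SAMPLE_CONFIG`). The sample config is a constructed, trimmed copy of the data-centre side with the original defect kept in, so the checker has something to report: peers without a matching `tunnel-group ... type ipsec-l2l`, undefined ACLs or transform sets, crypto map entries whose selectors duplicate an earlier entry (only the lower sequence number ever matches), tunnel-groups nothing points at, placeholder pre-shared keys, and legacy algorithms (DES/3DES, MD5, DH groups 1 and 2).

```python
"""Consistency checker for ASA-style site-to-site crypto configuration (example tool)."""
import re
from collections import defaultdict

# Constructed sample: the data-centre side from the thread, trimmed, with the
# original defect kept (entry 20 points at 1.1.1.1 although tunnel-group 2.2.2.2 exists).
SAMPLE_CONFIG = """
access-list Outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list Outside_1_cryptomap1 extended permit ip 192.168.2.0 255.255.255.0 192.168.200.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Outside_map 10 match address Outside_1_cryptomap
crypto map Outside_map 10 set peer 1.1.1.1
crypto map Outside_map 10 set transform-set ESP-3DES-SHA
crypto map Outside_map 20 match address Outside_1_cryptomap1
crypto map Outside_map 20 set peer 1.1.1.1
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp policy 10
 encryption 3des
 group 2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key cisco
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key cisco
"""

ACL_RE = re.compile(r'^access-list (\S+) extended (.+)$')
TS_RE = re.compile(r'^crypto ipsec transform-set (\S+) (.+)$')
CM_RE = re.compile(r'^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (.+)$')
TG_RE = re.compile(r'^tunnel-group (\S+) (type|ipsec-attributes)(?: (\S+))?$')
PSK_RE = re.compile(r'^pre-shared-key (\S+)$')
LEGACY = {'encryption des', 'encryption 3des', 'hash md5', 'group 1', 'group 2'}
PLACEHOLDER_PSKS = {'cisco', 'cisco123', 'password'}  # obvious example keys, never for production


def parse(config):
    """Collect ACLs, transform sets, crypto map entries, tunnel groups and legacy settings."""
    cfg = {'acls': defaultdict(list), 'transform_sets': set(),
           'entries': defaultdict(dict), 'tunnel_groups': {}, 'legacy': []}
    current_tg = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith('!'):
            continue
        if m := ACL_RE.match(line):
            cfg['acls'][m.group(1)].append(m.group(2))
        elif m := TS_RE.match(line):
            cfg['transform_sets'].add(m.group(1))
            if 'esp-des' in m.group(2) or 'esp-3des' in m.group(2):
                cfg['legacy'].append(line)
        elif m := CM_RE.match(line):
            # 'set peer' may list several addresses (primary then backups), so keep a list
            cfg['entries'][(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4).split()
        elif m := TG_RE.match(line):
            tg = cfg['tunnel_groups'].setdefault(m.group(1), {'type': None, 'psk': None})
            if m.group(2) == 'type':
                tg['type'] = m.group(3)
            current_tg = tg  # indented attribute lines that follow belong to this group
        elif m := PSK_RE.match(line):
            if current_tg is not None:
                current_tg['psk'] = m.group(1)
        elif line in LEGACY:
            cfg['legacy'].append(line)
    return cfg


def check(cfg):
    """Return (severity, message) findings; an empty list means the crypto config is consistent."""
    findings = []
    selectors_seen = {}  # (map name, frozenset of ACEs) -> first sequence using them
    for (name, seq), attrs in sorted(cfg['entries'].items()):
        where = f'crypto map {name} {seq}'
        for peer in attrs.get('set peer', []):
            tg = cfg['tunnel_groups'].get(peer)
            if tg is None or tg['type'] != 'ipsec-l2l':
                findings.append(('error', f'{where}: peer {peer} has no tunnel-group of type ipsec-l2l'))
            elif tg['psk'] in PLACEHOLDER_PSKS:
                findings.append(('warn', f'{where}: tunnel-group {peer} uses a placeholder pre-shared key'))
        for ts in attrs.get('set transform-set', []):
            if ts not in cfg['transform_sets']:
                findings.append(('error', f'{where}: transform-set {ts} is not defined'))
        acl = attrs.get('match address', [None])[0]
        if acl is None or acl not in cfg['acls']:
            findings.append(('error', f'{where}: match address {acl} is missing or undefined'))
        else:
            key = (name, frozenset(cfg['acls'][acl]))
            if key in selectors_seen:
                findings.append(('error', f'{where}: same traffic selectors as entry '
                                          f'{selectors_seen[key]}; the lower sequence always wins'))
            else:
                selectors_seen[key] = seq
    referenced = {p for a in cfg['entries'].values() for p in a.get('set peer', [])}
    for peer, tg in cfg['tunnel_groups'].items():
        if tg['type'] == 'ipsec-l2l' and peer not in referenced:
            findings.append(('warn', f'tunnel-group {peer}: no crypto map entry points at it'))
    for line in cfg['legacy']:
        findings.append(('warn', f'legacy algorithm in use: {line}'))
    return findings


if __name__ == '__main__':
    for severity, msg in check(parse(SAMPLE_CONFIG)):
        print(f'[{severity}] {msg}')
```

On the sample the checker reports the duplicate-selector error for entry 20, the unreferenced tunnel-group 2.2.2.2, the placeholder key `cisco`, and the 3DES / DH group 2 settings. The way the ASA itself expects peer redundancy to be expressed is a single crypto map entry listing both office addresses, `crypto map Outside_map 10 set peer 1.1.1.1 2.2.2.2`, with a tunnel-group for each address; the checker returns no findings for that shape, and it is worth running over both ends before the cut-over test, because a mismatch between `set peer` and the tunnel-group only shows up when the primary link actually fails.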
07-10-2012 05:12 AM
Hello,
I found that on the data center side of the VPN configuration I have to change only one line:
crypto map
Is it correct?
Thanks.