Local ASA:
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 pre-shared-key testkey
Remote ASA:
access-list vpn_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.1
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key testkey
Show commands to verify:
show crypto isakmp sa
show crypto ipsec sa
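
A pre-deployment consistency check for the two configurations above, as an added example that is not part of the original post: it parses both peers' configuration text and reports the settings that have to line up (mirrored crypto ACL, matching phase 1 parameters, a common transform set, the same pre-shared key, and a tunnel-group named after the crypto map peer). The function names, the sample input and the assumptions of a single ISAKMP policy and network/mask ACL entries are constructed for illustration.

```python
import re

def parse(cfg):
    """Extract peer-matching settings; assumes one ISAKMP policy and net/mask ACL entries."""
    s = {"acl": set(), "isakmp": {}, "ts": set(), "peer": None, "tg": None, "psk": None}
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)", cfg, re.M | re.I).group(1)
    for w in map(str.split, cfg.splitlines()):
        k = [x.lower() for x in w]          # keywords are matched case-insensitively
        if k[:1] == ["access-list"] and w[1:2] == [acl] and len(w) >= 9:
            s["acl"].add(tuple(w[5:9]))     # (src net, src mask, dst net, dst mask)
        elif k[:3] == ["crypto", "ipsec", "transform-set"]:
            s["ts"].add(tuple(k[4:]))       # compare the algorithms, not the local name
        elif k[:3] == ["crypto", "isakmp", "policy"] and len(k) >= 6:
            s["isakmp"][k[4]] = k[5]
        elif k[:2] == ["crypto", "map"] and k[4:6] == ["set", "peer"] and len(w) > 6:
            s["peer"] = w[6]
        elif k[:1] == ["tunnel-group"] and k[2:3] == ["type"]:
            s["tg"] = w[1]
        elif k[:1] == ["pre-shared-key"] and len(w) > 1:
            s["psk"] = w[1]                 # key text is case-sensitive, keep as written
    return s

def mismatches(a, b):
    """Return the settings on which the two parsed peers disagree."""
    checks = [
        (a["acl"] == {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}, "crypto ACLs not mirrored"),
        (a["ts"] & b["ts"], "no common transform set"),
        (a["psk"] == b["psk"], "pre-shared keys differ"),
        (a["peer"] == a["tg"] and b["peer"] == b["tg"], "tunnel-group name != crypto map peer"),
    ]
    checks += [(a["isakmp"].get(k) == b["isakmp"].get(k), f"isakmp {k} differs")
               for k in ("authentication", "encryption", "hash", "group")]
    return [msg for ok, msg in checks if not ok]

# Constructed sample input: this page's configuration, reduced to the lines parse() reads.
TEMPLATE = """\
access-list vpn_cryptomap extended permit ip {src} 255.255.255.0 {dst} 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer {peer}
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
tunnel-group {peer} type ipsec-l2l
 pre-shared-key testkey
"""
LOCAL = TEMPLATE.format(src="10.0.0.0", dst="192.168.0.0", peer="1.1.1.2")
REMOTE = TEMPLATE.format(src="192.168.0.0", dst="10.0.0.0", peer="1.1.1.1")
```

`show running-config` prints the pre-shared key as asterisks, so the key comparison is only meaningful on unmasked configuration text such as the output of `more system:running-config`.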