Friday, December 4, 2009

Configuring a Site to Site VPN between two Cisco ASA Firewalls

Local ASA:
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key testkey


Remote ASA:
access-list vpn_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.1
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA

crypto map vpn_map interface outside

crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key testkey

Show commands to verify (the tunnel is built on demand, so send traffic between the two LANs first; the first command shows the phase 1 IKE SA, the second the phase 2 IPsec SAs and their packet counters):

show crypto isakmp sa
show crypto ipsec sa
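Most site-to-site failures on this kind of setup come from the two ends not lining up: crypto ACLs that are not mirror images, a different transform-set or ISAKMP proposal, a missing nat 0 exemption, or a mistyped pre-shared key. The following checker is an added example, not part of the original post: it parses the two configurations above (the remote block is derived from the local one by swapping the LANs and peer, exactly as it appears in the post), extracts the VPN-relevant statements with a small set of regexes that cover only the syntax used here, and reports any mismatch. It assumes a single crypto-map entry per side, and the 20-character pre-shared-key threshold is a choice made for this example.

```python
import re

# Constructed copy of the post's "Local ASA" configuration (blank lines dropped).
LOCAL_CFG = """
access-list vpn_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map vpn_map 10 match address vpn_cryptomap
crypto map vpn_map 10 set peer 1.1.1.2
crypto map vpn_map 10 set transform-set ESP-AES-256-SHA
crypto map vpn_map interface outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key testkey
"""

# The post's "Remote ASA" block is the same text with the two LANs swapped and the
# peer address changed, so it is derived here instead of being typed a second time.
_SWAP = {"10.0.0.0": "192.168.0.0", "192.168.0.0": "10.0.0.0", "1.1.1.2": "1.1.1.1"}
REMOTE_CFG = re.sub(r"10\.0\.0\.0|192\.168\.0\.0|1\.1\.1\.2", lambda m: _SWAP[m[0]], LOCAL_CFG)


def parse_asa(cfg):
    """Pull the VPN-relevant statements out of a flat ASA config (subset of the syntax only)."""
    d = {"acls": {}, "nat0": None, "ts": {}, "cmap": {}, "isakmp": {}, "tg": {}}
    tg = None  # tunnel-group whose ipsec-attributes sub-mode we are in
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$", line):
            d["acls"].setdefault(m[1], set()).add((m[2], m[3]))  # (src net/mask, dst net/mask)
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            d["nat0"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line, re.I):
            d["ts"][m[1]] = tuple(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            d["cmap"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := re.match(r"crypto isakmp policy (\d+) (\S+) (\S+)", line):
            d["isakmp"].setdefault(int(m[1]), {})[m[2]] = m[3]
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            d["tg"][m[1]] = {"type": m[2]}
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line, re.I):
            tg = m[1]
        elif (m := re.match(r"pre-shared-key (\S+)", line)) and tg:
            d["tg"].setdefault(tg, {})["psk"] = m[1]
    return d


def check_site_to_site(local, remote):
    """Cross-check the two ends; an empty list means the settings line up."""
    findings, acls, tss, psks = [], [], [], []
    for name, cfg in (("local", local), ("remote", remote)):
        # Assumption: a single crypto-map entry per side, as in the post.
        entry = next(iter(cfg["cmap"].values()))
        acl = cfg["acls"].get(entry.get("match address"), set())
        # Interesting traffic must also be exempt from NAT, or it never matches the crypto ACL.
        if acl - cfg["acls"].get(cfg["nat0"], set()):
            findings.append(f"{name}: VPN traffic is not exempted from NAT")
        ts = cfg["ts"].get(entry.get("set transform-set"))
        if ts is None:
            findings.append(f"{name}: crypto map references an undefined transform-set")
        tg = cfg["tg"].get(entry.get("set peer"), {})
        if tg.get("type") != "ipsec-l2l":
            findings.append(f"{name}: no ipsec-l2l tunnel-group for peer {entry.get('set peer')}")
        acls.append(acl), tss.append(ts), psks.append(tg.get("psk"))
    # Phase 2 proxy IDs: each (src, dst) on one end must appear as (dst, src) on the other.
    if {(dst, src) for src, dst in acls[0]} != acls[1]:
        findings.append("crypto ACLs are not mirror images (phase 2 proxy-ID mismatch)")
    if tss[0] != tss[1]:
        findings.append("transform-sets differ between peers")
    # Phase 1: some policy pair must agree on these four attributes (lifetime is negotiated down).
    keys = ("authentication", "encryption", "hash", "group")
    props = [{tuple(p.get(k) for k in keys) for p in c["isakmp"].values()} for c in (local, remote)]
    if not props[0] & props[1]:
        findings.append("no ISAKMP policy is common to both peers (phase 1 will fail)")
    if psks[0] != psks[1]:
        findings.append("pre-shared keys differ between peers")
    elif psks[0] is not None and len(psks[0]) < 20:  # threshold chosen for this example
        findings.append(f"pre-shared key is only {len(psks[0])} characters; use a long random key")
    return findings


if __name__ == "__main__":
    for f in check_site_to_site(parse_asa(LOCAL_CFG), parse_asa(REMOTE_CFG)) or ["no mismatches found"]:
        print(f)
```

Run against the post's two configurations the only finding is the short pre-shared key; change one end's transform-set or one network in its crypto ACL and the corresponding mismatch is reported, which is what a `show crypto ipsec sa` with no SAs would otherwise leave you guessing at.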

1 comment:

  1. Here's a cisco asa site to site vpn tutorial:

    http://www.certvideos.com/cisco-asa-site-to-site-vpn-configuration/