TOPIC: Anyone got an ASA Site-to-Site VPN Guide

Anyone got an ASA Site-to-Site VPN Guide 7 years 8 months ago #28685

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi peeps,

It's been ages since I have played around with the PIX/ASA, and at the weekend I am supposed to be setting up a new Site-to-Site VPN (there are none currently configured).

Does anyone have a guide on how this is done to refresh the old grey matter? If not then not to worry, I'm sure it'll come back to me when in front of the CLI.

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Anyone got an ASA Site-to-Site VPN Guide 7 years 8 months ago #28686

  • r0nni3
  • Distinguished Member
  • Posts: 107
  • Karma: 0
Hey Smurf,

I uploaded a PDF file that describes a nice way to make a site-to-site VPN.
It's called Easy VPN. It's sort of a remote-connection VPN but then for site-to-site! Which means it doesn't matter which source address you use for your VPN and it always works (this is very useful if you get an address by DHCP from your provider or have a failover configuration).

I can also give you a few examples of regular vpn configurations so let me know if you want those instead.

PDF-file for easy vpn: www.megaupload.com/nl/?d=BNVVBRFG

Ron.
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream

Re: Anyone got an ASA Site-to-Site VPN Guide 7 years 8 months ago #28687

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Kewl, thanks for the prompt reply. I have just been reading something similar ;-)

If you have time to throw a few example configs together, that would be mint.

Cheers

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Anyone got an ASA Site-to-Site VPN Guide 7 years 8 months ago #28688

  • r0nni3
  • Distinguished Member
  • Posts: 107
  • Karma: 0
Sure, no problem:

Here's a little example:

access-list VPN extended permit ip 192.168.X.0 255.255.255.0 192.168.X.0 255.255.255.0

--access-list for your traffic of interest (from-to)--

access-list nonat extended permit ip 192.168.X.0 255.255.255.0 192.168.X.0 255.255.255.0

--access-list for your no-nat--

nat (inside) 0 access-list nonat

--the actual configuration of your no-nat (pre-8.3 NAT syntax)--

crypto ipsec transform-set algemeen esp-aes esp-sha-hmac

--the transform-set for your VPN--

crypto map ExampleVPN 1 match address VPN

--to match your access-list for traffic of interest--

crypto map ExampleVPN 1 set peer IPHERE

--the remote end of your VPN--

crypto map ExampleVPN 1 set transform-set algemeen

--to select your transform-set--

crypto map ExampleVPN interface outside

--applies the crypto map to the outside interface; without this line the map is never used and no tunnel comes up--

crypto isakmp enable outside

--enables isakmp on the outside interface (or whatever nameif you gave to the interface)--

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

--isakmp policy for the VPN--

crypto isakmp nat-traversal 20

--this is needed to be able to send traffic if the remote end is behind NAT--

tunnel-group NAMEORIPHERE type ipsec-l2l

--here you configure whether the tunnel is site-to-site or remote access--

tunnel-group NAMEORIPHERE ipsec-attributes
 pre-shared-key PSKHERE

--pre-shared-key to authenticate your VPN with the remote endpoint--

And for the other side just mirror the access-lists and change the remote peer addresses and you're done!
(At least I hope I didn't forget anything, I just did this out of my head.)


Ron
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
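Added example, not Ron's config or any Cisco tooling: a Python script that builds both ends of the site-to-site config from the pieces walked through above and checks that the two traffic-of-interest ACLs really mirror each other, which is the step most often botched when the second side is typed by hand. It also emits the `crypto map ... interface outside` binding. The site names, documentation-range addresses and PSK are constructed placeholders; the `nat (inside) 0` line follows the post's pre-8.3 syntax.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Site:
    name: str
    peer_ip: IPv4Address   # public address of this ASA's outside interface
    lan: IPv4Network       # protected network behind this ASA

def site_to_site_config(local: Site, remote: Site, psk: str) -> str:
    """ASA config (pre-8.3 NAT syntax) for `local`, peering with `remote`."""
    l, r = local.lan, remote.lan
    acl = f"permit ip {l.network_address} {l.netmask} {r.network_address} {r.netmask}"
    lines = [
        f"access-list VPN extended {acl}",          # traffic of interest (from-to)
        f"access-list nonat extended {acl}",        # same pair, exempted from NAT
        "nat (inside) 0 access-list nonat",
        "crypto ipsec transform-set algemeen esp-aes esp-sha-hmac",
        "crypto map ExampleVPN 1 match address VPN",
        f"crypto map ExampleVPN 1 set peer {remote.peer_ip}",
        "crypto map ExampleVPN 1 set transform-set algemeen",
        "crypto map ExampleVPN interface outside",  # bind the map; easily forgotten
        "crypto isakmp enable outside",
        "crypto isakmp policy 10",
        " authentication pre-share", " encryption aes", " hash sha",
        " group 2", " lifetime 86400",
        "crypto isakmp nat-traversal 20",
        # an L2L tunnel-group using a pre-shared key is named after the peer's IP
        f"tunnel-group {remote.peer_ip} type ipsec-l2l",
        f"tunnel-group {remote.peer_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return "\n".join(lines) + "\n"

def crypto_acl(cfg: str):
    """Return (src, src_mask, dst, dst_mask) from the 'VPN' access-list."""
    return tuple(next(x for x in cfg.splitlines() if x.startswith("access-list VPN ")).split()[5:9])

def mirrors(cfg_a: str, cfg_b: str) -> bool:
    """True if B's traffic-of-interest ACL is the exact reverse of A's."""
    sa, ma, da, mda = crypto_acl(cfg_a)
    sb, mb, db, mdb = crypto_acl(cfg_b)
    return (sa, ma) == (db, mdb) and (da, mda) == (sb, mb)

# Constructed sample sites using documentation address ranges, not real hosts.
HQ = Site("HQ", IPv4Address("203.0.113.1"), IPv4Network("192.168.1.0/24"))
BRANCH = Site("Branch", IPv4Address("198.51.100.1"), IPv4Network("192.168.2.0/24"))
if __name__ == "__main__":
    for local, remote in ((HQ, BRANCH), (BRANCH, HQ)):
        print(f"! ---- {local.name} ----\n{site_to_site_config(local, remote, 'EXAMPLE-PSK')}")
```

Run it to print both configs; the `mirrors` check is what you would apply to the two saved configs before pasting them in.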

Re: Anyone got an ASA Site-to-Site VPN Guide 7 years 8 months ago #28689

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
Cheers for that :wink:
crypto isakmp nat-traversal 20

The commands are now coming back to me but that one's new, thanks for the comment.

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Anyone got an ASA Site-to-Site VPN Guide 7 years 8 months ago #28691

  • sose
  • Honored Member
  • Posts: 813
  • Thank you received: 4
  • Karma: 3
Sorry for not contributing, I heard Smurf is around this vicinity.

smurf
We have raised a lot of security issues lately but you weren't contributing.
sose
Network Engineer
analysethis.co/index.php/forum/index