
Anyone got a ASA Site-to-Site VPN Guide

15 years 4 months ago #28709 by Smurf

sorry for not contributing, I heard smurf is around this vicinity

smurf
we have raised a lot of security issues lately but you weren't contributing


Alright sose, I started a new job around a year ago and unfortunately we don't cover Cisco. Also, it's a 12-hour day for me with the commute to and from work. This is why I don't get a chance to frequent the forum much these days :(

2009: I am trying to pop in now and again to try and get my hand in again. It's going to be very hard for me though, as I plan to start an Open University Masters in Business Administration (MBA), which I have heard is very hard work.

Take care

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 4 months ago #28741 by Chris
Sorry, I missed this thread - Smurf, are we talking about an ASA or PIX Site-to-Site VPN?

Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
15 years 4 months ago #28742 by Smurf
Hi Chris,

It's an ASA Site-to-Site VPN. We are replacing the VPN Concentrator 3020 with an ASA. The Concentrator is currently set up to Cisco ADSL Routers for the VPN connectivity. Not really done much with ASAs as my training was on PIX around 5 years ago, and with the addition of the EasyVPN stuff in the ASA I believe it's slightly different in its config for Site-to-Site.

Was just after a quick one-two (don't really need to be too detailed as I have the understanding already) on setting it up :wink:

Cheers

Wayne

15 years 4 months ago #28752 by S0lo
15 years 4 months ago #28753 by Smurf
Cheers S0lo, hadn't come across the last link so thanks :)

Tried to get it working today and it wouldn't even establish Phase 1, doh... Will post portions of the config probably tomorrow for you to take a look through. Not found many references to version 8 and there don't seem to be any books either, so it's going to be painful to get this thing up and running, especially since I only have Saturday mornings to work on it and it's a live system so I need to leave it in a working state.

TTFN

15 years 4 months ago #28768 by Smurf
Right peeps, these are the relevant configs; if anyone spots anything obvious then please let me know :)

ASA (Version 8)

NoNAT Access-List

[code:1]access-list acl_nat extended permit ip any 172.29.1.0 255.255.255.0[/code:1]

Interesting Traffic

[code:1]access-list ip_29_1 extended permit ip any 172.29.1.0 255.255.255.0[/code:1]

Apply NoNAT

[code:1]nat (inside) 0 access-list acl_nat[/code:1]

Allowing all traffic outbound

[code:1]access-group Allow-ALL in interface inside[/code:1]

Crypto IPsec Commands

[code:1]! Only mytrans is referenced by the crypto map below; the other transform-sets are defined but unused by this tunnel
crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp-aes128-md5 esp-aes esp-md5-hmac
crypto ipsec transform-set esp-aes128-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-aes192-md5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set esp-aes192-sha esp-aes-192 esp-sha-hmac
crypto ipsec transform-set esp-aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
! Clear DF on the outer (encapsulating) header so oversized packets get fragmented instead of dropped
crypto ipsec df-bit clear-df outside[/code:1]

My Crypto Map

[code:1]crypto map vpnsmap 130 match address ip_29_1
crypto map vpnsmap 130 set peer w.x.y.z
crypto map vpnsmap 130 set transform-set mytrans
crypto map vpnsmap 130 set nat-t-disable
crypto map vpnsmap interface outside[/code:1]

Crypto isakmp commands

[code:1]
crypto isakmp identity address
crypto isakmp enable outside
! Policy 10 is the one that mirrors the router's policy 10 (3des / md5 / pre-share / group 2 / 28800)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NAT-T is off globally (and per crypto map entry above), so the peer must reach UDP/500 and ESP (IP protocol 50) directly;
! ipsec-over-tcp only applies to remote-access clients, not to this L2L tunnel
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000[/code:1]

Tunnel Group

[code:1]
tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
 pre-shared-key *[/code:1]

The default tunnel groups are still there along with webvpn settings.

Router

crypto isakmp command


[code:1]crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address a.b.c.d[/code:1]

Crypto Ipsec commands

[code:1]crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec df-bit clear[/code:1]

Crypto Map Commands

[code:1]crypto map VPN 10 ipsec-isakmp
 description internal lan address
 set peer a.b.c.d
 set transform-set strong
 match address VPN-INT-TRAF[/code:1]

Interesting Traffic

[code:1]
ip access-list extended VPN-INT-TRAF
 remark VPN interesting traffic
 permit ip 172.29.1.0 0.0.0.255 any[/code:1]



This router is working ok to a VPN Concentrator and we just changed the Public IP Addresses.

Anyone spot anything missing?

Regards

Wayne

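The two configs in the post above have to agree on four things before the tunnel comes up: an ISAKMP policy (encryption, hash, authentication and DH group must match; lifetimes only negotiate down to the shorter one), the pre-shared key, an ESP transform set, and crypto ACLs that are exact mirrors of each other. The script below is an added example, not code from the thread, from Firewall.cx or from Cisco: it parses ASA 8.x and IOS config fragments offline and reports on each of those four points, so the mismatch can be found before touching the live box on a Saturday morning. The embedded configs are constructed from the fragments posted above; the peer addresses 198.51.100.2 (router) and 203.0.113.1 (ASA) and the key cisco123 are placeholders for the masked values, and the check assumes the router is the side that initiates.

```python
import ipaddress
import re

# Constructed samples (not the thread's configs): peer 198.51.100.2 and key cisco123 are placeholders.
ASA_CONFIG = """
access-list ip_29_1 extended permit ip any 172.29.1.0 255.255.255.0
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
crypto map vpnsmap 130 match address ip_29_1
crypto map vpnsmap 130 set transform-set mytrans
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key cisco123
"""
ROUTER_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key cisco123 address 203.0.113.1
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set strong
 match address VPN-INT-TRAF
ip access-list extended VPN-INT-TRAF
 permit ip 172.29.1.0 0.0.0.255 any
"""
IKE_ATTRS = ("encryption", "hash", "authentication", "group")

def sections(config, header_re):
    """Yield (header line, [indented sub-lines]) for each top-level line matching header_re."""
    for m in re.finditer(rf"^(?P<h>{header_re})\n(?P<b>(?:[ \t]+\S.*\n)*)", config, re.M):
        yield m.group("h"), [line.strip() for line in m.group("b").splitlines()]

def isakmp_policies(config):
    """{priority: {encryption, hash, authentication, group, lifetime}}; IOS 'encr' is normalised."""
    pols = {}
    for head, body in sections(config, r"crypto isakmp policy \d+"):
        kv = (line.split(None, 1) for line in body)
        pols[int(head.split()[-1])] = {("encryption" if k == "encr" else k): v for k, v in kv}
    return pols

def negotiate_isakmp(initiator, responder):
    """IKEv1: the responder walks its own policies in priority order and takes the first that matches
    any proposal the initiator sent; lifetimes may differ, the shorter wins. None means no Phase 1."""
    for rp in sorted(responder):
        for ip in sorted(initiator):
            r, i = responder[rp], initiator[ip]
            if all(r.get(a) == i.get(a) for a in IKE_ATTRS):
                return rp, ip, min(int(r.get("lifetime", 86400)), int(i.get("lifetime", 86400)))
    return None

def _addr(tokens, wildcard):
    """Consume one ACL address spec: 'any' or 'A MASK' (netmask on the ASA, wildcard on IOS)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = tokens.pop(0)
    if wildcard:  # 0.0.0.255 -> 255.255.255.0 (ipaddress would misread 0.0.0.0 / 255.255.255.255)
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)

def crypto_acl(config, name):
    """Set of (src, dst) proxy IDs from an ASA extended ACL or an IOS named extended ACL."""
    pairs = set()
    for rest in re.findall(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M):
        t = rest.split()
        pairs.add((_addr(t, False), _addr(t, False)))
    for _, body in sections(config, rf"ip access-list extended {re.escape(name)}"):
        for t in (line.split()[2:] for line in body if line.startswith("permit ip ")):
            pairs.add((_addr(t, True), _addr(t, True)))
    return pairs

def transforms_in_use(config):
    """{(esp_cipher, esp_auth)} for every transform-set a crypto map actually references."""
    defined = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M))
    used = re.findall(r"^(?:crypto map \S+ \d+ |[ \t]+)set transform-set (\S+)$", config, re.M)
    return {tuple(defined[n].split()) for n in used if n in defined}

def pre_shared_keys(config):
    """IKE PSKs from IOS 'crypto isakmp key K address P' or ASA tunnel-group 'pre-shared-key K'."""
    hits = re.findall(r"^crypto isakmp key (\S+) address|^[ \t]+pre-shared-key (\S+)$", config, re.M)
    return {a or b for a, b in hits}

def check_site_to_site(asa, router, asa_acl, router_acl):
    """Everything Phase 1 and Phase 2 must agree on, as one findings dict (router is the initiator)."""
    local = crypto_acl(asa, asa_acl)
    return {
        "phase1": negotiate_isakmp(isakmp_policies(router), isakmp_policies(asa)),
        "psk_match": pre_shared_keys(asa) == pre_shared_keys(router),
        "phase2_common_transforms": transforms_in_use(asa) & transforms_in_use(router),
        "proxy_ids_mirror": {(d, s) for s, d in local} == crypto_acl(router, router_acl),
    }
```

Calling check_site_to_site(ASA_CONFIG, ROUTER_CONFIG, "ip_29_1", "VPN-INT-TRAF") on the constructed pair reports policy 10 matching policy 10 with a 28800 s lifetime, matching keys, esp-3des/esp-md5-hmac on both sides and mirrored proxy IDs. Swap the router's hash to sha (or the key) and phase1 comes back None, which is exactly the symptom of a tunnel that never leaves Phase 1. When the parse says everything agrees and the box still disagrees, the next step is `show crypto isakmp sa` and `debug crypto isakmp` on either side to see the proposal the peer actually sent.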