Anyone got a ASA Site-to-Site VPN Guide
15 years 10 months ago #28685
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Anyone got a ASA Site-to-Site VPN Guide was created by Smurf
Hi peeps,
It's been ages since I have played around with the Pix/ASA, and at the weekend I am supposed to be setting up a new Site-to-Site VPN (there are none currently configured).
Does anyone have a guide on how this is done to refresh the old grey matter? If not then not to worry, I'm sure it'll come back to me when in front of the CLI.
Cheers
Wayne
15 years 10 months ago #28686
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Hey Smurf,
I uploaded a PDF file that describes a nice way to make a site-to-site VPN.
It's called Easy VPN. It's sort of a remote-connection VPN but then for site-to-site! Which means it doesn't matter which source address you use for your VPN and it always works (this is very useful if you get an address by DHCP from your provider or have a failover configuration).
I can also give you a few examples of regular vpn configurations so let me know if you want those instead.
PDF-file for easy vpn: www.megaupload.com/nl/?d=BNVVBRFG
Ron.
15 years 10 months ago #28687
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Kewl, thanks for the prompt reply. I have just been reading something similar
If you have time to throw a few example configs together that would be mint.
Cheers
Wayne
15 years 10 months ago #28688
by r0nni3
Currently working as Cisco Engineer at Neon-Networking.
Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
Replied by r0nni3 on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Sure no problem:
Here's a little example:

! access-list for your traffic of interest (from-to: local network -> remote network)
access-list VPN extended permit ip 192.168.X.0 255.255.255.0 192.168.X.0 255.255.255.0
! access-list for your no-nat (same from-to pair, so VPN traffic is not translated)
access-list nonat extended permit ip 192.168.X.0 255.255.255.0 192.168.X.0 255.255.255.0
! the actual configuration of your no-nat (this "nat 0" form is the pre-8.3 syntax)
nat (inside) 0 access-list nonat
! the transform-set for your vpn
crypto ipsec transform-set algemeen esp-aes esp-sha-hmac
! to match your access-list for traffic of interest
crypto map ExampleVPN 1 match address VPN
! the remote end of your VPN
crypto map ExampleVPN 1 set peer IPHERE
! to select your transform-set
crypto map ExampleVPN 1 set transform-set algemeen
! apply the crypto map to the outside interface (added: the list above left this out; without it the map is never used)
crypto map ExampleVPN interface outside
! enables isakmp on the outside interface (or whatever nameif you gave to the interface)
crypto isakmp enable outside
! isakmp policy for the VPN
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! this is needed to be able to send traffic if the remote end is behind NAT
crypto isakmp nat-traversal 20
! here you configure whether the tunnel is site-to-site or remote access
! (for a site-to-site tunnel authenticated with a pre-shared key the name must be the peer's IP address)
tunnel-group NAMEORIPHERE type ipsec-l2l
tunnel-group NAMEORIPHERE ipsec-attributes
 ! pre-shared-key to authenticate your VPN with the remote endpoint
 pre-shared-key PSKHERE

And for the other side just mirror the access-lists and change the remote peer addresses and you're done!
(at least I hope I didn't forget anything, just did this out of my head)
Ron
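The "mirror the access-lists and change the peer addresses" step is where two-ended configs usually drift apart, so here is an added example (not code from the thread or from Cisco) that generates both ends of the tunnel from a site description in the same pre-8.3 ASA syntax and then cross-checks them: the crypto ACLs must be exact mirrors, the crypto map must actually be applied to an interface, the tunnel-group name must equal the peer address (an IKEv1 L2L tunnel with a pre-shared key is looked up by peer IP), and the pre-shared key must match. The site addresses and the key are constructed placeholders.

```python
"""Generate both ends of an ASA IKEv1 site-to-site (L2L) VPN and cross-check them.

Added example, not code from the thread. Addresses and the PSK are constructed
placeholders (RFC 5737 documentation ranges). Uses the pre-8.3 ASA NAT-exemption
syntax ("nat (inside) 0 access-list") that the thread's config uses.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    lan: str        # local LAN network behind the ASA (constructed)
    mask: str       # its subnet mask
    peer_ip: str    # this site's public outside address (constructed)


PSK = "example-psk-change-me"   # placeholder; must be identical on both ends


def asa_l2l_config(local: Site, remote: Site, psk: str = PSK) -> str:
    """Return the ASA configuration for `local`, pointing at `remote`."""
    lines = [
        # crypto (interesting traffic) ACL and NAT-exemption ACL: local -> remote
        f"access-list VPN extended permit ip {local.lan} {local.mask} {remote.lan} {remote.mask}",
        f"access-list nonat extended permit ip {local.lan} {local.mask} {remote.lan} {remote.mask}",
        "nat (inside) 0 access-list nonat",
        "crypto ipsec transform-set algemeen esp-aes esp-sha-hmac",
        "crypto map ExampleVPN 1 match address VPN",
        f"crypto map ExampleVPN 1 set peer {remote.peer_ip}",
        "crypto map ExampleVPN 1 set transform-set algemeen",
        "crypto map ExampleVPN interface outside",   # binds the map; easy to forget
        "crypto isakmp enable outside",
        "crypto isakmp policy 10",
        " authentication pre-share",
        " encryption aes",
        " hash sha",
        " group 2",
        " lifetime 86400",
        "crypto isakmp nat-traversal 20",
        # for IKEv1 L2L with a PSK the tunnel-group name must be the peer's address
        f"tunnel-group {remote.peer_ip} type ipsec-l2l",
        f"tunnel-group {remote.peer_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return "\n".join(lines) + "\n"


ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def crypto_acl(config: str, name: str = "VPN") -> list:
    """(src_net, src_mask, dst_net, dst_mask) tuples of the named ACL."""
    return [m.groups()[1:] for m in ACL_RE.finditer(config) if m.group(1) == name]


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Cross-check two ends of a tunnel; returns a list of problems (empty = OK)."""
    problems = []
    # 1. crypto ACLs must mirror: A's (src, dst) == B's (dst, src)
    a = set(crypto_acl(cfg_a))
    b = {(d, dm, s, sm) for s, sm, d, dm in crypto_acl(cfg_b)}
    if a != b:
        problems.append("crypto ACLs do not mirror")
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        # 2. the crypto map must be applied to an interface
        if not re.search(r"^crypto map \S+ interface \S+$", cfg, re.M):
            problems.append(f"side {label}: crypto map not applied to an interface")
        # 3. tunnel-group name must equal the configured peer address
        peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)$", cfg, re.M)
        tg = re.search(r"^tunnel-group (\S+) type ipsec-l2l$", cfg, re.M)
        if not (peer and tg and peer.group(1) == tg.group(1)):
            problems.append(f"side {label}: tunnel-group name differs from peer address")
    # 4. both ends must share the same pre-shared key
    keys = {m.group(1) for c in (cfg_a, cfg_b)
            for m in [re.search(r"pre-shared-key (\S+)", c)] if m}
    if len(keys) != 1:
        problems.append("pre-shared keys differ or are missing")
    return problems


# Constructed sites: a head office and a branch
HQ = Site("192.168.10.0", "255.255.255.0", "203.0.113.10")
BRANCH = Site("192.168.20.0", "255.255.255.0", "198.51.100.20")

if __name__ == "__main__":
    hq_cfg = asa_l2l_config(HQ, BRANCH)
    branch_cfg = asa_l2l_config(BRANCH, HQ)
    print(hq_cfg)
    print(branch_cfg)
    print("problems:", check_pair(hq_cfg, branch_cfg) or "none")
```

Run it to print both configs and the check result; feeding it two hand-edited configs (pasted from `show running-config`) is the more useful case, since `check_pair` only reads the lines it parses and flags the mismatches that otherwise show up as a tunnel that never negotiates or passes no traffic.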
15 years 10 months ago #28689
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Cheers for that.

> crypto isakmp nat-traversal 20

The commands are now coming back to me but that one's new, thanks for the comment.
Wayne
15 years 10 months ago #28691
by sose
sose
Network Engineer
analysethis.co/index.php/forum/index
Replied by sose on topic Re: Anyone got a ASA Site-to-Site VPN Guide
sorry for not contributing, I heard smurf is around this vicinity
smurf
we have raised a lot of security issues lately but you weren't contributing