
Anyone got an ASA Site-to-Site VPN Guide

15 years 10 months ago #28685 by Smurf
Hi peeps,

It's been ages since I have played around with the PIX/ASA, and at the weekend I am supposed to be setting up a new Site-to-Site VPN (there are none currently configured).

Does anyone have a guide on how this is done to refresh the old grey matter? If not then not to worry, I'm sure it'll come back to me when in front of the CLI.

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 10 months ago #28686 by r0nni3
Hey Smurf,

I uploaded a PDF file that describes a nice way to make a site-to-site VPN.
It's called Easy VPN. It's sort of a remote-connection VPN but then for site-to-site! Which means it doesn't matter which source address you use for your VPN and it always works (this is very useful if you get an address by DHCP from your provider or have a failover configuration).

I can also give you a few examples of regular vpn configurations so let me know if you want those instead.

PDF-file for easy vpn: www.megaupload.com/nl/?d=BNVVBRFG

Ron.

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
15 years 10 months ago #28687 by Smurf
Kewl, thanks for the prompt reply. I have just been reading something similar ;-)

If you have time to throw a few example configs together that would be mint

Cheers

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 10 months ago #28688 by r0nni3
Sure no problem:

Here's a little example:


access-list VPN extended permit ip 192.168.X.0 255.255.255.0 192.168.X.0 255.255.255.0

--access-list for your traffic of interest (from-to)--

access-list nonat extended permit ip 192.168.X.0 255.255.255.0 192.168.X.0 255.255.255.0

--access list for your no-nat--

nat (inside) 0 access-list nonat

--the actual configuration of your no-nat--

crypto ipsec transform-set algemeen esp-aes esp-sha-hmac

--the transform-set for your vpn--

crypto map ExampleVPN 1 match address VPN

--to match your access-list for traffic of interest--

crypto map ExampleVPN 1 set peer IPHERE

--the remote end of your VPN--

crypto map ExampleVPN 1 set transform-set algemeen

--to select your transform-set--

crypto isakmp enable outside

--enables isakmp on the outside interface (or whatever nameif you gave to the interface)--

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

--isakmp policy for the VPN--

crypto isakmp nat-traversal 20

--this is needed to be able to send traffic if the remote end is behind NAT--

tunnel-group NAMEORIPHERE type ipsec-l2l

--here you configure whether the tunnel is site-to-site or remote access--

tunnel-group NAMEORIPHERE ipsec-attributes
pre-shared-key PSKHERE

--pre-shared-key to authenticate your VPN with the remote endpoint--




And for the other side just mirror the access-lists and change the remote peer addresses and you're done!
(at least I hope I didn't forget anything, just did this out of my head)


Ron

Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
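
An added example, not part of the post above and not Cisco tooling: a small Python check that cross-references the pieces of a site-to-site configuration written in the syntax shown in the post. It reports crypto map entries whose ACL, transform-set or tunnel-group is not defined, a crypto map that is never applied with `crypto map <name> interface <nameif>`, and an ISAKMP policy using Diffie-Hellman group 2. Assumptions: the function name `lint_l2l` is hypothetical, the addresses in the sample are constructed, and the tunnel-group is expected to be named after the peer IP address.

```python
import re
# Constructed sample: the post's configuration with documentation addresses in the placeholders.
SAMPLE = """\
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set algemeen esp-aes esp-sha-hmac
crypto map ExampleVPN 1 match address VPN
crypto map ExampleVPN 1 set peer 203.0.113.10
crypto map ExampleVPN 1 set transform-set algemeen
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PSKHERE
"""

def lint_l2l(config):
    """Return findings for an ASA LAN-to-LAN VPN config in the post's syntax."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    known = {  # what each crypto map sub-command must point at
        "match address": {l.split()[1] for l in lines if l.startswith("access-list ")},
        "set transform-set": {l.split()[3] for l in lines if l.startswith("crypto ipsec transform-set ")},
        # Assumption: the tunnel-group is named after the peer IP address.
        "set peer": {l.split()[1] for l in lines if re.fullmatch(r"tunnel-group \S+ type ipsec-l2l", l)},
    }
    entries, bound, findings = {}, set(), []
    for l in lines:
        if m := re.fullmatch(r"crypto map (\S+) interface \S+", l):
            bound.add(m.group(1))  # map is applied to an interface
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", l):
            entries.setdefault(m.group(1, 2), {})[m.group(3)] = m.group(4)
    for name, seq in sorted(entries):
        e, tag = entries[name, seq], f"crypto map {name} {seq}"
        for key, defined in known.items():
            if e.get(key) not in defined:
                findings.append(f"{tag}: '{key} {e.get(key, '<missing>')}' is missing or undefined")
        if name not in bound:
            findings.append(f"{tag}: map not applied; add 'crypto map {name} interface <nameif>'")
    if "group 2" in lines:  # DH group 2 is the 1024-bit MODP group
        findings.append("isakmp policy: 'group 2' is 1024-bit MODP Diffie-Hellman; use a larger group if both peers support one")
    return findings
```

Calling `lint_l2l(SAMPLE)` returns two findings: the crypto map is not applied to an interface, and the ISAKMP policy uses group 2.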
15 years 10 months ago #28689 by Smurf
Cheers for that :wink:

crypto isakmp nat-traversal 20


The commands are now coming back to me but that one's new, thanks for the comment.

Wayne

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 10 months ago #28691 by sose
sorry for not contributing, I heard smurf is around this vicinity

smurf
we have raised a lot of security issues lately but you weren't contributing