Anyone got a ASA Site-to-Site VPN Guide
15 years 10 months ago #28709
by Smurf
Replied by Smurf on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Sorry for not contributing, I heard Smurf is around this vicinity
smurf
we have raised a lot of security issues lately but you weren't contributing
Alright sose, I started a new job around a year ago and unfortunately we don't cover Cisco. Also, it's a 12-hour day for me with the commute to and from work. This is why I don't get the chance to frequent the forum much these days.
In 2009 I am trying to pop in now and again to try and get my hand in again; it's going to be very hard for me though, as I plan to start an Open University Masters in Business Administration (MBA), which I have heard is very hard work.
Take care
Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 10 months ago #28741
by Chris
Replied by Chris on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Sorry, I missed this thread - Smurf, are we talking about an ASA or PIX Site-to-Site VPN?
Chris Partsenidis.
Founder & Editor-in-Chief
www.Firewall.cx
15 years 10 months ago #28742
by Smurf
Replied by Smurf on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Hi Chris,
It's an ASA Site-to-Site VPN. We are replacing the VPN Concentrator 3020 with an ASA. The Concentrator is currently set up to Cisco ADSL routers for the VPN connectivity. Not really done much with ASAs, as my training was on PIX around 5 years ago, and with the addition of the EasyVPN stuff in the ASA I believe it's slightly different in its config for Site-to-Site.
Was just after a quick one-two (don't really need to be too detailed, as I have the understanding already) on setting it up.
Cheers
Wayne
15 years 10 months ago #28752
by S0lo
Replied by S0lo on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Hi Smurf,
You might wanna have a look here:
www.cisco.com/en/US/docs/security/asa/as...k/guide/sitesite.pdf
www.routeralley.com/ra/docs/ipsec_site2site_pix_asa.pdf
Studying CCNP...
Ammar Muqaddas
Forum Moderator
www.firewall.cx
15 years 10 months ago #28753
by Smurf
Replied by Smurf on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Cheers S0lo, hadn't come across the last link, so thanks.
Tried to get it working today and it wouldn't even establish Phase 1, doh... Will post portions of the config, probably tomorrow, for ya to take a look through. Not found many references to version 8, and there don't seem to be any books either, so it's going to be painful to get this thing up and running, especially since I only have Saturday mornings to work on it and it's a live system, so I need to leave it in a working state.
TTFN
15 years 10 months ago #28768
by Smurf
Replied by Smurf on topic Re: Anyone got a ASA Site-to-Site VPN Guide
Right peeps, these are the relevant configs; if anyone spots anything obvious then please let me know.
ASA (Version
NoNAT Access-List
[code:1]access-list acl_nat extended permit ip any 172.29.1.0 255.255.255.0[/code:1]
Interesting Traffic
[code:1]access-list ip_29_1 extended permit ip any 172.29.1.0 255.255.255.0[/code:1]
Apply NoNAT
[code:1]nat (inside) 0 access-list acl_nat[/code:1]
Allowing all traffic outbound
[code:1]access-group Allow-ALL in interface inside[/code:1]
Crypto IPsec Commands
[code:1]crypto ipsec transform-set esp-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set esp-aes128-md5 esp-aes esp-md5-hmac
crypto ipsec transform-set esp-aes128-sha esp-aes esp-sha-hmac
crypto ipsec transform-set esp-aes192-md5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set esp-aes192-sha esp-aes-192 esp-sha-hmac
crypto ipsec transform-set esp-aes256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set esp-aes256-sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set esp-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set esp-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside[/code:1]
My Crypto Map
[code:1]crypto map vpnsmap 130 match address ip_29_1
crypto map vpnsmap 130 set peer w.x.y.z
crypto map vpnsmap 130 set transform-set mytrans
crypto map vpnsmap 130 set nat-t-disable
crypto map vpnsmap interface outside[/code:1]
Crypto isakmp commands
[code:1]crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp ipsec-over-tcp port 10000[/code:1]
Tunnel Group
[code:1]tunnel-group w.x.y.z type ipsec-l2l
tunnel-group w.x.y.z ipsec-attributes
pre-shared-key *[/code:1]
The default tunnel groups are still there along with webvpn settings.
Router
crypto isakmp command
[code:1]crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key * address a.b.c.d[/code:1]
Crypto Ipsec commands
[code:1]crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec df-bit clear[/code:1]
Crypto Map Commands
[code:1]crypto map VPN 10 ipsec-isakmp
description internal lan address
set peer a.b.c.d
set transform-set strong
match address VPN-INT-TRAF[/code:1]
Interesting Traffic
[code:1]ip access-list extended VPN-INT-TRAF
remark VPN interesting traffic
permit ip 172.29.1.0 0.0.0.255 any[/code:1]
This router is working ok to a VPN Concentrator and we just changed the Public IP Addresses.
Anyone spot anything missing ?
Regards
Wayne
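Editor's note: before touching a live box on a Saturday morning, the first thing I would do with the two configs above is check them against each other mechanically. The script below is an added example, not Wayne's code and not anything from Cisco: it parses the ASA and IOS fragments from the post (the addresses 203.0.113.2 and 198.51.100.1 are constructed stand-ins for the redacted w.x.y.z / a.b.c.d, and the parser handles `any` and `ADDR MASK` crypto ACL entries but not the `host` keyword) and reports the mismatches that most often stop IKEv1 Phase 1 or Phase 2: ISAKMP policies that do not agree on authentication/encryption/hash/DH group (including the trap that an unset `group` defaults to 1 on IOS and 2 on the ASA, values coded here from memory of the platform defaults, so verify them against each box), transform-sets that differ, crypto ACLs that are not mirror images once the IOS wildcard masks are inverted, an ASA `tunnel-group` whose name is not the peer address (the ASA looks the pre-shared key up by that name when `crypto isakmp identity address` is in use), and an IOS `crypto isakmp key` address that does not match the crypto map peer.

```python
"""IKEv1 site-to-site consistency checker for an ASA <-> IOS pair. Added example, not the post's
code; the fragments are constructed from the post, with 203.0.113.2 / 198.51.100.1 standing in
for the redacted w.x.y.z / a.b.c.d."""
import ipaddress
import re

ASA_CONFIG = """\
access-list ip_29_1 extended permit ip any 172.29.1.0 255.255.255.0
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
crypto map vpnsmap 130 match address ip_29_1
crypto map vpnsmap 130 set peer 203.0.113.2
crypto map vpnsmap 130 set transform-set mytrans
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 203.0.113.2 type ipsec-l2l
"""
IOS_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key * address 198.51.100.1
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set strong
 match address VPN-INT-TRAF
ip access-list extended VPN-INT-TRAF
 permit ip 172.29.1.0 0.0.0.255 any
"""
# Values a policy block gets for attributes it leaves unset; IOS and ASA defaults differ (assumed).
ASA_DEFAULTS = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
IOS_DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}
POLICY_ATTRS = ("authentication", "encryption", "hash", "group")
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}

def parse_side(config, defaults):
    """One pass: ISAKMP policies (defaults filled in), transform sets, crypto map peer/'ts'/'acl'."""
    side, cur = {"policies": {}, "sets": {}}, None
    for words in (l.split() for l in config.splitlines()):
        if words[:3] == ["crypto", "isakmp", "policy"]:
            cur = side["policies"].setdefault(int(words[3]), dict(defaults))
            continue
        if cur is not None and words and words[0] in POLICY_ATTRS + ("encr", "lifetime"):
            cur["encryption" if words[0] == "encr" else words[0]] = words[1]  # IOS spells it 'encr'
            continue
        cur = None  # any other line ends a policy block
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            side["sets"][words[3]] = frozenset(words[4:])
        elif "set" in words and "peer" in words:  # ASA one-line map entry or IOS sub-command
            side["peer"] = words[words.index("peer") + 1]
        elif "set" in words and "transform-set" in words:
            side["ts"] = words[words.index("transform-set") + 1]
        elif "match" in words and "address" in words:
            side["acl"] = words[words.index("address") + 1]
    return side

def _net(addr, mask, wildcard):
    """ACL address + mask to a network; IOS masks are wildcards, so invert them first."""
    mask = int(ipaddress.ip_address(mask))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(0xFFFFFFFF ^ mask if wildcard else mask)}", strict=False)

def crypto_acl(config, name, wildcard):
    """Set of (src, dst) networks permitted by ACL `name`, in ASA one-line or IOS block syntax
    ('any' and 'ADDR MASK' entries; the 'host' keyword is not handled)."""
    specs = re.findall(rf"^access-list {re.escape(name)} extended permit ip (.+)$", config, re.M)
    block = re.search(rf"^ip access-list extended {re.escape(name)}((?:\n[ \t]+[^\n]*)+)", config, re.M)
    specs += re.findall(r"^\s*permit ip (.+)$", block.group(1), re.M) if block else []
    full = "0.0.0.0 " + ("255.255.255.255" if wildcard else "0.0.0.0")  # 'any' as an explicit pair
    return {(_net(a1, m1, wildcard), _net(a2, m2, wildcard))
            for a1, m1, a2, m2 in (s.replace("any", full).split() for s in specs)}

def check_pair(asa_cfg, ios_cfg):
    """Findings as 'LEVEL: message'; no ERROR means both sides agree on everything the config shows
    (the PSK value itself and UDP/500 reachability are not in it)."""
    asa, ios = parse_side(asa_cfg, ASA_DEFAULTS), parse_side(ios_cfg, IOS_DEFAULTS)
    out, matched = [], [p for p in asa["policies"].values()
                        if any(all(p[k] == q[k] for k in POLICY_ATTRS) for q in ios["policies"].values())]
    if not matched:
        out.append("ERROR: no ISAKMP policy pair agrees on auth/encryption/hash/group; Phase 1 cannot complete")
    for p in matched:
        out += [f"WARN: matched Phase 1 policy uses weak {k} {p[k]}" for k in POLICY_ATTRS if p[k] in WEAK.get(k, ())]
    if asa["sets"][asa["ts"]] != ios["sets"][ios["ts"]]:
        out.append("ERROR: transform-sets differ; Phase 2 cannot agree on an ESP proposal")
    ios_acl = crypto_acl(ios_cfg, ios["acl"], wildcard=True)
    if crypto_acl(asa_cfg, asa["acl"], wildcard=False) != {(d, s) for s, d in ios_acl}:
        out.append("ERROR: crypto ACLs are not mirror images; Phase 2 proxy IDs will not match")
    if f"tunnel-group {asa['peer']} type ipsec-l2l" not in asa_cfg:
        out.append(f"ERROR: ASA has no ipsec-l2l tunnel-group named {asa['peer']}, so no PSK is bound to that peer")
    if not re.search(rf"^\s*crypto isakmp key \S+ address {re.escape(ios['peer'])}(\s|$)", ios_cfg, re.M):
        out.append(f"ERROR: IOS has no 'crypto isakmp key ... address {ios['peer']}' for its crypto map peer")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(ASA_CONFIG, IOS_CONFIG) or ["OK: nothing inconsistent found"]))
```

Run as-is, the script finds no ERROR in the posted pair, only WARN lines for 3DES, MD5 and DH group 2 (adequate for 2009, but a modern replacement for this tunnel should be AES, SHA-2 and at least group 14). That is consistent with Wayne's symptom: when both configs agree on everything visible and Phase 1 still does not come up, the cause is usually something the config dump cannot show, such as the pre-shared key string itself, UDP/500 not reaching the ASA's outside interface, or the crypto map not actually being applied on the router's interface (which the post does not include). `show crypto isakmp sa` and `debug crypto isakmp` on both ends will show whether any MM packet is even exchanged. Breaking the sample on purpose (dropping the `group` lines on both sides so the platform defaults diverge, or changing one side's hash) makes the script report the ERROR it is meant to catch.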