L2L IPsec tunnel configuration link (through CLI) between 2 ASAs

Feb 13th, 2008

Hi all,


Can someone post a link to an L2L IPsec tunnel configuration between 2 ASAs (through CLI, not GUI/ASDM)?


Thank you

MS

cisco24x7 Wed, 02/13/2008 - 07:26

ASA1:
External IP: 1.1.1.1
Internal IP: 192.168.1.1/24
LAN_1: 192.168.1.0/24

ASA2:
External IP: 2.2.2.2
Internal IP: 192.168.2.1/24
LAN_2: 192.168.2.0/24

Objective:
Configure IPsec between LAN_1 and LAN_2


ASA1:

sysopt connection permit-ipsec
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp identity address
isakmp key 123456 address 2.2.2.2 no-xauth no-config
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 hash sha
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set transform-set tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
crypto map vpn interface outside

ASA2:

sysopt connection permit-ipsec
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp identity address
isakmp key 123456 address 1.1.1.1 no-xauth no-config
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 hash sha
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 1.1.1.1
crypto map vpn 10 set transform-set tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
crypto map vpn interface outside



Easy right?


CCIE Security
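The two mirrored configs above can be produced and cross-checked mechanically, which is where most L2L failures come from: a crypto ACL on one side that is not the exact mirror of the other, a phase 1 attribute that differs, or a `set peer` pointing at the wrong address. The following Python script is an added example, not code from this thread or from Cisco. It renders both ASAs' CLI from a small site description (using the `crypto isakmp` prefix of later ASA releases, and a `tunnel-group` block, which is how the ASA stores the pre-shared key) and then checks the mirror properties. The names `Site`, `Phase1`, `l2l_config`, `check_mirror` and `psk_is_weak`, the 16-character key threshold, and the sample addresses and key are assumptions for illustration.

```python
"""Generate both ends of an ASA L2L IPsec tunnel and verify they mirror each other."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str        # label only, used to name the crypto ACL
    outside_ip: str  # address the other ASA configures as its peer
    outside_if: str  # nameif of the Internet-facing interface
    inside_if: str   # nameif of the LAN interface
    lan: str         # "network mask", the form ASA ACLs expect


@dataclass(frozen=True)
class Phase1:
    # The thread's parameters; on current code aes-256 / sha / a larger DH group is the floor.
    encryption: str = "3des"
    hash: str = "sha"
    group: int = 2
    lifetime: int = 86400


def psk_is_weak(psk: str) -> bool:
    """Illustrative threshold (an assumption): flag short keys such as '123456'."""
    return len(psk) < 16


def l2l_config(local: Site, remote: Site, psk: str, ike: Phase1 = Phase1(),
               transform: str = "esp-3des esp-sha-hmac", pfs: str = "group2",
               seq: int = 10) -> list:
    """One ASA's side of the tunnel as CLI lines ('crypto isakmp' form)."""
    acl = f"{local.name}-to-{remote.name}"
    return [
        f"! {local.name}: L2L IPsec to {remote.name} ({remote.outside_ip})",
        "sysopt connection permit-ipsec",
        # NAT exemption and crypto ACL cover the same traffic, but are kept
        # separate so nonat can grow without widening what the tunnel carries.
        f"access-list nonat extended permit ip {local.lan} {remote.lan}",
        f"access-list {acl} extended permit ip {local.lan} {remote.lan}",
        f"nat ({local.inside_if}) 0 access-list nonat",
        f"crypto isakmp enable {local.outside_if}",
        "crypto isakmp identity address",
        "crypto isakmp nat-traversal 10",
        f"crypto isakmp policy {seq} authentication pre-share",
        f"crypto isakmp policy {seq} encryption {ike.encryption}",
        f"crypto isakmp policy {seq} hash {ike.hash}",
        f"crypto isakmp policy {seq} group {ike.group}",
        f"crypto isakmp policy {seq} lifetime {ike.lifetime}",
        f"crypto ipsec transform-set tset {transform}",
        f"crypto map vpn {seq} match address {acl}",
        f"crypto map vpn {seq} set peer {remote.outside_ip}",
        f"crypto map vpn {seq} set transform-set tset",
        f"crypto map vpn {seq} set pfs {pfs}",
        f"crypto map vpn interface {local.outside_if}",
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]


_ACL = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$")
_POLICY = re.compile(r"^(?:crypto )?isakmp policy \d+ (\w+) (\S+)$")
_MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")
_PEER = re.compile(r"^crypto map \S+ \d+ set peer (\S+)$")
_TSET = re.compile(r"^crypto ipsec transform-set \S+ (.+)$")


def _first(pattern, lines):
    for line in lines:
        m = pattern.match(line)
        if m:
            return m.group(1)
    return None


def _crypto_acl(lines):
    """(src, dst) pairs of the ACL referenced by 'match address'."""
    name = _first(_MATCH, lines)
    return [(m.group(2), m.group(3)) for line in lines
            if (m := _ACL.match(line)) and m.group(1) == name]


def _policy(lines):
    return {m.group(1): m.group(2) for line in lines if (m := _POLICY.match(line))}


def check_mirror(a, b, a_ip, b_ip):
    """Return mismatches between the two sides; an empty list means consistent."""
    problems = []
    # 1. Crypto ACLs must be exact mirror images or the phase 2 proxy IDs will not match.
    if [(dst, src) for src, dst in _crypto_acl(a)] != _crypto_acl(b):
        problems.append("crypto ACLs are not mirror images")
    # 2. Phase 1 attributes must agree (lifetime may differ; the lower value wins).
    pa, pb = _policy(a), _policy(b)
    for k in ("authentication", "encryption", "hash", "group"):
        if pa.get(k) != pb.get(k):
            problems.append(f"isakmp {k}: {pa.get(k)} vs {pb.get(k)}")
    # 3. Same transform set, and each side must point at the other's outside address.
    if _first(_TSET, a) != _first(_TSET, b):
        problems.append("transform sets differ")
    if _first(_PEER, a) != b_ip or _first(_PEER, b) != a_ip:
        problems.append("set peer does not match the other side's outside address")
    return problems


if __name__ == "__main__":
    asa1 = Site("asa1", "1.1.1.1", "outside", "inside", "192.168.1.0 255.255.255.0")
    asa2 = Site("asa2", "2.2.2.2", "outside", "inside", "192.168.2.0 255.255.255.0")
    psk = "c0rr3ct-h0rse-batt3ry-stapl3"  # constructed sample; generate a random key in practice
    cfg1, cfg2 = l2l_config(asa1, asa2, psk), l2l_config(asa2, asa1, psk)
    print("\n".join(cfg1 + [""] + cfg2))
    print("mismatches:", check_mirror(cfg1, cfg2, asa1.outside_ip, asa2.outside_ip))
```

Run it once with the real site data and paste each block into its ASA; run `check_mirror` again on the two running configs after `show run` if a tunnel refuses to come up, since a hash or ACL mismatch shows up there long before it shows in `debug crypto isakmp`.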

fortis123 Wed, 02/13/2008 - 09:26
Also, a quick thing: on the ASA, do we need

sysopt connection permit-ipsec
isakmp identity address

? On the PIX we need them, but I'm not sure about the ASA.


please suggest..

Thank you

MS

cisco24x7 Wed, 02/13/2008 - 09:35

For simplicity, yes, use them both on the ASA as well. Didn't I include "sysopt connection permit-ipsec" in my previous configuration?

fortis123 Wed, 02/13/2008 - 09:44

Yes, you did. I am planning to deploy the configs below (I posted one end; the other end is similar with different IPs).


access-list nonat extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list site1-site2 extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (Inside) 0 access-list nonat

crypto ipsec transform-set myvpn esp-3des esp-md5-hmac
crypto map Outside_map 30 match address site1-site2
crypto map Outside_map 30 set peer y.y.y.y
crypto map Outside_map 30 set transform-set myvpn

isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp identity address

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key 12345

crypto map Outside_map interface Outside
crypto isakmp enable Outside


Please review and suggest...


Thank you in advance

MS



cisco24x7 Wed, 02/13/2008 - 09:56

Your configuration looks good. Regarding

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key 12345

I would just enter this command:

isakmp key 12345 address y.y.y.y no-xauth no-config

That will do the trick. My command is a legacy command which the ASA will pick up just fine.


Good luck to you.


CCIE security

fortis123 Wed, 02/13/2008 - 10:06
Wonderful, thank you for the clarification.

In my config I did not put the 'sysopt' command; will that be acceptable?

Also, I have to configure the remote end peer by logging in via SSH. Is there any chance that any of these commands will hang up the 'outside' interface (which would impact production)? I had this kind of issue when I created an IPsec tunnel between routers.


Regards

MS
