L2L IPsec tunnel configuration link (through CLI) between 2 ASAs

fortis123
Level 1

Hi all,

Can someone post the link to an L2L IPsec tunnel configuration between 2 ASAs (through CLI, not GUI/ASDM)?

Thank you

MS

7 Replies

cisco24x7
Level 6

ASA1:
External IP: 1.1.1.1
Internal IP: 192.168.1.1/24
LAN_1: 192.168.1.0/24

ASA2:
External IP: 2.2.2.2
Internal IP: 192.168.2.1/24
LAN_2: 192.168.2.0/24

Objective: Configure IPSec between LAN_1 and LAN_2

ASA1:

sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp identity address
isakmp key 123456 address 2.2.2.2 no-xauth no-config
isakmp nat-t 10
isakmp policy 10 auth pre-share
isakmp policy 10 hash sha
isakmp policy 10 encr 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec trans tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set trans tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
crypto map vpn interface outside

ASA2:

sysopt connection permit-ipsec
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp identity address
isakmp key 123456 address 1.1.1.1 no-xauth no-config
isakmp nat-t 10
isakmp policy 10 auth pre-share
isakmp policy 10 hash sha
isakmp policy 10 encr 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec trans tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 1.1.1.1
crypto map vpn 10 set trans tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
crypto map vpn interface outside

Easy right?

CCIE Security

Cool... looks great...

Thank you

MS

Also, quick thing: on ASA, do we need

sysopt connection permit-ipsec
isakmp identity address

? On PIX we need them, but I'm not sure whether we do on ASA too.

Please suggest.

Thank you

MS

For simplicity, yes, use them both on ASA as well. Didn't I include that in my previous configuration ("sysopt connection permit-ipsec")?

Yes, you did. I am planning on deploying the configs below (I posted one end; the other end is similar with different IPs).

access-list nonat extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list site1-site2 extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (Inside) 0 access-list nonat
crypto ipsec transform-set myvpn esp-3des esp-md5-hmac
crypto map Outside_map 30 match address site1-site2
crypto map Outside_map 30 set peer y.y.y.y
crypto map Outside_map 30 set transform-set myvpn
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp identity address
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key 12345
crypto map Outside_map interface Outside
crypto isakmp enable Outside

Please review and suggest...

Thank you in advance

MS

Your configuration looks good. Regarding

tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key 12345

I would just enter this command:

isakmp key 12345 address y.y.y.y no-xauth no-config

That will do the trick. My command is a legacy command which the ASA will pick up just fine.

Good luck to you.

CCIE security
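The two review rounds above come down to a handful of lines that must agree on both ASAs: the peer addresses, the pre-shared key, a mirrored crypto ACL, the transform set and one matching ISAKMP policy. Below is an added Python example, not code from this thread or from Cisco, that parses just those lines from two ASA configs, reports any mismatch, and lists the legacy algorithm choices (3DES, MD5, DH group 1/2/5) an auditor would raise. It accepts both the legacy `isakmp key ... address` form and the `tunnel-group ... ipsec-attributes / pre-shared-key` form discussed above. The sample configs are constructed from the thread's ASA1/ASA2 snippets with the typos corrected; the checker only understands the listed commands and is not a general ASA parser.

```python
"""Added example (not from the thread or from Cisco): compares the lines that must
agree on the two ASA ends of an L2L tunnel and flags legacy algorithm choices."""

# The posts mix long and abbreviated keywords; normalise to the long form.
ALIASES = {"auth": "authentication", "encr": "encryption",
           "life": "lifetime", "trans": "transform-set"}
LEGACY = {"des", "3des", "md5"}   # encryption/hash names an auditor would flag
LEGACY_GROUPS = {"1", "2", "5"}   # DH groups below 2048 bits

def parse_asa(text):
    """Extract peer, PSKs, crypto ACL, transform set and ISAKMP policies."""
    cfg = {"peer": None, "acl_name": None, "ts_name": None,
           "psk": {}, "acls": {}, "transform_sets": {}, "policies": {}}
    tunnel_group = None  # peer named by the most recent tunnel-group line
    for raw in text.splitlines():
        words = [ALIASES.get(w, w) for w in raw.split()]
        if words[:2] == ["crypto", "isakmp"]:  # newer syntax prefixes "crypto"
            words = words[1:]
        if not words:
            continue
        if words[:2] == ["isakmp", "key"]:  # legacy: isakmp key <psk> address <peer>
            cfg["psk"][words[4]] = words[2]
        elif words[0] == "tunnel-group" and words[2:] == ["ipsec-attributes"]:
            tunnel_group = words[1]
        elif words[0] == "pre-shared-key" and tunnel_group:
            cfg["psk"][tunnel_group] = words[1]
        elif words[:2] == ["crypto", "map"] and len(words) == 7:
            field = {("set", "peer"): "peer", ("match", "address"): "acl_name",
                     ("set", "transform-set"): "ts_name"}.get(tuple(words[4:6]))
            if field:
                cfg[field] = words[6]
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][words[3]] = tuple(words[4:])
        elif words[0] == "access-list":
            f = [w for w in words[1:] if w != "extended"]
            if f[1:3] == ["permit", "ip"] and len(f) == 7:
                cfg["acls"][f[0]] = tuple(f[3:])  # (src, smask, dst, dmask)
        elif words[:2] == ["isakmp", "policy"] and len(words) == 5:
            cfg["policies"].setdefault(words[2], {})[words[3]] = words[4]
    return cfg

def check_pair(text_a, text_b, outside_a, outside_b):
    """Mismatches between ASA A and ASA B; an empty list means the ends agree."""
    a, b = parse_asa(text_a), parse_asa(text_b)
    out = []
    if (a["peer"], b["peer"]) != (outside_b, outside_a):
        out.append(f"peer mismatch: A->{a['peer']}, B->{b['peer']}")
    if a["psk"].get(outside_b) is None or a["psk"].get(outside_b) != b["psk"].get(outside_a):
        out.append("pre-shared keys are missing or differ")
    acl_a, acl_b = a["acls"].get(a["acl_name"]), b["acls"].get(b["acl_name"])
    if not (acl_a and acl_b) or acl_a != acl_b[2:] + acl_b[:2]:  # B must mirror A
        out.append(f"crypto ACLs missing or not mirror images: {acl_a} vs {acl_b}")
    ts_a, ts_b = a["transform_sets"].get(a["ts_name"]), b["transform_sets"].get(b["ts_name"])
    if ts_a is None or ts_a != ts_b:
        out.append(f"transform sets differ: {ts_a} vs {ts_b}")
    core = lambda p: {k: v for k, v in p.items() if k != "lifetime"}  # lifetime negotiates down
    cores_b = [core(q) for q in b["policies"].values()]
    if not any(core(p) in cores_b for p in a["policies"].values()):
        out.append("no ISAKMP policy matches on auth/encryption/hash/group")
    return out

def legacy_algorithms(text):
    """Policies and transform sets still using 3DES, MD5 or a small DH group."""
    cfg, hits = parse_asa(text), []
    for num, p in cfg["policies"].items():
        if {p.get("encryption"), p.get("hash")} & LEGACY or p.get("group") in LEGACY_GROUPS:
            hits.append(f"isakmp policy {num}")
    for name, algs in cfg["transform_sets"].items():
        bare = {alg.replace("esp-", "").replace("-hmac", "") for alg in algs}  # esp-3des -> 3des
        if bare & LEGACY:
            hits.append(f"transform-set {name}")
    return hits

# Constructed from the thread's ASA1 (legacy "isakmp key" PSK form, typos corrected).
ASA1 = """\
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
isakmp key 123456 address 2.2.2.2 no-xauth no-config
isakmp policy 10 auth pre-share
isakmp policy 10 hash sha
isakmp policy 10 encr 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec trans tset esp-3des esp-sha-hmac
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set trans tset
crypto map vpn 10 match address nonat
"""

# Constructed from the thread's ASA2, rewritten in the tunnel-group PSK form.
ASA2 = """\
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key 123456
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 encryption 3des
crypto isakmp policy 10 group 2
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto map vpn 10 set peer 1.1.1.1
crypto map vpn 10 set transform-set tset
crypto map vpn 10 match address nonat
"""
```

Run `check_pair(ASA1, ASA2, "1.1.1.1", "2.2.2.2")`; an empty list means both ends agree, while a changed key or a wrong `set peer` on one side produces a single named finding. `legacy_algorithms(ASA1)` returns the policy and transform set still on 3DES, which is the hardening point to raise once the tunnel is up. Running the check against a copy of the remote config before pasting it over SSH is also a cheap way to catch the mirror-image mistakes that otherwise only show up as a Phase 1 or Phase 2 failure.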

Wonderful, thank you for the clarification.

So in my config I did not put the 'sysopt' command; will that be acceptable?

Also, I have to configure the remote end peer by logging in via SSH. Is there any chance that any of these commands hangs up the 'outside' interface (which would impact production)? I had this kind of issue when I created an IPSEC tunnel between routers.

Regards

MS