02-13-2008 06:40 AM - edited 02-21-2020 03:33 PM
Hi all,
Can someone post the link to an L2L IPsec tunnel configuration between 2 ASAs (through CLI, not GUI/ASDM).
Thank you
MS
02-13-2008 07:26 AM
ASA1:
External IP: 1.1.1.1
Internal IP: 192.168.1.1/24
LAN_1: 192.168.1.0/24
ASA2:
External IP: 2.2.2.2
Internal IP: 192.168.2.1/24
LAN_2: 192.168.2.0/24
Objective:
Configure IPSec between LAN_1 and LAN_2
ASA1:
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp identity address
isakmp key 123456 address 2.2.2.2 no-xauth no-config
isakmp nat-t 10
isakmp policy 10 auth pre-share
isakmp policy 10 hash sha
isakmp policy 10 encr 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec trans tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set trans tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
crypto map vpn interface outside
ASA2:
sysopt connection permit-ipsec
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp enable outside
isakmp identity address
isakmp key 123456 address 1.1.1.1 no-xauth no-config
isakmp nat-t 10
isakmp policy 10 auth pre-share
isakmp policy 10 hash sha
isakmp policy 10 encr 3des
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec trans tset esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 set peer 1.1.1.1
crypto map vpn 10 set trans tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
crypto map vpn interface outside
Easy right?
CCIE Security
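As an added example (not part of the thread or of Cisco's tooling): a small Python checker that parses the tunnel-relevant lines of the two configs above and flags the settings that must agree or mirror between the ends: ISAKMP policy, transform set, PFS group, peer addresses and the crypto ACLs. The outside addresses passed as arguments are the sample 1.1.1.1 and 2.2.2.2 from the post; the checker assumes one crypto map entry per config.

```python
# Constructed sample: ASA1's tunnel lines from the answer above, keywords kept as typed.
ASA1 = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
isakmp policy 10 auth pre-share
isakmp policy 10 hash sha
isakmp policy 10 encr 3des
isakmp policy 10 group 2
crypto ipsec trans tset esp-3des esp-sha-hmac
crypto map vpn 10 set peer 2.2.2.2
crypto map vpn 10 set trans tset
crypto map vpn 10 set pfs group2
crypto map vpn 10 match address nonat
"""
# ASA2 is ASA1's mirror, as in the answer: ACL direction and peer address swapped.
ASA2 = (ASA1.replace("192.168.1.0 255.255.255.0 192.168.2.0", "192.168.2.0 255.255.255.0 192.168.1.0")
            .replace("peer 2.2.2.2", "peer 1.1.1.1"))
# ASA accepts abbreviated keywords; normalise them so both spellings compare equal.
ALIAS = {"auth": "authentication", "encr": "encryption", "trans": "transform-set", "life": "lifetime"}

def parse(text):
    """Collect what must agree (or mirror) across both ends; assumes one crypto map entry per config."""
    cfg = {"policy": {}, "acl": {}, "tset": {}, "map": {}}
    for line in text.splitlines():
        f = [ALIAS.get(w, w) for w in line.split()]
        if f[:1] == ["access-list"] and "permit" in f:
            i = f.index("permit")                      # works with or without the 'extended' keyword
            cfg["acl"][f[1]] = (f[i + 2], f[i + 4])    # (source net, destination net)
        elif f[:2] == ["isakmp", "policy"] and len(f) == 5:
            cfg["policy"].setdefault(f[2], {})[f[3]] = f[4]
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tset"][f[3]] = tuple(f[4:])
        elif f[:2] == ["crypto", "map"] and len(f) == 7 and f[3].isdigit():
            cfg["map"][f[5] if f[4] == "set" else "acl"] = f[6]   # set peer/transform-set/pfs, match address
    return cfg

def check_mirror(a, b, a_outside, b_outside):
    """Return the mismatches that would stop the two ASAs from negotiating the tunnel."""
    # Phase 1: policy priorities may differ and lifetime is negotiated down, so compare the rest
    pol = lambda c: [{k: v for k, v in p.items() if k != "lifetime"} for p in c["policy"].values()]
    ta, tb = a["tset"].get(a["map"].get("transform-set")), b["tset"].get(b["map"].get("transform-set"))
    acl_a, acl_b = a["acl"].get(a["map"].get("acl")), b["acl"].get(b["map"].get("acl"))
    checks = [
        (not any(x == y for x in pol(a) for y in pol(b)), "no matching isakmp policy"),
        (ta is None or ta != tb, f"phase-2 transform-set differs: {ta} vs {tb}"),
        (a["map"].get("pfs") != b["map"].get("pfs"), "pfs group differs"),
        (a["map"].get("peer") != b_outside or b["map"].get("peer") != a_outside, "set peer is not the other end's outside address"),
        # the interesting-traffic ACLs must be exact mirrors (source and destination swapped)
        (acl_a is None or acl_b is None or acl_a != acl_b[::-1], f"crypto ACLs are not mirrors: {acl_a} vs {acl_b}"),
    ]
    return [msg for failed, msg in checks if failed]
```

Running `check_mirror(parse(ASA1), parse(ASA2), "1.1.1.1", "2.2.2.2")` on the sample returns an empty list; change one side's hash or peer and the corresponding mismatch is reported.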
02-13-2008 08:40 AM
Cool... looks great...
Thank you
MS
02-13-2008 09:26 AM
Also, quick thing.. on ASA, do we need...
sysopt connection permit-ipsec
isakmp identity address
??? On PIX, we need them, but not sure about ASA too..
please suggest..
Thank you
MS
02-13-2008 09:35 AM
For simplicity, yes, use them both on ASA as well. Didn't I include that in my previous configuration ("sysopt connection permit-ipsec")?
02-13-2008 09:44 AM
Yes.. you did... I am planning to deploy the configs below... (I posted one end; the other end is similar with different IPs)
access-list nonat extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
access-list site1-site2 extended permit ip 192.168.50.0 255.255.255.0 192.168.51.0 255.255.255.0
nat (Inside) 0 access-list nonat
crypto ipsec transform-set myvpn esp-3des esp-md5-hmac
crypto map Outside_map 30 match address site1-site2
crypto map Outside_map 30 set peer y.y.y.y
crypto map Outside_map 30 set transform-set myvpn
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp identity address
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key 12345
crypto map Outside_map interface Outside
crypto isakmp enable Outside
Please review and suggest...
Thank you in advance
MS
02-13-2008 09:56 AM
Your configuration looks good. Regarding
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key 12345
I would just enter this command:
isakmp key 12345 address y.y.y.y no-xauth no-config
That will do the trick. My command is a legacy command which the ASA will pick up just fine.
Good luck to you.
CCIE security
02-13-2008 10:06 AM
Wonderful.. thank you for the clarification..
So in my config I did not put the 'sysopt' command.. will that be acceptable..?
Also, the remote end peer I have to configure by logging in via SSH. Will there be any chance that any of these commands hang up the 'outside' interface..? (that would impact production). I had this kind of issue when I created an IPsec tunnel between routers.
Regards
MS