Wondered if I could use your knowledge.
Currently I have all my site-to-site VPNs and Cisco Client VPNs coming into a Cisco Concentrator. But now I have these ASAs I want to start moving all this over from the Concentrator.
I have managed to move the Cisco Client users over, but I am having a little trouble with a site-to-site. It's only a test at the moment, but I wondered if you can see what I need to add.
Here is the setup:
      +-----------+     /-^-^-^-^--\     +-----------+
 -----|  London   |=====| Internet |=====|  Remote   |-----
 LAN  +-----------+ Ext \--v-v-v-v-/ Ext +-----------+ LAN
 192.168.21.0   184.108.40.206  220.127.116.11  172.19.15.0
 192.168.20.0
The IKE Phase 1 parameters used are:
* Main mode
* DH Group 5
* pre-shared secret of "123456789"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used are:
* DH Group 5
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Trusted networks in London are 192.168.21.0/24 and 192.168.20.0/24 (known as London_VPN_Subnets); at the remote site the trusted network is 172.19.15.0/24.
The firewall's outside is 100.x.x.66 and the Internet router is 100.x.x.65.
I have added the following to the config:
access-list inside_outbound_nat0_acl extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 18.104.22.168
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
crypto isakmp policy 30
crypto isakmp policy 65535
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 188.8.131.52
What am I missing? It seems I need a route to contact this remote network, plus some access lists. Any ideas?
I don't want any/many ACEs as these create 2 unidirectional IPSec SAs; using host-based ACEs is not recommended as these use resources.
Many thanks if you get a chance
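As an added example (not part of the original post or Cisco's tooling), a small Python lint pass over an ASA `show run` style fragment that reports the kind of gaps this question is about: a `match address` ACL that is never defined, a static crypto map entry without a peer or transform set, an `isakmp policy` with no sub-commands, an `ipsec-attributes` block with no pre-shared key, and transform sets that still offer DES/3DES or MD5. The sample config is constructed to mirror the posted fragment; the peer address 198.51.100.10 is a placeholder.

```python
import re
# Constructed sample modelled on the posted London fragment: ACL outside_1_cryptomap is
# referenced but never defined, and the isakmp policies and tunnel-group carry no sub-commands.
SAMPLE = """\
access-list inside_outbound_nat0_acl extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 198.51.100.10
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp policy 10
crypto isakmp policy 30
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
"""
WEAK = re.compile(r"(?i)esp-des|esp-3des|md5")  # legacy ciphers and hashes

def lint_asa_crypto(config):
    """Return findings for an IKEv1 site-to-site fragment; [] means clean."""
    blocks = []  # 'show run' layout: unindented parents, children indented one space
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    parents = [p for p, _ in blocks]
    acls = {m.group(1) for p in parents if (m := re.match(r"access-list (\S+)", p))}
    findings, entries = [], {}  # entries: (map name, seq) -> keywords seen
    for p in parents:
        m = re.match(r"crypto map (\S+) (\d+) (match address (\S+)|set (\S+))", p)
        if m:  # static crypto map entry; the dynamic 65535 line does not match
            entries.setdefault((m.group(1), m.group(2)), set()).add(m.group(5) or "match")
            if m.group(4) and m.group(4) not in acls:
                findings.append(f"{p}: ACL {m.group(4)} is not defined")
        if " set transform-set " in p and WEAK.search(p):
            findings.append(f"{p}: offers DES/3DES or MD5 transforms")
    for (name, seq), seen in entries.items():  # each static entry needs all three
        for need in ("match", "peer", "transform-set"):
            if need not in seen:
                findings.append(f"crypto map {name} {seq}: missing '{need}'")
    for p, kids in blocks:
        if p.startswith("crypto isakmp policy"):
            for need in ("authentication", "encryption", "hash", "group"):
                if not any(k.startswith(need) for k in kids):
                    findings.append(f"{p}: missing '{need}'")
        if p.startswith("tunnel-group") and p.endswith("ipsec-attributes"):
            if not any("pre-shared-key" in k for k in kids):
                findings.append(f"{p}: no pre-shared-key configured")
    return findings
```

Run `lint_asa_crypto(SAMPLE)` to list the gaps; a fragment that defines the ACL, fills in the policy sub-commands and sets the pre-shared key returns an empty list.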