ASA 5505

Unanswered Question
Oct 1st, 2009

My home office has a VPN 3000 concentrator. We have an ASA 5505. We would like to connect to the home office using the VPN of the ASA 5505, but not have all traffic go through the home office (split tunneling?). I have looked for examples but I have yet to find any.

Can we use this hardware, or do we need other devices? If we can, do you have any examples?

xcz504d1114 Fri, 10/02/2009 - 08:58

ASA 5505s will work fine for that; it is called an L2L (LAN-to-LAN) tunnel.

There are some key things you need to identify before you begin: is the ASA behind a device that is performing NAT? If so, you will need to enable NAT traversal on the ASA (isakmp nat-traversal).

You will also need to identify the phase 1 and phase 2 crypto settings:

Phase 1 (ISAKMP)
Encryption type (AES, 3DES)
Hash (SHA, MD5)
Diffie-Hellman group (typically group 2)
Lifetime (default is 86400)
Authentication type (probably pre-shared key)

Phase 2 (probably IPsec)
Are you going to use PFS? (Easiest to just disable it.)
The IP address of the end device
Transform set to use (3DES/MD5, 3DES/SHA, AES/MD5 etc.)

Next you need to identify local traffic, remote traffic and traffic that should not go through the tunnel (Internet etc., i.e. the split tunnel).

Now we can start building the configuration. I would start with the Access-list:

Let's first permit the local network to talk to the remote network (local is, remote is in this example):

access-list 100 extended permit ip

Now we need to specify that when we send traffic to that destination, we don't want to NAT the traffic. (Note: the ACL name is "nonat"; this name should match whatever you already have configured in the line "nat (inside) 0 access-list nonat". If that is not already configured, you need to add it.)

access-list nonat extended permit ip

This will also define your split tunnel, as anything not defined in the access-lists will be NAT'd out your normal connection.

Next you need to configure your transform sets. The following defines all of the transform sets; the lower case parts are the commands, the upper case parts are the "names" that you will reference in the phase 2 configuration. You can copy and paste this into your ASA; it won't hurt anything:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

For the phase 1 configuration, here are two examples: the first one uses 3DES and MD5, the second uses AES and SHA. You can copy and paste those also. You can have as many ISAKMP policies as you would like, just as long as there is a match on both sides:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400

You also need to enable phase 1 on the outside interface:

crypto isakmp enable outside

and if you need to enable NAT-T:

crypto isakmp nat-traversal

Now you need to configure phase 2 (replace with the VPN concentrator's IP address). Also note this is using the 3DES/SHA transform set; replace that with anything you want to use from the above list. The match address ACL is the same access-list 100 defined earlier:

crypto map outside_map 1 match address 100
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

Lastly you will need to set up a tunnel-group; use the EXACT same IP you put in your phase 2 public IP:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key

If you are doing an EzVPN connection, then this is going to be a bit different, but that is the L2L configuration for the ASA.
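As an added example (not code from the original post, and not a Cisco tool), the following Python script parses a constructed ASA configuration in the shape described above and checks the cross-references the answer says must line up: the crypto map's "match address" ACL exists, its transform set is defined, the "set peer" address has a matching "tunnel-group ... type ipsec-l2l", ISAKMP is enabled on the interface the crypto map is applied to, and every network pair in the crypto ACL also appears in the nonat ACL so tunnelled traffic is not NAT'd. It then classifies sample flows as tunnelled or sent out the normal NAT'd path, which is what the split tunnel comes down to. All addresses, ACL names and the pre-shared key in the sample are constructed placeholders, not values from any real device.

```python
"""Added example (not from the post): cross-reference checks for an ASA L2L IPsec config,
plus a split-tunnel classifier that says whether a flow matches the crypto ACL."""
import ipaddress

# Constructed sample config: RFC 1918 LANs, RFC 5737 peer address, placeholder PSK.
SAMPLE_CONFIG = """\
access-list 100 extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp enable outside
crypto map outside_map 1 match address 100
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
"""


def _net(tokens):
    """Consume one ASA address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Extract ACLs, the NAT-exempt ACL, transform sets, crypto maps and tunnel-groups."""
    cfg = {"acls": {}, "nonat_acl": None, "transform_sets": set(),
           "isakmp_ifaces": set(), "crypto_maps": {}, "tunnel_groups": {}}
    for t in (line.split() for line in text.splitlines()):
        if len(t) > 6 and t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            src, rest = _net(t[5:])  # t[4] is the protocol keyword (ip)
            cfg["acls"].setdefault(t[1], []).append((src, _net(rest)[0]))
        elif len(t) > 4 and t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            cfg["nonat_acl"] = t[4]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(t[3])
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_ifaces"].add(t[3])
        elif t[:2] == ["crypto", "map"]:
            cm = cfg["crypto_maps"].setdefault(t[2], {"interface": None, "entries": {}})
            if t[3] == "interface":
                cm["interface"] = t[4]
            else:  # e.g. 'crypto map NAME SEQ set peer A.B.C.D' -> entries[SEQ]['set peer']
                cm["entries"].setdefault(t[3], {})[" ".join(t[4:6])] = t[6:]
        elif len(t) > 3 and t[0] == "tunnel-group" and t[2] == "type":
            cfg["tunnel_groups"][t[1]] = t[3]
    return cfg


def check_config(cfg):
    """Return a list of problems; an empty list means every reference lines up."""
    problems = []
    nonat = cfg["acls"].get(cfg["nonat_acl"], [])
    for name, cm in cfg["crypto_maps"].items():
        if cm["interface"] not in cfg["isakmp_ifaces"]:
            problems.append(f"{name}: interface {cm['interface']} does not have isakmp enabled")
        for seq, e in cm["entries"].items():
            acl = e.get("match address", [None])[0]
            peer = e.get("set peer", [None])[0]
            if acl not in cfg["acls"]:
                problems.append(f"{name} {seq}: match address {acl} references an undefined ACL")
            for ts in e.get("set transform-set", []):
                if ts not in cfg["transform_sets"]:
                    problems.append(f"{name} {seq}: transform-set {ts} is not defined")
            if cfg["tunnel_groups"].get(peer) != "ipsec-l2l":
                problems.append(f"{name} {seq}: no 'tunnel-group {peer} type ipsec-l2l' for set peer")
            # Split tunnel: every pair in the crypto ACL must also be exempt from NAT.
            for src, dst in cfg["acls"].get(acl, []):
                if (src, dst) not in nonat:
                    problems.append(f"{name} {seq}: {src} -> {dst} is tunnelled but not in nonat ACL")
    return problems


def classify_flow(cfg, src_ip, dst_ip):
    """'tunnel' if the flow matches a crypto-map ACL, else 'nat' (normal Internet path)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for cm in cfg["crypto_maps"].values():
        for e in cm["entries"].values():
            for acl in e.get("match address", []):
                if any(s in src and d in dst for src, dst in cfg["acls"].get(acl, [])):
                    return "tunnel"
    return "nat"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("problems:", check_config(cfg) or "none")
    for src, dst in (("192.168.1.25", "10.10.4.7"), ("192.168.1.25", "198.51.100.9")):
        print(f"{src} -> {dst}: {classify_flow(cfg, src, dst)}")
    # A mistyped ACL name in the crypto map entry is the kind of slip the checker catches.
    typo = SAMPLE_CONFIG.replace("match address 100", "match address outside_cryptomap_2")
    for p in check_config(parse_config(typo)):
        print("problem:", p)
```

Run it against a "show running-config" capture instead of the embedded sample to see whether a half-finished L2L config is missing one of the pieces the answer lists; the classifier is a quick way to confirm that only the home-office subnet is steered into the tunnel and everything else still leaves via the normal NAT'd connection.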



rdaleigo1 Fri, 10/02/2009 - 09:38

Thanks for all the help. I was using EzVPN. I will follow the guides and see if I can get it to work.


