10-01-2009 10:55 AM - edited 03-06-2019 07:58 AM
My home office has a VPN 3000 concentrator. We have an ASA 5505. We would like to connect to the home office using the VPN of the ASA 5505, but not have all traffic go through the home office (split tunneling?). I have looked for examples but I have yet to find any.
Can we use this hardware or do we need other devices? If we can, do you have any examples?
10-01-2009 11:24 AM
Here's some configuration guides-
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_configuration_examples_list.html#anchor15
Hope it helps.
10-01-2009 08:14 PM
Here are the configuration examples for the ASA devices.
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
10-02-2009 08:58 AM
ASA 5505's will work fine for that; it is called an L2L (LAN-to-LAN) tunnel.
There are some key things you need to identify before you begin: is the ASA behind a device that is performing NAT? If so, you will need to enable NAT traversal on the ASA (isakmp nat-traversal).
You will also need to identify the phase 1 and phase 2 crypto settings:
Phase 1 (ISAKMP)
Encryption type (AES, 3DES)
Hash (SHA, MD5)
Hellman Group (Typically group 2)
Lifetime (Default is 86400)
Authentication type (Probably pre-shared key)
Phase 2 (Probably IPSEC)
Are you going to use PFS (easiest to just disable it)
The IP address of the end device
Transform set to use (3DES/MD5, 3DES/SHA, AES/Md5 etc.)
Next you need to identify local traffic, remote traffic and traffic not to go through the tunnel (internet etc., i.e. split tunnel).
Now we can start building the configuration. I would start with the Access-list:
Let's first permit the local network to talk to the remote network (local is 10.1.1.0/24, remote is 10.2.2.0/24 in this example):
access-list 100 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
Now we need to specify that when we send traffic to that destination, we don't want to NAT the traffic (note: the ACL name is "nonat"; this name should match whatever you already have configured in the line "nat (inside) 0 access-list nonat". If that is not already configured, you need to add it).
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
This will also define your split tunnel, as anything not defined in the access-lists will be NAT'd out your normal connection.
Next you need to configure your transform sets. This will define all of your transform sets; the lower case words are the commands, the upper case words are the "names" that you will reference in the phase 2 configuration. You can copy and paste this into your ASA, it won't hurt anything:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
For phase 1 configuration, here are 2 examples: the first one uses 3DES and MD5, the second uses AES and SHA. You can copy and paste those also; you can have as many ISAKMP policies as you would like, just as long as there is a match on both sides:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
You also need to enable phase 1 on the outside interface:
crypto isakmp enable outside
and if you need to enable nat-t:
crypto isakmp nat-traversal
Now you need to config phase 2 (replace
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
Lastly you will need to setup a tunnel-group, use the EXACT same IP you put in your phase 2 public IP:
tunnel-group
tunnel-group
pre-shared key
If you are doing an EzVPN connection, then this is going to be a bit different, but that is the L2L configuration for the ASA.
HTH,
Craig
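The post above stresses that phase 1 and phase 2 settings only work "as long as there is a match on both sides", and that the crypto ACL on one end has to be the mirror image of the other. The script below is an added example, not part of the thread and not Cisco tooling: it parses ASA-style lines of the kind shown in the post (crypto isakmp policy, crypto ipsec transform-set, crypto map ... set transform-set / match address, access-list ... permit ip) from a constructed config for each peer, reports which policies and transform sets can match, lists crypto ACL entries that the other side does not mirror, and flags phase 1 settings that are deprecated today. The sample configs, ACL names and map names are constructed placeholders, and the head-office side is written in the same ASA syntax for simplicity even though a VPN 3000 concentrator is configured differently.

```python
import re

PHASE1_MUST_MATCH = ("authentication", "encryption", "hash", "group")  # lifetime may differ
WEAK = (("encryption", ("des", "3des"), "encryption {} is deprecated"),
        ("hash", ("md5",), "hash {} is deprecated"),
        ("group", ("1", "2", "5"), "DH group {} is shorter than 2048 bits"))

# Constructed sample configs (placeholder names and addresses), one per peer.
BRANCH_ASA = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
access-list outside_cryptomap_2 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-128-SHA
"""
HEAD_OFFICE = """
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
access-list to_branch extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map vpn 10 match address to_branch
crypto map vpn 10 set transform-set TS-AES-SHA
"""


def parse_isakmp_policies(cfg):
    """{sequence: {setting: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith("crypto ") or line.startswith("access-list "):
            current = None  # any other top-level statement ends the policy block
        elif current is not None and len(line.split()) == 2:
            key, value = line.split()
            current[key] = value
    return policies


def parse_transform_sets(cfg):
    """{name: (esp_encryption, esp_auth)} from 'crypto ipsec transform-set' lines."""
    return {m.group(1): (m.group(2), m.group(3))
            for m in (re.match(r"\s*crypto ipsec transform-set (\S+) (\S+) (\S+)\s*$", l)
                      for l in cfg.splitlines()) if m}


def crypto_map_proposals(cfg):
    """Ordered (esp_encryption, esp_auth) pairs the crypto map offers to the peer."""
    sets, proposals = parse_transform_sets(cfg), []
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto map \S+ \d+ set transform-set (.+?)\s*$", line)
        for name in (m.group(1).split() if m else []):
            if sets[name] not in proposals:  # KeyError here means the set was never defined
                proposals.append(sets[name])
    return proposals


def crypto_acl(cfg):
    """(local_net, local_mask, remote_net, remote_mask) entries of the crypto map's ACL."""
    names = re.findall(r"crypto map \S+ \d+ match address (\S+)", cfg)
    pat = r"\s*access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$"
    return [m.groups()[1:] for m in (re.match(pat, l) for l in cfg.splitlines())
            if m and m.group(1) in names]


def unmirrored(entries_a, entries_b):
    """Entries of side A that side B does not state with local and remote swapped."""
    flipped_b = {(rn, rm, ln, lm) for ln, lm, rn, rm in entries_b}
    return [e for e in entries_a if e not in flipped_b]


def matching_policies(pol_a, pol_b):
    """(seq_a, seq_b) pairs whose auth, encryption, hash and DH group all agree."""
    return [(sa, sb) for sa, a in sorted(pol_a.items()) for sb, b in sorted(pol_b.items())
            if all(k in a and a[k] == b.get(k) for k in PHASE1_MUST_MATCH)]


def weak_settings(policy):
    """Advisory notes on phase 1 settings that are deprecated or use DH below 2048 bits."""
    return [msg.format(policy[k]) for k, bad, msg in WEAK if policy.get(k) in bad]


def check_peers(cfg_a, cfg_b):
    """Summarise whether two peers can agree on phase 1, phase 2 and the crypto ACL."""
    pol_a, pol_b = parse_isakmp_policies(cfg_a), parse_isakmp_policies(cfg_b)
    phase1 = matching_policies(pol_a, pol_b)
    phase2 = [p for p in crypto_map_proposals(cfg_a) if p in crypto_map_proposals(cfg_b)]
    acl_gaps = unmirrored(crypto_acl(cfg_a), crypto_acl(cfg_b))
    warnings = [f"policy {sa}/{sb}: {n}" for sa, sb in phase1 for n in weak_settings(pol_a[sa])]
    return {"phase1": phase1, "phase2": phase2, "acl_gaps": acl_gaps, "warnings": warnings,
            "ok": bool(phase1 and phase2 and not acl_gaps)}


if __name__ == "__main__":
    print(check_peers(BRANCH_ASA, HEAD_OFFICE))
```

With the constructed configs, check_peers() reports that branch policy 20 pairs with head-office policy 5, that esp-aes/esp-sha-hmac is the one transform set both crypto maps offer, and that the ACLs mirror each other, while warning that DH group 5 is short by today's standards; the branch's 3DES/MD5/group 2 policy simply never matches and is left unused. Lifetime is deliberately not compared, since IKEv1 peers settle on the shorter value rather than requiring equality.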
10-02-2009 09:38 AM
Thanks for all the help. I was using EzVPN. I will follow the guides and see if I can get it to work.
Rich