Site-to-Site VPN

Answered Question
Aug 13th, 2010

We have two ASAs for both locations. I see this document on how to configure site-to-site VPN. I am using port 0/0 for the outside interface and port 0/1 for the inside interface to configure the VPN client. Would you use port 0/2 to configure site-to-site VPN? Would you use the public IP address to configure site-to-site VPN? Do you have any other suggestions? Do you have brief notes on how to configure site-to-site VPN?


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html


Thanks.


Jill


Correct Answer by Asim Malik about 6 years 8 months ago

Review this document for a configuration example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml


Let me know if this helps.
jill.johnson Sun, 08/15/2010 - 17:10

Thanks for your prompt response and information. If I read the documentation correctly, I need to create a separate inside port for site-to-site VPN on the ASA 5550. Do you have short notes on how to configure site-to-site VPN?


Thanks.


Diane

Correct Answer
JORGE RODRIGUEZ Sun, 08/15/2010 - 19:51

Hi Diane,


You do not need to create another (inside) port for your L2L VPN; the link you have and the link provided by Asimalik provide all the information you need.

If you need to create an L2L VPN to another gateway through the internet, generally you will use the interface in your firewall facing the internet. Generally, on an ASA firewall most people label their port ethernet0/0 as their outside interface, which is configured statically with a public IP address. The outside will be the VPN termination point in your firewall, and the VPN gateway at the other end that your firewall will be peering with will be the far-end VPN termination point.

The link provided by Asimalik, for example, depicts a simple network at both ends (inside and outside): you have an inside interface which houses or routes your LAN subnet, and then your outside interface. When you create the VPN you will enable ISAKMP and the crypto map on the outside interface; this will enable VPN on the outside. The same rule applies if, for example, the VPN connection was coming from another interface, but so as not to get you confused, I do not think this is your case and thus will not elaborate on this. So from your initial request it seems to me you simply need to VPN peer with another network using the internet; if this is so, your requirements are in the link above to create the L2L VPN.



Regards

jill.johnson Sun, 08/15/2010 - 21:24

Thanks Jorgemcse. If the Remote Site has an ASA 5520 or 5540, do I still follow the same example as for the ASA 5505 (in the link that Asimalik provided)? Thanks.

Correct Answer
JORGE RODRIGUEZ Mon, 08/16/2010 - 08:34

Yes, follow that same link example; just read the link carefully. Try to build the tunnel in the command line, just as in the example but using your IP scheme of course; the ASDM GUI sometimes may get you confused. Try creating a script config for each firewall separately (use Notepad); when you think you have a script built, you can post the configuration script here in this thread for us to look at before you enter the script in the firewalls.


You can use this link as well, for both GUI and command line.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a87f7.shtml



jill.johnson Mon, 08/16/2010 - 13:07

Thanks Jorgemcse for your prompt response and information. Your link is helpful. I do not have access to the ASA of the remote site, so I just modified my config and made it into a Remote site ASA config. Attached are two configs: one for the Corporate office and the other for the Remote office. I will wait for you before I add these statements to my ASA. My ASA is also set up for Remote Access for the Cisco VPN client.


Does it matter what type of ASA (5510, 5520, etc.) the Remote Site has?  Please let me know if you need additional information.  Thanks again.

jill.johnson Mon, 08/16/2010 - 13:15

Hi Jorgemcse,


One more question:  If I had another ASA, is it possible for me to simulate the Remote site ASA using my current network?  Thanks.

Correct Answer
JORGE RODRIGUEZ Tue, 08/17/2010 - 09:34

Hi. Apologies for the delay. I looked at both configs but could not decipher the L2L tunnel; I see the RA VPN tunnels but not the L2L tunnel you created.


So, looking at your logical information, I was able to understand your topology a bit. I am not too clear why you have in both Corporate and Remote a network of 192.168.100.0/24 being routed through an inside gateway at each end; perhaps you can explain.


In the meantime I have created a script for your new L2L tunnel between the Corporate and Remote sites, assuming there are no other connections between them that we are not aware of, so I am creating this script based not on the 192.168.100.0/24 but on the other subnets in them.


Based on the CORPORATE logical IPs, let's assume that on this tunnel the inside LAN subnet in the remote site, 72.30.1.0/24, will access the Corporate LAN subnets 66.102.10.0/24 and 66.102.1.0/24; this traffic will not be NATed, so we will use your existing nonat ACL.


Corporate - Network

Outside ip 66.102.9.17 255.255.255.0
Inside ip 66.102.10.1 255.255.255.0
Inside subnet 66.102.1.0/24
Inside subnet 66.102.10.0/24   via 66.102.10.254
Inside subnet 66.102.102.0/24  via 66.102.9.1 1
Inside subnet 66.102.216.0/24  via 66.102.10.254
Inside subnet 66.102.254.0/24  via 66.102.9.1 1
Inside subnet 192.168.100.0/24 via 66.102.10.254



This is usually the process I use.

Corporate network requirements to build the tunnel; I like to do it in this order:

a- define the crypto ACL for this L2L tunnel (the traffic that will be encrypted)
b- define the nonat access-list and apply the NAT exempt rule on the inside interface
c- define the VPN Phase-1 config
d- define the VPN Phase-2 config
e- create the tunnel-group



! a) Crypto ACL: source = local (Corporate) subnets, destination = Remote subnet
access-list outside_remote_cryptomap extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list outside_remote_cryptomap extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
! b) NAT exemption for the same local -> remote traffic
access-list nonat extended permit ip 66.102.10.0 255.255.255.0 72.30.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.1.0 255.255.255.0 72.30.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! c) Phase-1 (ISAKMP) policy
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86300

! d) Phase-2 (IPsec): the transform set has to be bound to the crypto map entry
crypto ipsec transform-set REMOTE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_remote_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 72.30.2.17
crypto map outside_map 3 set transform-set REMOTE
! Both of these are needed once on the outside interface. If your RA VPN already
! binds a crypto map to outside, use that map's name for the entries above instead.
crypto isakmp enable outside
crypto map outside_map interface outside

! e) Tunnel-group keyed by the peer address; the key must match the Remote side
tunnel-group 72.30.2.17 type ipsec-l2l
tunnel-group 72.30.2.17 ipsec-attributes
 pre-shared-key < Tunnel***secret***key>



The tunnel policy above is complete for the Corporate side; you have to do the same on the other side, matching the VPN Phase-1 and Phase-2 policies, inverting the access-lists on the REMOTE firewall and changing the peer to be the corporate side.

Let's jump on the REMOTE firewall next.






/////////////////////////////////////////



REMOTE SITE


Outside ip 72.30.2.17 255.255.255.0
Inside ip 72.30.3.1 255.255.255.0 (lan)
Inside subnet 72.30.1.0/24     via 72.30.3.254
Inside subnet 72.30.3.0/24     via 72.30.3.254
Inside subnet 72.30.132.0/24   via 72.30.2.1 1
Inside subnet 72.30.216.0/24   via 72.30.3.254
Inside subnet 72.30.254.0/24   via 72.30.2.1 1
Inside subnet 192.168.100.0/24 via 72.30.3.254



! a) Crypto ACL: source = local (Remote) subnet, destination = Corporate subnets
access-list outside_corporate_cryptomap extended permit ip 72.30.1.0 255.255.255.0 66.102.10.0 255.255.255.0
access-list outside_corporate_cryptomap extended permit ip 72.30.1.0 255.255.255.0 66.102.1.0 255.255.255.0
! b) NAT exemption for the same local -> remote traffic
access-list nonat extended permit ip 72.30.1.0 255.255.255.0 66.102.10.0 255.255.255.0
access-list nonat extended permit ip 72.30.1.0 255.255.255.0 66.102.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! c) Phase-1 policy, matching the Corporate side
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86300

! d) Phase-2: mirror of the Corporate entry, with the transform set bound and the peer changed
crypto ipsec transform-set CORPORATE esp-3des esp-sha-hmac
crypto map outside_map 3 match address outside_corporate_cryptomap
crypto map outside_map 3 set pfs group2
crypto map outside_map 3 set peer 66.102.9.17
crypto map outside_map 3 set transform-set CORPORATE
! Enable ISAKMP and bind the crypto map on the outside interface
crypto isakmp enable outside
crypto map outside_map interface outside

! e) Tunnel-group keyed by the Corporate peer; the key must be identical on both sides
tunnel-group 66.102.9.17 type ipsec-l2l
tunnel-group 66.102.9.17 ipsec-attributes
 pre-shared-key < Tunnel***secret***key>




You can add networks to the crypto ACL and nonat ACL as you work your way up to permitting more networks between the corporate and remote sites.


To answer your other question: if you have a spare ASA firewall it may be possible to simulate, provided you have a spare public IP for its outside interface, and perhaps connect the inside on a separate switch, creating an inside LAN subnet for it, for creating the tunnel.



Hope this helps


Regards

jill.johnson Tue, 08/17/2010 - 10:12

Thanks very much for taking the time to work on the config for me, Jorgemcse. I am sorry for confusing you with my configs since they also include Remote Access. I will follow your instructions and get back to you to let you know the results. Thanks again for taking the time to help me out.

jill.johnson Sun, 08/22/2010 - 21:11

Hi Jorgemcse,


Thank you again for taking the time to help me configure site-to-site VPN. I need to add another ASA from the remote office. How would you add the second ASA from the remote office to my current config at the Main office? Thanks.

Richard Burts Sun, 08/22/2010 - 21:29

Jill


I am not clear from your follow-up question whether you need to do an ASA in another remote office (pretty easy) or another ASA in the same remote office (we would need additional information, such as whether this is to be active/standby failover for the ASA or 2 independent ASAs each processing certain traffic).


Assuming that you need to add another remote site with an ASA to do another LAN-to-LAN VPN, then you can take parts of this config and use them as a model of what to add for the second remote site. As suggested before, do these steps:

a- define the crypto ACL for this L2L tunnel (the traffic that will be encrypted)
b- define the nonat access-list and apply the NAT exempt rule on the inside interface
c- define the VPN Phase-1 config
d- define the VPN Phase-2 config
e- create the tunnel-group


I would suggest that the crypto ACL for the new tunnel should be a separate ACL from what you configured for the first tunnel.

You would use the same nonat ACL (just add additional entries in the same ACL).

Depending on the requirements, the ISAKMP policy might be the same or might be different.

For IPsec you want another instance of the same crypto map. If you are using crypto map outside_map 3, then you might want to create crypto map outside_map 5.

And you would need to configure another tunnel-group for the new connection.


The configuration of the remote site would be quite similar to the example previously given, with changes to reflect different addressing etc.


HTH


Rick
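Rick's five steps applied to a second remote site on the Corporate ASA, as an added example that was not posted in this thread. The second site's inside subnet 10.50.1.0/24, its peer address 203.0.113.17, and the names outside_remote2_cryptomap and REMOTE2 are constructed placeholders; the Corporate subnets, the nonat ACL, outside_map and crypto isakmp policy 3 are the ones from Jorge's Corporate script above.

```cisco
! Corporate ASA: second L2L tunnel to a second remote site (added example).
! Constructed placeholders: remote inside 10.50.1.0/24, peer 203.0.113.17.
!
! a) Separate crypto ACL for the new tunnel: local Corporate nets -> new remote net
access-list outside_remote2_cryptomap extended permit ip 66.102.10.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list outside_remote2_cryptomap extended permit ip 66.102.1.0 255.255.255.0 10.50.1.0 255.255.255.0
!
! b) Same nonat ACL, extra entries only; "nat (inside) 0 access-list nonat" is already in place
access-list nonat extended permit ip 66.102.10.0 255.255.255.0 10.50.1.0 255.255.255.0
access-list nonat extended permit ip 66.102.1.0 255.255.255.0 10.50.1.0 255.255.255.0
!
! c) Phase-1: the existing "crypto isakmp policy 3" is reused unchanged. Add a second
!    policy with a different priority only if the new peer needs different settings.
!
! d) Phase-2: a new instance of the same crypto map (sequence 5), with its own ACL,
!    peer and transform set. The sequence number must not collide with 3 or with the
!    dynamic map used by the RA VPN clients.
crypto ipsec transform-set REMOTE2 esp-3des esp-sha-hmac
crypto map outside_map 5 match address outside_remote2_cryptomap
crypto map outside_map 5 set pfs group2
crypto map outside_map 5 set peer 203.0.113.17
crypto map outside_map 5 set transform-set REMOTE2
!
! e) Separate tunnel-group keyed by the new peer address, with its own pre-shared key
tunnel-group 203.0.113.17 type ipsec-l2l
tunnel-group 203.0.113.17 ipsec-attributes
 pre-shared-key <second-tunnel-secret>
!
! Check each tunnel separately after sending traffic across it:
!   show crypto isakmp sa
!   show crypto ipsec sa peer 203.0.113.17
```

The second remote site's own ASA needs the mirror image: its crypto and nonat ACLs with 10.50.1.0/24 as the source and the Corporate subnets as the destination, a peer of 66.102.9.17, and the same pre-shared key.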

jill.johnson Sun, 08/22/2010 - 21:50

Rick,


Thanks very much for your prompt response and information. Sorry for not making my question clear. You are correct; I am adding another remote site with an ASA to do LAN-to-LAN. Is it possible for you to write me a sample config to add the second LAN-to-LAN? Also, is there a way to find out the password for the pre-shared key? Thanks.