Cisco Support Community

New Member

Site to Site VPN ASA5520

Hi there, I am trying to set up a site-to-site VPN to one of our clients. Can you please help with the CLI commands for this? Details are:

Client Side:

Client name : Client1

Client 1 Public IP : 210.213.x.x

Client 1 Private Network: 192.168.154.0/24

Client1 Internal ip address : 192.168.154.10

Encryption:3DES,

Authentication: SHA1

Sharedkey: passw0rd123!

Our Side

Public IP address : 213.129.x.x ( Outside)

Internal Network: 192.168.104.0 / 22 ( Inside4)

Same Encryption and Authentication.

Many Thanks and much appreciated

Rab

1 REPLY
New Member

Re: Site to Site VPN ASA5520

Hi, I think you should use aes128 rather than aes because of better performance, so I am writing these configs accordingly. You can use 3des if you want.

Client1 configs are below:

! Client1 (192.168.154.0/24) -> our network 192.168.104.0/22 (mask 255.255.252.0)
access-list out_1_crypto line 1 extended permit ip 192.168.154.0 255.255.255.0 192.168.104.0 255.255.252.0
access-list in_nat0_outbound line 1 extended permit ip 192.168.154.0 255.255.255.0 192.168.104.0 255.255.252.0

crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
! "aes" is the ASA keyword for AES-128 (aes-128 is not accepted)
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set esp-aes-128-sha esp-aes esp-sha-hmac
! the ACL name here must match the access-list defined above
crypto map client2_map 1 match address out_1_crypto
crypto map client2_map 1 set pfs group5
crypto map client2_map 1 set peer 213.129.x.x
crypto map client2_map 1 set transform-set esp-aes-128-sha
! the map does nothing until it is bound to the outside interface
crypto map client2_map interface outside
! pre-8.3 NAT exemption; "inside" must be the nameif of the LAN interface
nat (inside) 0 access-list in_nat0_outbound

tunnel-group 213.129.x.x type ipsec-l2l
tunnel-group 213.129.x.x ipsec-attributes
 pre-shared-key passw0rd123!
 isakmp keepalive threshold 10 retry 2

-----------------------------------------------------------

Client2 config are below:

---------

! Our side (192.168.104.0/22, mask 255.255.252.0) -> Client1 192.168.154.0/24
access-list out_1_crypto line 1 extended permit ip 192.168.104.0 255.255.252.0 192.168.154.0 255.255.255.0
access-list in_nat0_outbound line 1 extended permit ip 192.168.104.0 255.255.252.0 192.168.154.0 255.255.255.0

crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
! lifetime must match the peer (86400, not 84600)
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set esp-aes-128-sha esp-aes esp-sha-hmac
crypto map client1_map 1 match address out_1_crypto
crypto map client1_map 1 set peer 210.213.x.x
crypto map client1_map 1 set pfs group5
crypto map client1_map 1 set transform-set esp-aes-128-sha
crypto map client1_map interface outside

! pre-8.3 NAT exemption; use the nameif of your LAN interface
nat (inside) 0 access-list in_nat0_outbound

tunnel-group 210.213.x.x type ipsec-l2l
tunnel-group 210.213.x.x ipsec-attributes
 pre-shared-key passw0rd123!
 isakmp keepalive threshold 10 retry 2

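Both ends of a crypto-map tunnel have to mirror each other exactly, and the slips that keep one down (a crypto map pointing at an ACL name that does not exist, a lifetime typo, a map never bound to an interface, a mask that does not match the remote network) are easy to miss by eye. The following Python script is an added example, not something posted in this thread or shipped by Cisco: it parses two flat ASA IKEv1 snippets and reports those asymmetries. The two sample configs embedded in it are constructed for the demonstration (RFC 5737 addresses and a placeholder pre-shared key), patterned on the thread's pair.

```python
"""Consistency check for a mirrored pair of ASA IKEv1 site-to-site configs.
Added example (not from this thread or Cisco). Sample configs below are
constructed: RFC 5737 addresses and a placeholder pre-shared key."""
import re

ACL_RE = re.compile(r"^access-list (\S+)(?: line \d+)? extended permit ip (\S+) (\S+) (\S+) (\S+)$")
POLICY_RE = re.compile(r"^crypto isakmp policy \d+ (authentication|encryption|hash|group|lifetime) (\S+)$")
TSET_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) \d+ (match address|set peer|set transform-set|set pfs) (\S+)$")
APPLY_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
PSK_RE = re.compile(r"^pre-shared-key (\S+)$")

def parse_side(config):
    """Reduce one side's flat CLI to the fields the checks below compare."""
    side = {"acls": {}, "policy": {}, "tsets": {}, "maps": {}, "applied": set(), "psk": None}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            side["acls"].setdefault(m[1], set()).add(m.groups()[1:])  # (src, smask, dst, dmask)
        elif m := POLICY_RE.match(line):
            side["policy"][m[1]] = m[2]
        elif m := TSET_RE.match(line):
            side["tsets"][m[1]] = frozenset(m[2].split())
        elif m := MAP_RE.match(line):
            side["maps"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := APPLY_RE.match(line):
            side["applied"].add(m[1])
        elif m := PSK_RE.match(line):
            side["psk"] = m[1]
    return side

def check_side(label, side):
    """Dangling references inside one config: the tunnel never negotiates at all."""
    findings = []
    for name, entry in side["maps"].items():
        acl = entry.get("match address")
        if acl not in side["acls"]:
            findings.append(f"{label}: crypto map {name} matches ACL {acl!r}, which is not defined")
        tset = entry.get("set transform-set")
        if tset not in side["tsets"]:
            findings.append(f"{label}: crypto map {name} uses transform-set {tset!r}, which is not defined")
        if name not in side["applied"]:
            findings.append(f"{label}: crypto map {name} is never applied to an interface")
    return findings

def crypto_aces(side):
    """Every ACE of every ACL that a crypto map actually references."""
    aces = set()
    for entry in side["maps"].values():
        aces |= side["acls"].get(entry.get("match address"), set())
    return aces

def mirrored(aces):
    """Swap source and destination so the two sides' crypto ACLs can be compared."""
    return {(dst, dmask, src, smask) for (src, smask, dst, dmask) in aces}

def check_pair(cfg_a, cfg_b, label_a="A", label_b="B"):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    findings = check_side(label_a, a) + check_side(label_b, b)
    for attr in ("authentication", "encryption", "hash", "group", "lifetime"):
        if a["policy"].get(attr) != b["policy"].get(attr):
            findings.append(f"ISAKMP {attr} differs: {label_a}={a['policy'].get(attr)} "
                            f"{label_b}={b['policy'].get(attr)}")
    if set(a["tsets"].values()) != set(b["tsets"].values()):
        findings.append("IPsec transform-set proposals differ")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    if crypto_aces(a) != mirrored(crypto_aces(b)):
        findings.append("crypto ACLs are not mirror images (check networks and masks on both sides)")
    return findings

# Constructed pair: the client side uses a /24 mask for the /22 remote network
# and never applies its crypto map; the other side has an 84600-for-86400 typo.
CLIENT_SIDE = """
access-list out_1_crypto extended permit ip 192.168.154.0 255.255.255.0 192.168.104.0 255.255.255.0
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto map client2_map 1 match address out_1_crypto
crypto map client2_map 1 set pfs group5
crypto map client2_map 1 set peer 203.0.113.2
crypto map client2_map 1 set transform-set esp-aes-sha
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key EXAMPLE-KEY-PLACEHOLDER
"""
OUR_SIDE = """
access-list out_1_crypto extended permit ip 192.168.104.0 255.255.252.0 192.168.154.0 255.255.255.0
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 84600
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto map client1_map 1 match address out_1_crypto
crypto map client1_map 1 set peer 198.51.100.2
crypto map client1_map 1 set pfs group5
crypto map client1_map 1 set transform-set esp-aes-sha
crypto map client1_map interface outside
tunnel-group 198.51.100.2 ipsec-attributes
 pre-shared-key EXAMPLE-KEY-PLACEHOLDER
"""

if __name__ == "__main__":
    for finding in check_pair(CLIENT_SIDE, OUR_SIDE, "client", "ours"):
        print(finding)
```

Run against the constructed pair it reports three findings (map never applied, lifetime mismatch, crypto ACLs not mirrored); fix those three and it reports nothing. It only understands the flat single-line syntax used in this thread, so `show running-config` output with sub-mode indentation would need the policy and tunnel-group blocks flattened first.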