New Member

Cisco 800 VPN config to new ASA5505

I have 2 office buildings using Cisco 800 series routers with a L2L VPN between both.  I'm upgrading the router to an ASA5505 at one of the offices but can't figure out the L2L VPN on the ASA.  Specifically, can't figure out how to set the pre-shared key.  On the Cisco 800 it's:

crypto isakmp key <THE_KEY> address <REMOTE_OFFICE_IP>

That doesn't seem to work on the ASA.  Can anyone help out with this?  Here is my current config on the Cisco 800...

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key <THE_KEY> address <REMOTE_OFFICE_IP>
!
!
crypto ipsec transform-set DUMAC3 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer 75.148.153.217
 set security-association lifetime seconds 36000
 set transform-set DUMAC3
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255

9 REPLIES
VIP Purple

Cisco 800 VPN config to new ASA5505

On the ASA, the PSK is configured in the Tunnel-Group:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html#wp1042423


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Cisco 800 VPN config to new ASA5505

Thanks for that.  I think I'm making some progress.  Here is what I have so far...

crypto map houston 10 match address 101
crypto map houston 10 set peer 99.119.80.165
crypto ipsec ikev1 transform-set DUMAC3 esp-3des esp-md5-hmac
crypto map houston 10 set ikev1 transform-set DUMAC3
tunnel-group 99.119.80.165 type ipsec-l2l
tunnel-group 99.119.80.165 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list 101 extended permit ip 192.168.1.0 255.255.255.0 192.168.7.0 255.255.255.0

Is there anything else that I will need to do for this?  Add nat rules so the VPN traffic isn't NAT'd?  Apply the crypto map to an interface?

VIP Purple

Cisco 800 VPN config to new ASA5505

If your router doesn't run IOS 15.2, then you don't need the IKEv2 config on the ASA.

Yes, the crypto map has to be applied to the interface and you need to exempt the vpn-traffic from translation with Identity NAT:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1102289


New Member

Cisco 800 VPN config to new ASA5505

Thanks again.  One more question... I already have a crypto map on that interface for my RA ipsec VPN (Cisco VPN Client).  Can I also apply this one or do I need to edit the existing one?  If I need to edit it, what needs to be changed?

Here is my current crypto map:


crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp

VIP Purple

Re: Cisco 800 VPN config to new ASA5505

Only one crypto map is allowed per interface, so everything has to go into one CM. Use a lower sequence number for your site-to-site tunnels and a high number (65535) for remote access.


New Member

Cisco 800 VPN config to new ASA5505

Could you explain a little further on that?  Not sure how I would use lower/higher seq numbers when I can only have 1 per interface....

VIP Purple

Re: Cisco 800 VPN config to new ASA5505

In your crypto maps, the "10" and "65535" are the sequence numbers. A combined CM could look like this:

crypto map primaryisp_map 10 match address 101
crypto map primaryisp_map 10 set peer 99.119.80.165
crypto map primaryisp_map 10 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp


New Member

Cisco 800 VPN config to new ASA5505

Thanks for all the help!  That makes more sense now.  I'll be attempting to implement this tomorrow night.  Just want to make sure everything is lined up.  Here is my "final" config... anything you notice that should be added/changed (obviously it's tough to just look at it and know without testing).  Thanks again!

object network inside
 subnet 192.168.1.0 255.255.255.0
!
object network houston-network
 subnet 192.168.7.0 255.255.255.0
!
access-list syracuse-houston-acl extended permit ip object inside object houston-network
!
nat (inside,primaryisp) source static inside inside destination static houston-network houston-network
!
crypto ipsec ikev1 transform-set DUMAC3 esp-3des esp-md5-hmac
!
crypto map primaryisp_map 1 match address syracuse-houston-acl
crypto map primaryisp_map 1 set peer 99.119.80.165
crypto map primaryisp_map 1 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
!
crypto ikev1 enable primaryisp
!
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 36000
!
tunnel-group 99.119.80.165 type ipsec-l2l
tunnel-group 99.119.80.165 ipsec-attributes
 ikev1 pre-shared-key *****

VIP Purple

Re: Cisco 800 VPN config to new ASA5505

This partial config looks good for the S2S-VPN. Nowadays you perhaps should use better crypto (SHA, AES, DH5), but it could work anyway.


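As an added example, not code from this thread or from Cisco: a small Python audit that reads an ASA config and checks the points made across the replies (each static crypto map entry has its match address, peer and transform-set; static entries use a lower sequence number than the dynamic entry; only one crypto map per interface) and flags the 3DES/MD5/DH2 settings the last reply calls outdated. The sample config is constructed from the "final" config posted above, and the WEAK replacement table is an assumption drawn from that reply.

```python
# Constructed sample: the "final" ASA config posted above, trimmed to the lines the
# checks below read (addresses as posted in the thread; the PSK line is left out).
SAMPLE_CONFIG = """
crypto ipsec ikev1 transform-set DUMAC3 esp-3des esp-md5-hmac
crypto map primaryisp_map 1 match address syracuse-houston-acl
crypto map primaryisp_map 1 set peer 99.119.80.165
crypto map primaryisp_map 1 set ikev1 transform-set DUMAC3
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 36000
"""

# Assumed table: algorithms the last reply calls outdated, mapped to the replacement it suggests.
WEAK = {"3des": "aes", "esp-3des": "esp-aes", "md5": "sha", "esp-md5-hmac": "esp-sha-hmac"}

def audit(config):
    """Return findings on crypto-map layout and IKEv1/IPsec algorithms of an ASA config."""
    findings = []
    static, dynamic, bound = {}, {}, {}  # (map, seq)->clauses; map->dynamic seqs; intf->maps
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["crypto", "map"]:
            name = t[2]
            if t[3] == "interface":
                bound.setdefault(t[4], []).append(name)
            elif "dynamic" in t:
                dynamic.setdefault(name, []).append(int(t[3]))
            else:  # static entry: record the clause, e.g. "match address" or "set peer"
                static.setdefault((name, int(t[3])), set()).add(" ".join(t[4:6]))
        elif t[:3] == ["crypto", "ipsec", "ikev1"] or t[:1] in (["encryption"], ["hash"]):
            for alg in t:
                if alg in WEAK:
                    findings.append(f"weak algorithm {alg} in '{line.strip()}': use {WEAK[alg]}")
        elif t[:1] == ["group"] and len(t) == 2 and t[1] in ("1", "2"):
            findings.append(f"weak DH group {t[1]}: use group 5 or stronger")
    for (name, seq), clauses in static.items():
        if not {"match address", "set peer"} <= clauses or not any(c.startswith("set ikev") for c in clauses):
            findings.append(f"crypto map {name} {seq}: needs match address, set peer and a transform-set")
        if any(seq >= d for d in dynamic.get(name, [])):
            findings.append(f"crypto map {name} {seq}: static entry must use a lower seq than the dynamic entry")
    for intf, names in bound.items():
        if len(names) > 1:
            findings.append(f"interface {intf}: {len(names)} crypto maps applied, only one is allowed")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the posted config reports no layout problems and five algorithm findings (the two transform-set algorithms, the policy's encryption and hash, and DH group 2).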