asa 5510

 
 
Andy.M.Pierson@gmail.com
 
      02-21-2008
I have 2 asa 5510's that are in 2 different sites. I need to know how
to get a persistent connection between the 2 sites. I have used the
VPN wizard without success.

I'm by no way proficient with cisco so please be nice with any
response about needing more info, I'll get what I can if you ask.

 
 
 
 
 
Gary
 
      02-21-2008
<> wrote in message
news:e7119f99-e012-4c11-8999-...
>I have 2 asa 5510's that are in 2 different sites. I need to know how
> to get a persistent connection between the 2 sites. I have used the
> VPN wizard without success.
>
> I'm by no way proficient with cisco so please be nice with any
> response about needing more info, I'll get what I can if you ask.
>
>


Are you asking how to set up a VPN between two ASAs?

If so let me know and I will send the config.

G


 
 
 
 
 
Andy.M.Pierson@gmail.com
 
      02-21-2008
On Feb 20, 11:33 pm, "Gary" <gsh...@netlink.info> wrote:
> <Andy.M.Pier...@gmail.com> wrote in message
>
> news:e7119f99-e012-4c11-8999-...
>
> >I have 2 asa 5510's that are in 2 different sites. I need to know how
> > to get a persistent connection between the 2 sites. I have used the
> > VPN wizard without success.

>
> > I'm by no way proficient with cisco so please be nice with any
> > response about needing more info, I'll get what I can if you ask.

>
> Are you asking how to setup a VPN between two ASA's
>
> If so let me know and I will send the config.
>
> G


That's exactly what I'm trying to do.

Thanks

AP
 
 
Gary
 
      02-21-2008

<> wrote in message
news:833011bb-89c4-4194-9aa4-...
> On Feb 20, 11:33 pm, "Gary" <gsh...@netlink.info> wrote:
>> <Andy.M.Pier...@gmail.com> wrote in message
>>
>> news:e7119f99-e012-4c11-8999-...
>>
>> >I have 2 asa 5510's that are in 2 different sites. I need to know how
>> > to get a persistent connection between the 2 sites. I have used the
>> > VPN wizard without success.

>>
>> > I'm by no way proficient with cisco so please be nice with any
>> > response about needing more info, I'll get what I can if you ask.

>>
>> Are you asking how to setup a VPN between two ASA's
>>
>> If so let me know and I will send the config.
>>
>> G

>
> Thats exactly what I'm trying to do.
>
> Thanks
>
> AP
>


Assuming you have the right encryption (DES and/or 3DES etc) this should
work for you.

Assuming ASA 1 uses external ip of 1.1.1.1 and internal of 11.11.11.11/24
Assuming ASA 2 uses external ip of 2.2.2.2 and internal of 22.22.22.22/24
Assuming pre shared key 3DES and MD5

Setup a set of addresses which should not be NAT'd and hence traverse the
VPN
ASA 1
access-list donotnat extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
ASA 2
access-list donotnat extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0

Set up VPN access lists
ASA 1
access-list vpn1 extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
ASA 2
access-list vpn1 extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0

Tell the ASA's what to nat and not nat
ASA 1 and 2
nat (inside) 0 access-list donotnat
nat (inside) 1 0.0.0.0 0.0.0.0

Set up your isakmp policies - 2 listed but yours may need to be different
ASA 1 and ASA 2
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 1000

Add tunnel groups
ASA 1
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key <whatever>
ASA 2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key <whatever>

Add transform sets
ASA 1 and ASA 2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set aes-md5 esp-aes-256 esp-md5-hmac

Add crypto maps for other end
ASA 1
crypto map newmap 10 match address vpn1
crypto map newmap 10 set peer 2.2.2.2
crypto map newmap 10 set transform-set strong

ASA 2
crypto map newmap 10 match address vpn1
crypto map newmap 10 set peer 1.1.1.1
crypto map newmap 10 set transform-set strong

That should about do it

Also remember debug crypto isakmp etc. Very useful to see what is happening.

regards
Gary
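
A check for the configuration in the post above, added here as an example and not part of the original thread: it parses both ends' site-to-site lines and reports a crypto ACL that is not mirrored, a crypto map that is never applied to an interface (`crypto map <name> interface <ifname>`), and single DES, MD5 or DH group 1 in the selected transform set or the ISAKMP policies. The function names and the embedded sample (policy 20 only) are assumptions made for the example.

```python
import re

WEAK = {"des", "md5", "group 1"}  # single DES, MD5, 768-bit DH
# Constructed sample: ASA 1 lines from the post (policy 20 only); ASA 2 swaps peer and networks.
ASA1 = """\
access-list vpn1 extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map newmap 10 match address vpn1
crypto map newmap 10 set peer 2.2.2.2
crypto map newmap 10 set transform-set strong
"""
ASA2 = (ASA1.replace("2.2.2.2", "1.1.1.1")
        .replace("11.11.11.0 255.255.255.0 22.22.22.0", "22.22.22.0 255.255.255.0 11.11.11.0"))

def parse(cfg):
    """Collect the site-to-site facts from one ASA config."""
    f = {"acls": {}, "ts": {}, "ike": set(), "bound": False}
    for ln in cfg.splitlines():
        if m := re.match(r"access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)$", ln):
            f["acls"].setdefault(m[1], set()).add((m[2], m[3]))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", ln):
            f["ts"][m[1]] = re.findall(r"esp-([a-z0-9]+)", m[2])
        elif m := re.match(r"(?:crypto )?isakmp policy \d+ (encryption|hash|group) (\S+)", ln):
            f["ike"].add("group " + m[2] if m[1] == "group" else m[2])
        elif m := re.match(r"crypto map \S+ \d+ (match address|set transform-set) (\S+)", ln):
            f[m[1]] = m[2]
        elif re.match(r"crypto map \S+ interface \S+", ln):
            f["bound"] = True  # crypto map <name> interface <ifname>
    return f

def audit(name, cfg, far_cfg):
    """Findings for one side, checked against the far end's config."""
    a, b = parse(cfg), parse(far_cfg)
    mine = a["acls"].get(a.get("match address"), set())
    theirs = b["acls"].get(b.get("match address"), set())
    out = []
    if not mine or {(dst, src) for src, dst in mine} != theirs:
        out.append(f"{name}: crypto ACL is not the mirror of the far end's")
    if not a["bound"]:
        out.append(f"{name}: crypto map is not applied to an interface")
    used = set(a["ts"].get(a.get("set transform-set"), [])) | a["ike"]
    out += [f"{name}: weak parameter: {w}" for w in sorted(used & WEAK)]
    return out

if __name__ == "__main__":
    print("\n".join(audit("ASA 1", ASA1, ASA2) + audit("ASA 2", ASA2, ASA1)))
```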


 