asa 5510

Discussion in 'Cisco' started by Andy.M.Pierson@gmail.com, Feb 21, 2008.

  1. Guest

    I have 2 ASA 5510s that are in 2 different sites. I need to know how
    to get a persistent connection between the 2 sites. I have used the
    VPN wizard without success.

    I'm by no means proficient with Cisco, so please be nice with any
    response about needing more info; I'll get what I can if you ask.
    , Feb 21, 2008
    #1

  2. Gary Guest

    <> wrote in message
    news:...
    >I have 2 asa 5510's that are in 2 different sites. I need to know how
    > to get a persistent connection between the 2 sites. I have used the
    > VPN wizard without success.
    >
    > I'm by no way proficient with cisco so please be nice with any
    > response about needing more info, I'll get what I can if you ask.
    >
    >


    Are you asking how to set up a VPN between two ASAs?

    If so let me know and I will send the config.

    G
    Gary, Feb 21, 2008
    #2

  3. Guest

    On Feb 20, 11:33 pm, "Gary" <> wrote:
    > <> wrote in message
    >
    > news:...
    >
    > >I have 2 asa 5510's that are in 2 different sites. I need to know how
    > > to get a persistent connection between the 2 sites. I have used the
    > > VPN wizard without success.

    >
    > > I'm by no way proficient with cisco so please be nice with any
    > > response about needing more info, I'll get what I can if you ask.

    >
    > Are you asking how to setup a VPN between two ASA's
    >
    > If so let me know and I will send the config.
    >
    > G


    That's exactly what I'm trying to do.

    Thanks

    AP
    , Feb 21, 2008
    #3
  4. Gary Guest

    <> wrote in message
    news:...
    > On Feb 20, 11:33 pm, "Gary" <> wrote:
    >> <> wrote in message
    >>
    >> news:...
    >>
    >> >I have 2 asa 5510's that are in 2 different sites. I need to know how
    >> > to get a persistent connection between the 2 sites. I have used the
    >> > VPN wizard without success.

    >>
    >> > I'm by no way proficient with cisco so please be nice with any
    >> > response about needing more info, I'll get what I can if you ask.

    >>
    >> Are you asking how to setup a VPN between two ASA's
    >>
    >> If so let me know and I will send the config.
    >>
    >> G

    >
    > Thats exactly what I'm trying to do.
    >
    > Thanks
    >
    > AP
    >


    Assuming you have the right encryption (DES and/or 3DES etc.) this should
    work for you.

    Assuming ASA 1 uses external ip of 1.1.1.1 and internal of 11.11.11.11/24
    Assuming ASA 2 uses external ip of 2.2.2.2 and internal of 22.22.22.22/24
    Assuming pre shared key 3DES and MD5

    Setup a set of addresses which should not be NAT'd and hence traverse the
    VPN
    ASA 1
    access-list donotnat extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
    ASA 2
    access-list donotnat extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0

    Set up VPN access lists
    ASA 1
    access-list vpn1 extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0
    ASA 2
    access-list vpn1 extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0

    Tell the ASA's what to nat and not nat
    ASA 1 and 2
    nat (inside) 0 access-list donotnat
    nat (inside) 1 0.0.0.0 0.0.0.0

    Set up your isakmp policies - 2 listed but yours may need to be different
    ASA 1 and ASA 2
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 1000
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 1
    isakmp policy 20 lifetime 1000

    Add tunnel groups
    ASA 1
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
    pre-shared-key <whatever>
    ASA 2
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 ipsec-attributes
    pre-shared-key <whatever>

    Add transform sets
    ASA 1 and ASA 2
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto ipsec transform-set aes-md5 esp-aes-256 esp-md5-hmac

    Add crypto maps for other end
    ASA 1
    crypto map newmap 10 match address vpn1
    crypto map newmap 10 set peer 2.2.2.2
    crypto map newmap 10 set transform-set strong

    ASA 2
    crypto map newmap 10 match address vpn1
    crypto map newmap 10 set peer 1.1.1.1
    crypto map newmap 10 set transform-set strong

    That should about do it

    Also remember debug crypto isakmp etc. Very useful to see what is happening.

    regards
    Gary
    Gary, Feb 21, 2008
    #4
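
A consistency check for a pair of site-to-site configs like the one posted above, as an added example that is not part of the original thread. The helper names (`grab`, `crypto_acl`, `lint`) and the sample configs are constructed for illustration; flagging DES, MD5 and DH group 1 as weak is this example's own policy.

```python
import re
# Constructed sample configs: the thread's addressing and crypto choices, one per ASA.
TEMPLATE = """\
access-list vpn1 extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
tunnel-group {peer} type ipsec-l2l
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map newmap 10 match address vpn1
crypto map newmap 10 set peer {peer}
crypto map newmap 10 set transform-set strong
"""
ASA1 = TEMPLATE.format(local="11.11.11.0", remote="22.22.22.0", peer="2.2.2.2")
ASA2 = TEMPLATE.format(local="22.22.22.0", remote="11.11.11.0", peer="1.1.1.1")

def grab(cfg, pattern):
    """All matches of a line-anchored pattern in one config."""
    return re.findall(pattern, cfg, re.M)

def crypto_acl(cfg):
    """(source, destination) pairs of the ACL that the crypto map matches on."""
    names = grab(cfg, r"^crypto map \S+ \d+ match address (\S+)")
    if not names:
        return set()
    rule = rf"^access-list {re.escape(names[0])} extended permit ip (\S+ \S+) (\S+ \S+)"
    return set(grab(cfg, rule))

def lint(cfg_a, cfg_b):
    """Findings for a pair of site-to-site configs; an empty list means none."""
    out = []
    acl_a, acl_b = crypto_acl(cfg_a), crypto_acl(cfg_b)
    if not acl_a or acl_a != {(dst, src) for src, dst in acl_b}:
        out.append("crypto ACLs are not mirror images")
    for side, cfg in (("A", cfg_a), ("B", cfg_b)):
        peers = grab(cfg, r"^crypto map \S+ \d+ set peer (\S+)")
        if set(peers) - set(grab(cfg, r"^tunnel-group (\S+) type ipsec-l2l")):
            out.append(f"{side}: peer without an ipsec-l2l tunnel-group")
        for name in grab(cfg, r"^crypto map \S+ \d+ set transform-set (\S+)"):
            algs = grab(cfg, rf"^crypto ipsec transform-set {re.escape(name)} (.+)$")
            if not algs:
                out.append(f"{side}: transform-set {name} is not defined")
            elif {"esp-des", "esp-md5-hmac"} & set(algs[0].split()):
                out.append(f"{side}: transform-set {name} uses DES or MD5")
        if grab(cfg, r"^(?:crypto )?isakmp policy \d+ (?:hash md5|group 1)$"):
            out.append(f"{side}: IKE policy uses MD5 or DH group 1")
        if not grab(cfg, r"^crypto map \S+ interface \S+"):
            out.append(f"{side}: crypto map is not applied to an interface")
    return out
```

Run `lint(ASA1, ASA2)` on the text of the two running configs; the sample pair passes the mirror and peer checks but is flagged on each side for MD5, DH group 1 and the crypto map not being bound to an interface.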
