Basic ASA Lan2Lan VPN Example

by jimmy on 27 February, 2012 · 5 comments

Or – ASA Lan2Lan-VPN for dummies.


I often get questions about Lan2Lan tunnels on the ASA. This post serves as a cheat-sheet for the same basic site-to-site configuration on the different PIX/ASA software versions.

Pix v6.x

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

isakmp key cisco123 address 5.6.7.8 netmask 255.255.255.255

access-list 100 permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
crypto ipsec transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address 100
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

access-list nonat_inside permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

sysopt connection permit-ipsec
Pix/ASA v7.0 – 8.2

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
pre-shared-key cisco123

access-list VPN permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0

crypto ipsec transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

access-list nonat_inside permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

ASA v8.3+

crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
ikev1 pre-shared-key cisco123

access-list VPN permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0

crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set ikev1 transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

object network MY-LAN
subnet 10.0.X.0 255.255.255.0
object network HIS-LAN
subnet 10.0.Y.0 255.255.255.0
nat (inside,outside) source static MY-LAN MY-LAN destination static HIS-LAN HIS-LAN
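
As an added example (not part of the original post), a small Python audit that walks any of the three configs above and reports the weak IKEv1/IPsec choices they contain (DES, MD5, DH group 1) together with any crypto-ACL entry that has no matching NAT exemption, whether the pre-8.3 nat 0 list or the 8.3+ identity twice-NAT. The SAMPLE config is constructed from the 8.3+ block with X=1 and Y=2, and HIS-LAN deliberately mistyped; ACL entries are assumed to be in the "permit ip net mask net mask" form the post uses.

```python
"""Audit a PIX/ASA Lan2Lan config for weak IKEv1/IPsec settings and crypto-ACL entries without a NAT exemption."""

WEAK = {"des", "3des", "md5", "sha", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}  # DES/3DES, MD5, SHA-1
WEAK_DH = {"1", "2", "5"}  # Diffie-Hellman groups below 2048 bits

# Constructed sample: the ASA 8.3+ block from the post with X=1 and Y=2, except that
# HIS-LAN is deliberately mistyped as 10.0.3.0 so the NAT-exemption check has something to catch.
SAMPLE = """
crypto ikev1 policy 1
 encryption des
 hash md5
 group 1
access-list VPN permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 10 match address VPN
object network MY-LAN
 subnet 10.0.1.0 255.255.255.0
object network HIS-LAN
 subnet 10.0.3.0 255.255.255.0
nat (inside,outside) source static MY-LAN MY-LAN destination static HIS-LAN HIS-LAN
"""

def audit(config):
    """Return a list of findings; ACL entries are assumed in 'permit ip net mask net mask' form."""
    findings, acls, objs, nat_pairs, crypto_acl, nonat_acl, cur = [], {}, {}, [], None, None, None
    for t in (line.split() for line in config.splitlines() if line.split()):
        for kw in ("encryption", "hash", "group"):  # ' hash md5' (8.3+) or 'isakmp policy 1 hash md5'
            if kw in t and t[0] in (kw, "isakmp") and t[-1] != kw and t[t.index(kw) + 1] in WEAK | WEAK_DH:
                findings.append(f"weak IKE {kw} {t[t.index(kw) + 1]}")
        if t[0] == "crypto" and "transform-set" in t:  # transforms follow the set name
            findings += [f"weak IPsec transform {x}" for x in t[t.index("transform-set") + 2:] if x in WEAK]
        if t[0] == "access-list" and "permit" in t:  # keep (src, mask, dst, mask)
            i = t.index("permit")
            acls.setdefault(t[1], []).append(tuple(t[i + 2:i + 6]))
        if t[0] == "object":  # 8.3+ network objects referenced by twice-NAT
            cur = t[2]
        elif t[0] in ("subnet", "host"):
            objs[cur] = (t[1], t[2] if t[0] == "subnet" else "255.255.255.255")
        if t[0] == "crypto" and "match" in t:  # crypto map ... match address <acl>
            crypto_acl = t[-1]
        if t[0] == "nat" and len(t) > 4 and t[2] == "0" and "access-list" in t:  # pre-8.3 'nat 0' exemption
            nonat_acl = t[-1]
        if t[0] == "nat" and len(t) >= 10 and t[2:4] == ["source", "static"] and t[4] == t[5] and t[8] == t[9]:
            nat_pairs.append(objs[t[4]] + objs[t[8]])  # 8.3+ identity twice-NAT
    exempt = acls.get(nonat_acl, []) + nat_pairs
    for entry in acls.get(crypto_acl, []):
        if entry not in exempt:
            findings.append(f"crypto ACL entry {' '.join(entry)} has no NAT exemption")
    return findings
```

audit(SAMPLE) returns six findings: three for the IKE policy, two for the transform set, and one for the ACL entry whose destination does not match the HIS-LAN object.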
  • Will

    This is an excellent article. As someone who is slowly migrating from ASA 7.x configs to an ASA running 8.4 I found it very useful.

    Any chance of covering a L2L VPN that has to use NAT on one side?

    My example: I have a L2L VPN with a vendor and they need to connect to 1.2.3.4, but they already have a 1.2.3.4 local to their site, so I need to NAT my 1.2.3.4 to 5.6.7.8. I’m getting a bit muddled with the whole NAT, but I need the real IP in the access list while the VPN traffic has to go to 5.6.7.8, etc.

    Thanks, love the blog, it’s helped me out a few times.

    • Glitchen

      object network xlate_obj-100.64.9.1_32
        host 100.64.9.1
      object network xlate_obj-172.31.1.10_32
        host 172.31.1.10
      object network xlate_obj-100.64.9.10_32
        host 100.64.9.10

      object-group network RICHWOOD_ACCESS_SUBNETS
       network-object 172.31.0.0 255.255.252.0

      object-group network SCHMIDT_REMOTE_NETWORK
       network-object 100.64.8.0 255.255.255.0

      access-list VPN_to_SCHMIDT remark VPN Match list for Traffic between Richwood and Schmidt
      access-list VPN_to_SCHMIDT extended permit ip host 100.64.9.1 100.64.8.0 255.255.255.0

      nat (Inside,Outside) 1 source dynamic RICHWOOD_ACCESS_SUBNETS pat-pool xlate_obj-100.64.9.1_32 destination static SCHMIDT_REMOTE_NETWORK SCHMIDT_REMOTE_NETWORK
      nat (Inside,Outside) 2 source static xlate_obj-172.31.1.10_32 xlate_obj-100.64.9.10_32 destination static SCHMIDT_REMOTE_NETWORK SCHMIDT_REMOTE_NETWORK

      crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
      crypto map internet_map 10 match address VPN_to_SCHMIDT
      crypto map internet_map 10 set peer 216.68.4.10
      crypto map internet_map 10 set ikev1 transform-set ESP-AES256-SHA
      crypto map internet_map 10 set security-association lifetime seconds 28800

  • James

    Hello,

    Please help me convert these PIX 6.3 commands to ASA 8.4.

    global (outside) 1 212.93.216.179
    nat (DMZ) 0 access-list nonat
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,DMZ) 10.16.124.0 10.16.124.0 netmask 255.255.xx.0 0 0
    static (inside,DMZ) 10.31.144.0 10.31.144.0 netmask 255.255.xx.0 0 0

    Thank you,
    James

    • Jimmy Larsson (http://blogg.kvistofta.nu/)

      James!

      object network any_inside
       subnet 0.0.0.0 0.0.0.0
       nat (inside,outside) dynamic 212.93.216.179

      object network any_dmz
       subnet 0.0.0.0 0.0.0.0
       nat (dmz,outside) dynamic 212.93.216.179

      Note that v8.4 by default does NOT address translate.

  • Gustav

    Hey, Jimmy!
    I would like to bother you for a moment with a question…

    I need to connect a remote LAN (site B) located behind a Cisco ASA 5505 to a central network (site A) behind a Cisco ASA 5510 using a L2L VPN with IPsec. I’ve done this a lot of times, but this time I also need to tunnel site B’s Internet traffic through site A’s ASA. Will it be as simple as modifying the crypto ACLs like below?

    Site A
    access-list outside_map permit ip any b.b.b.b 255.255.255.0

    Site B
    access-list outside_map permit ip b.b.b.b 255.255.255.0 any

    I suppose I also need to add “same-security-traffic permit intra-interface” on the outside interface facing the Internet on site A’s ASA (and perhaps a NAT rule at both ends?). Am I on to something here, or is there a completely different best practice? Thank you so much!
