Basic ASA Lan2Lan VPN Example

Or – ASA Lan2Lan-VPN for dummies.

 

I often get questions related to Lan2Lan-tunnels in ASA. This post serves as a cheat-sheet for different software versions.


Pix v6.x

 

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

isakmp key cisco123 address 5.6.7.8 netmask 255.255.255.255

access-list 100 permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
crypto ipsec transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE match address 100
crypto map CMAP_OUTSIDE set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

access-list nonat_inside permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

sysopt connection permit-ipsec

 

Pix/ASA v7.0 – 8.2

isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
pre-shared-key cisco123

access-list VPN permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0

crypto ipsec transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

access-list nonat_inside permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
nat (inside) 0 access-list nonat_inside

ASA v8.3+

crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
ikev1 pre-shared-key cisco123

access-list VPN permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0

crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set ikev1 transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

object network MY-LAN
subnet 10.0.X.0 255.255.255.0
object network HIS-LAN
subnet 10.0.Y.0 255.255.255.0
nat (inside,outside) source static MY-LAN MY-LAN destination static HIS-LAN HIS-LAN
Tagged with: , ,
Posted in Cisco Security
One comment on “Basic ASA Lan2Lan VPN Example
  1. olgerd says:

    6.X wrong:
    crypto map CMAP_OUTSIDE 10 ipsec-isakmp
    crypto map CMAP_OUTSIDE match address 100
    crypto map CMAP_OUTSIDE set peer 5.6.7.8
    crypto map CMAP_OUTSIDE interface outside

    Correct:
    crypto map CMAP_OUTSIDE 10 ipsec-isakmp
    crypto map CMAP_OUTSIDE 10 match address 100
    crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
    crypto map CMAP_OUTSIDE 10 set transform-set MYTSET
    crypto map CMAP_OUTSIDE interface outside

Leave a Reply

Your email address will not be published.

*

Signuppp

[mc4wp_form id="2457"]
Website Security Test