asa 5510

I have 2 ASA 5510s that are in 2 different sites. I need to know how to get a persistent connection between the 2 sites. I have used the VPN wizard without success.

I'm in no way proficient with Cisco, so please be nice with any response about needing more info; I'll get what I can if you ask.

Andy.M.Pierson

Are you asking how to set up a VPN between two ASAs?

If so let me know and I will send the config.

G
Gary

That's exactly what I'm trying to do.

Thanks

AP

Andy.M.Pierson

Assuming you have the right encryption (DES and/or 3DES etc.) this should work for you.

Assuming ASA 1 uses an external IP of 1.1.1.1 and an internal of 11.11.11.11/24.
Assuming ASA 2 uses an external IP of 2.2.2.2 and an internal of 22.22.22.22/24.
Assuming pre-shared key, 3DES and MD5.

Set up a set of addresses which should not be NAT'd and hence traverse the VPN:

ASA 1
  access-list donotnat extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

ASA 2
  access-list donotnat extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0

Set up VPN access lists:

ASA 1
  access-list vpn1 extended permit ip 11.11.11.0 255.255.255.0 22.22.22.0 255.255.255.0

ASA 2
  access-list vpn1 extended permit ip 22.22.22.0 255.255.255.0 11.11.11.0 255.255.255.0

Tell the ASAs what to NAT and not NAT:

ASA 1 and ASA 2
  nat (inside) 0 access-list donotnat
  nat (inside) 1 0.0.0.0 0.0.0.0
  ! nat id 1 needs a matching global on the outside interface; this line is
  ! not in the original post, but without it non-VPN traffic has nothing to PAT to
  global (outside) 1 interface

Set up your ISAKMP policies - 2 listed but yours may need to be different:

ASA 1 and ASA 2
  ! IKE has to be enabled on the interface the peer reaches (not in the original post)
  isakmp enable outside
  ! MD5, DES and DH group 1 are legacy choices; use them only if the peer insists
  isakmp policy 10 authentication pre-share
  isakmp policy 10 encryption aes-256
  isakmp policy 10 hash md5
  isakmp policy 10 group 1
  isakmp policy 10 lifetime 1000
  isakmp policy 20 authentication pre-share
  isakmp policy 20 encryption 3des
  isakmp policy 20 hash md5
  isakmp policy 20 group 1
  isakmp policy 20 lifetime 1000

Add tunnel groups:

ASA 1
  tunnel-group 2.2.2.2 type ipsec-l2l
  tunnel-group 2.2.2.2 ipsec-attributes
   ! the key must be identical at both ends
   pre-shared-key <key>

ASA 2
  tunnel-group 1.1.1.1 type ipsec-l2l
  tunnel-group 1.1.1.1 ipsec-attributes
   pre-shared-key <key>

Add transform sets:

ASA 1 and ASA 2
  crypto ipsec transform-set myset esp-des esp-md5-hmac
  crypto ipsec transform-set strong esp-3des esp-md5-hmac
  crypto ipsec transform-set aes-md5 esp-aes-256 esp-md5-hmac

Add crypto maps for the other end:

ASA 1
  crypto map newmap 10 match address vpn1
  crypto map newmap 10 set peer 2.2.2.2
  crypto map newmap 10 set transform-set strong
  ! the map does nothing until it is applied to the interface (not in the original post)
  crypto map newmap interface outside

ASA 2
  crypto map newmap 10 match address vpn1
  crypto map newmap 10 set peer 1.1.1.1
  crypto map newmap 10 set transform-set strong
  crypto map newmap interface outside

That should about do it

Also remember debug crypto isakmp etc. Very useful to see what is happening.

regards Gary

Gary
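The config above only works when the two ends are exact mirror images: crypto ACLs reversed, each ASA's peer set to the other's outside address, identical pre-shared key and transform set, and the crypto map actually bound to the outside interface. The Python below is an added example, not part of Gary's post or anything Cisco ships: it renders the thread's pre-8.3 style config for one end from a site description and then lints a pair of configs for those asymmetries, which are the usual reason phase 1 or phase 2 never completes. The addresses and names are the thread's placeholders, the pre-shared key is a dummy, and the parsing is a simple regex over the handful of lines that matter, not a full ASA config parser.

```python
"""Generate mirror-image ASA site-to-site configs and lint a pair for asymmetries.

Added example (not from the original post). Site addresses and object names
are the thread's placeholders; the key is a dummy; the checks encode what the
two ends must agree on, they are not an ASA feature.
"""
import re
from dataclasses import dataclass


@dataclass
class Site:
    outside_ip: str   # address the other ASA peers with
    inside_net: str   # "network mask" of the LAN behind this ASA


def build_config(local: Site, remote: Site, psk: str) -> str:
    """Render one end of the thread's config (3DES/MD5 policy, pre-8.3 NAT syntax)."""
    return "\n".join([
        f"access-list donotnat extended permit ip {local.inside_net} {remote.inside_net}",
        f"access-list vpn1 extended permit ip {local.inside_net} {remote.inside_net}",
        "nat (inside) 0 access-list donotnat",
        "nat (inside) 1 0.0.0.0 0.0.0.0",
        "global (outside) 1 interface",
        "isakmp enable outside",
        "isakmp policy 20 authentication pre-share",
        "isakmp policy 20 encryption 3des",
        "isakmp policy 20 hash md5",          # legacy hash, kept to match the thread
        "isakmp policy 20 group 1",           # legacy DH group, kept to match the thread
        "isakmp policy 20 lifetime 1000",
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
        "crypto ipsec transform-set strong esp-3des esp-md5-hmac",
        "crypto map newmap 10 match address vpn1",
        f"crypto map newmap 10 set peer {remote.outside_ip}",
        "crypto map newmap 10 set transform-set strong",
        "crypto map newmap interface outside",
    ])


def parse(cfg: str) -> dict:
    """Extract the fields that have to line up between the two ends."""
    acl = re.search(r"^access-list vpn1 extended permit ip (\S+ \S+) (\S+ \S+)$", cfg, re.M)
    peer = re.search(r"^crypto map (\S+) \d+ set peer (\S+)$", cfg, re.M)
    psk = re.search(r"^\s*pre-shared-key (\S+)$", cfg, re.M)
    ts_used = re.search(r"^crypto map \S+ \d+ set transform-set (\S+)$", cfg, re.M)
    ts_defs = dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M))
    map_name = peer.group(1) if peer else None
    return {
        "local_net": acl.group(1) if acl else None,
        "remote_net": acl.group(2) if acl else None,
        "peer": peer.group(2) if peer else None,
        "psk": psk.group(1) if psk else None,
        # resolve the transform-set name to its ciphers so both ends are compared by content
        "transform": ts_defs.get(ts_used.group(1)) if ts_used else None,
        "map_bound": bool(map_name) and f"crypto map {map_name} interface outside" in cfg,
        "isakmp_on": bool(re.search(r"^(crypto )?isakmp enable outside$", cfg, re.M)),
    }


def check_pair(cfg_a: str, ip_a: str, cfg_b: str, ip_b: str) -> list:
    """Return the asymmetries found; an empty list means the ends mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["peer"] != ip_b or b["peer"] != ip_a:
        problems.append(f"peers do not cross: A->{a['peer']} B->{b['peer']}")
    if (a["local_net"], a["remote_net"]) != (b["remote_net"], b["local_net"]):
        problems.append("crypto ACLs are not mirror images")
    if a["psk"] is None or a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ or are missing")
    if a["transform"] is None or a["transform"] != b["transform"]:
        problems.append(f"transform sets do not match: {a['transform']} vs {b['transform']}")
    for label, side in (("A", a), ("B", b)):
        if not side["map_bound"]:
            problems.append(f"{label}: crypto map not applied to the outside interface")
        if not side["isakmp_on"]:
            problems.append(f"{label}: isakmp not enabled on outside")
    return problems


SITE1 = Site("1.1.1.1", "11.11.11.0 255.255.255.0")   # thread's ASA 1 (constructed)
SITE2 = Site("2.2.2.2", "22.22.22.0 255.255.255.0")   # thread's ASA 2 (constructed)
PSK = "replace-me-with-a-long-random-secret"            # dummy key


def demo():
    """Lint a correct pair, then a pair where ASA 2's peer was copied from ASA 1."""
    cfg1 = build_config(SITE1, SITE2, PSK)
    cfg2 = build_config(SITE2, SITE1, PSK)
    good = check_pair(cfg1, SITE1.outside_ip, cfg2, SITE2.outside_ip)
    bad_cfg2 = cfg2.replace("set peer 1.1.1.1", "set peer 2.2.2.2")
    bad = check_pair(cfg1, SITE1.outside_ip, bad_cfg2, SITE2.outside_ip)
    return good, bad


if __name__ == "__main__":
    ok, broken = demo()
    print("mirror pair:", ok or "no problems")
    print("ASA 2 pointed at its own address:", broken)
```

Run it and the first pair passes while the second reports that the peers do not cross. To lint real configs, paste `show running-config` from each box into `check_pair` in place of the generated text; the regexes only look at the `vpn1` ACL, the `set peer`, the key, the transform set and the two enable/bind lines, so anything else in the config is ignored.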

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.