Thursday, August 23, 2012

Configuring ASA, SITE TO SITE VPN, Example

Configuring ASA, SITE TO SITE VPN, Example




Head office  ASA Configuration
Interface
E0/0
E0/1

IP Address
100.100.100.1
192.168.1.1

Net mask
255.255.255.0
255.255.255.0

Branch Office ASA Configuration
Interface
E0/0
E0/1

IP Address
100.100.100.2
192.168.2.1

Net mask
255.255.255.0
255.255.255.0

R3 ROUTER
Interface
E1/0


IP Address
192.168.1.10


Net mask
255.255.255.0


R4 ROUTER

Interface
E1/0


IP Address
192.168.2.10


Net mask
255.255.255.0
















Head office  ASA Configuration

HO# show run
: Saved
:
ASA Version 8.0(2)
!
hostname HO
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0
no shut

!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
no shut

!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list lan1-to-lan2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set asa1ts esp-aes-192 esp-sha-hmac
crypto map asa1vpn 10 match address lan1-to-lan2
crypto map asa1vpn 10 set peer 100.100.100.2
crypto map asa1vpn 10 set transform-set asa1ts
crypto map asa1vpn 10 set security-association lifetime seconds 36000
crypto map asa1vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key  123456
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
HO#

Branch Office ASA Configuration

BO# show run
: Saved
:
ASA Version 8.0(2)
!
hostname BO
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.0
no shut

!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
no shut
 !
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list lan2-to-lan1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat
route outside 0.0.0.0 0.0.0.0 100.100.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set asa2ts esp-aes-192 esp-sha-hmac
crypto map asa2vpn 10 match address lan2-to-lan1
crypto map asa2vpn 10 set peer 100.100.100.1
crypto map asa2vpn 10 set transform-set asa2ts
crypto map asa2vpn 10 set security-association lifetime seconds 36000
crypto map asa2vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
!
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
 pre-shared-key  123456
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
BO#

R3 ROUTER CONFIGURATION
interface Ethernet1/0
 ip address 192.168.1.10 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 192.168.1.1

R4 ROUTER CONFIGURATION
interface Ethernet1/0
 ip address 192.168.2.10 255.255.255.0
no shut
 ip route 0.0.0.0 0.0.0.0 192.168.2.1
 

Now ping from R3 ROUTER to R4 ROUTER
R3#ping 192.168.2.10
Now ping from R4 ROUTER to R3 ROUTER
R4#ping 192.168.1.10

Verifying
HO# show crypto isakmp sa

BO# show crypto isakmp sa
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)