Cisco ASA Firewall Site to Site IPSEC VPN configuration

by Ras 23. January 2012 16:16

Here is a basic site-to-site IPsec VPN template for a Cisco ASA firewall, written in the pre-8.3 ASA syntax:

Assume the local subnet is 192.168.10.0/24, the remote subnet is 192.168.12.0/24 and the remote peer's public IP is 110.11.11.11. The remote side needs the mirror image of this configuration (subnets swapped in the ACL, peer set to this firewall's public IP) and the same pre-shared key.

## Phase one: ISAKMP (IKEv1) policy

The policy below authenticates with a pre-shared key and negotiates AES-128 with SHA-1 for the IKE SA; `lifetime 28800` is the phase 1 SA lifetime in seconds. `group 1` selects 768-bit Diffie-Hellman, which is too weak for new deployments: use the highest group both peers support (group 14 or above), since newer ASA releases have deprecated the weakest groups. On ASA 8.4 and later the commands are `crypto ikev1 enable outside` and `crypto ikev1 policy 10` instead of `crypto isakmp ...`.

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800

## ACL for interesting traffic

Only traffic matching this ACL is encrypted and sent through the tunnel; everything else from the inside subnet is routed normally.

access-list REMOTE_SITE extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0

## Phase two: IPsec transform set

The transform set names the ESP encryption and integrity algorithms (here AES-128 and SHA-1 HMAC) that both peers must agree on for the IPsec SA.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

## Crypto map: tie the ACL, peer, transform set and PFS together and apply it to the outside interface

`set pfs group1` has the same weakness as `group 1` in phase one; use group 14 or higher where the release supports it. Sequence number 20 leaves room for further peers in the same map.

crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 110.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

## Exempt VPN traffic from NAT

Without this exemption the inside addresses would be translated before encryption and would no longer match the crypto ACL on either end. The `nat 0 access-list` form is ASA 8.2 and earlier; 8.3 and later use an identity twice-NAT rule (`nat (inside,outside) source static ... destination static ...`) instead.

nat (inside) 0 access-list REMOTE_SITE

## Tunnel group: declare the peer as a LAN-to-LAN tunnel and set the pre-shared key

For a static site-to-site tunnel the tunnel group is named after the peer's IP address. The key must match the one configured on the peer; use a long random string, not a word. On ASA 8.4 and later the attribute is `ikev1 pre-shared-key`.

tunnel-group 110.11.11.11 type ipsec-l2l
tunnel-group 110.11.11.11 ipsec-attributes
pre-shared-key ***
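The same tunnel written for an ASA running 8.4(1) or later, using IKEv2 with stronger algorithms (AES-256, SHA-256 and DH group 14 for both the IKE SA and PFS) and the post-8.3 object-based NAT exemption. This is an added example, not the author's template: it keeps the page's subnets, peer address and names (REMOTE_SITE, OUTSIDE_MAP), while the object names LOCAL_LAN and REMOTE_LAN and the proposal name AES256-SHA256 are introduced here, and it assumes a release on which group 14 is offered by `set pfs ?`. The pre-shared key stays a placeholder; the remote side needs the mirrored ACL and the same key.

```cisco
! Added example, not the original post's configuration (ASA 8.4+/9.x syntax).
! Phase 1: IKEv2 policy. group 14 = 2048-bit MODP, SHA-256 for PRF and integrity.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! Interesting traffic, unchanged from the template (the peer needs the mirror image)
access-list REMOTE_SITE extended permit ip 192.168.10.0 255.255.255.0 192.168.12.0 255.255.255.0

! Phase 2: an IKEv2 IPsec proposal replaces the IKEv1 transform-set
! (proposal name AES256-SHA256 is assumed)
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Crypto map: PFS with group 14 instead of group 1
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group14
crypto map OUTSIDE_MAP 20 set peer 110.11.11.11
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

! NAT exemption, 8.3+ identity twice-NAT (object names LOCAL_LAN/REMOTE_LAN are assumed)
object network LOCAL_LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.12.0 255.255.255.0
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Tunnel group: IKEv2 authenticates each direction separately; both keys must match the peer
tunnel-group 110.11.11.11 type ipsec-l2l
tunnel-group 110.11.11.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ***
 ikev2 local-authentication pre-shared-key ***

! Verification after sending traffic from 192.168.10.0/24 to 192.168.12.0/24
show crypto ikev2 sa
show crypto ipsec sa peer 110.11.11.11
```

The first `show` should list an IKEv2 SA in READY state for 110.11.11.11; the second should show matching encaps/decaps counters climbing. If only one direction's counter moves, the crypto ACL or NAT exemption on the other side does not mirror this one.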

Tags:

Cisco | Security


About the author

Ras is a network/security professional working in multiple areas, holding multiple certifications including CCNP, CCIP, CCSP, CCSA, CCSE, LPI, PM, IPv6, ...
