Thursday, September 23, 2010

ASA 8.2 and 8.3 Site to Site VPN Setup with Watchguard Branch Office VPN Part 1 of 2

This part covers the setup between two ASAs, one running 8.2 and one running 8.3. Part 2 adds a Watchguard Firebox to the ASA site-to-site VPN as a Branch Office VPN (BOVPN).
All ASA configuration is done from the CLI; the Watchguard is configured from the GUI, since the current version does not support doing this from the CLI.

The topology for Part 1 is ASA A <-> ASA B. One ASA sits on a DIA Metro Ethernet circuit with a static address; the second is on DSL with a static IP delivered over PPPoE.

Only the configuration related to the site-to-site VPN is shown; the rest was skipped. The two sides differ in how VPN traffic is exempted from NAT (8.3 uses network objects and a manual "nat ... source static" rule, 8.2 uses "nat (inside) 0 access-list") and in how each gets its outside address, but the crypto settings have to line up: the crypto ACLs are mirror images of each other, both sides use the same transform set (AES-256/SHA) with PFS group 5, the same ISAKMP policy (pre-shared key, 3DES, SHA, DH group 2) and the same pre-shared key. The ISAKMP lifetimes below differ (86400 on HQ, 28800 on the branch); that is allowed, the peers use the shorter value. Once both sides are configured, send traffic between the two hosts and check "show crypto isakmp sa" and "show crypto ipsec sa" on either ASA.

HQ Setup


: Saved
:
hostname ASA_HQ
ASA Version 8.3(2)
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 72.14.253.226 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
!
object network vpn-local
 host 10.1.1.15
object network vpn-remote
 host 192.168.1.240
!
access-list acl_vpn_asa2asa extended permit ip host 10.1.1.15 host 192.168.1.240
!
! 8.3-style NAT exemption: VPN traffic keeps its real addresses in both directions
nat (inside,any) source static vpn-local vpn-local destination static vpn-remote vpn-remote
!
crypto ipsec transform-set set_asa2asa esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map map_asa2asa 10 match address acl_vpn_asa2asa
crypto map map_asa2asa 10 set pfs group5
crypto map map_asa2asa 10 set peer 207.46.197.32
crypto map map_asa2asa 10 set transform-set set_asa2asa
crypto map map_asa2asa interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 207.46.197.32 type ipsec-l2l
tunnel-group 207.46.197.32 ipsec-attributes
 pre-shared-key THIS_MUST_BE_THE_SAME_ON_EACH_ASA
!
: end

Branch Setup


: Saved
:
hostname ASA_Branch
ASA Version 8.2(3)
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group BellSouth
 ip address pppoe setroute
!
access-list acl_vpn_asa2asa extended permit ip host 192.168.1.240 host 10.1.1.15
!
! 8.2-style NAT exemption: traffic matching the crypto ACL is not translated
nat (inside) 0 access-list acl_vpn_asa2asa
!
crypto ipsec transform-set set_asa2asa esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map map2firebox 10 match address acl_vpn_asa2asa
crypto map map2firebox 10 set pfs group5
crypto map map2firebox 10 set peer 72.14.253.226
crypto map map2firebox 10 set transform-set set_asa2asa
crypto map map2firebox interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
vpdn group BellSouth request dialout pppoe
vpdn group BellSouth localname dummy@matostech.com
vpdn group BellSouth ppp authentication pap
vpdn username dummy@matostech.com password MatosTech store-local
dhcpd auto_config outside
!
tunnel-group 72.14.253.226 type ipsec-l2l
tunnel-group 72.14.253.226 ipsec-attributes
 pre-shared-key THIS_MUST_BE_THE_SAME_ON_EACH_ASA
!
: end
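Most L2L tunnels that refuse to come up fail on one of a handful of mismatches between the two sides: the peer address, a crypto ACL that is not the mirror of the other side's, a different transform set or PFS group, no common ISAKMP proposal, or a pre-shared key typo. The checker below walks two configs and reports exactly those. It is an added example for this post, not code from the page or from Cisco; the two config strings are constructed, trimmed copies of the HQ and Branch configs above, and 207.46.197.32 is assumed to be the branch's static PPPoE address, since that is what HQ peers to and a PPPoE address never appears in the saved config.

```python
# Added example (not from the post or Cisco): cross-check two ASA L2L peer
# configs for the mismatches that keep the tunnel from coming up.
import re

# Constructed, trimmed copies of the HQ (8.3) and Branch (8.2) configs above.
HQ_CFG = """\
access-list acl_vpn_asa2asa extended permit ip host 10.1.1.15 host 192.168.1.240
crypto ipsec transform-set set_asa2asa esp-aes-256 esp-sha-hmac
crypto map map_asa2asa 10 match address acl_vpn_asa2asa
crypto map map_asa2asa 10 set pfs group5
crypto map map_asa2asa 10 set peer 207.46.197.32
crypto map map_asa2asa 10 set transform-set set_asa2asa
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 207.46.197.32 ipsec-attributes
 pre-shared-key THIS_MUST_BE_THE_SAME_ON_EACH_ASA
"""
BRANCH_CFG = """\
access-list acl_vpn_asa2asa extended permit ip host 192.168.1.240 host 10.1.1.15
crypto ipsec transform-set set_asa2asa esp-aes-256 esp-sha-hmac
crypto map map2firebox 10 match address acl_vpn_asa2asa
crypto map map2firebox 10 set pfs group5
crypto map map2firebox 10 set peer 72.14.253.226
crypto map map2firebox 10 set transform-set set_asa2asa
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group 72.14.253.226 ipsec-attributes
 pre-shared-key THIS_MUST_BE_THE_SAME_ON_EACH_ASA
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")

def _addr(tok):
    p = tok.split()  # 'host A' -> 'A/32', 'NET MASK' -> 'NET/MASK'
    return f"{p[1]}/32" if p[0] == "host" else f"{p[0]}/{p[1]}"

def parse_side(cfg, outside_ip):
    """Pull the L2L-relevant settings out of one ASA config. outside_ip is
    passed in because a PPPoE-assigned address never appears in the config."""
    s = {"outside": outside_ip, "acl": {}, "tsets": {}, "policies": {}, "psk": {}, "map": {}}
    policy = tg = None
    for line in cfg.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if w[0] == "access-list" and (m := ACL_RE.match(line.strip())):
            s["acl"].setdefault(m[1], set()).add((_addr(m[2]), _addr(m[3])))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            s["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            s["map"][" ".join(w[4:-1])] = w[-1]  # e.g. 'set peer' -> ip, 'match address' -> acl name
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            policy = s["policies"].setdefault(w[3], {})
        elif policy is not None and w[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            policy[w[0]] = w[1]
        elif w[0] == "tunnel-group":
            tg = w[1]
        elif w[0] == "pre-shared-key" and tg:
            s["psk"][tg] = w[1]
    return s

def check_pair(a, b):
    """Return (errors, warnings): errors stop the tunnel, warnings get negotiated away."""
    errors, warnings = [], []
    if a["map"].get("set peer") != b["outside"] or b["map"].get("set peer") != a["outside"]:
        errors.append("'set peer' does not point at the other side's outside address")
    acl_a = a["acl"].get(a["map"].get("match address"), set())
    acl_b = b["acl"].get(b["map"].get("match address"), set())
    if not acl_a or {(d, s) for s, d in acl_a} != acl_b:
        errors.append("crypto ACLs are not mirror images of each other")
    if a["tsets"].get(a["map"].get("set transform-set")) != b["tsets"].get(b["map"].get("set transform-set")):
        errors.append("IPsec transform-sets differ")
    if a["map"].get("set pfs") != b["map"].get("set pfs"):
        errors.append("PFS group differs")
    keys = ("authentication", "encryption", "hash", "group")
    matched = [(pa, pb) for pa in a["policies"].values() for pb in b["policies"].values()
               if all(pa.get(k) == pb.get(k) for k in keys)]
    if not matched:
        errors.append("no ISAKMP policy matches on authentication/encryption/hash/group")
    elif any(pa.get("lifetime") != pb.get("lifetime") for pa, pb in matched):
        warnings.append("ISAKMP lifetimes differ; the peers use the shorter one")
    key_a, key_b = a["psk"].get(b["outside"]), b["psk"].get(a["outside"])
    if not key_a or key_a != key_b:
        errors.append("pre-shared keys are missing or differ")
    return errors, warnings

if __name__ == "__main__":
    # 207.46.197.32 is assumed to be the Branch's static PPPoE address (it is what HQ peers to)
    errors, warnings = check_pair(parse_side(HQ_CFG, "72.14.253.226"), parse_side(BRANCH_CFG, "207.46.197.32"))
    for level, msgs in (("ERROR", errors), ("WARN", warnings)):
        for msg in msgs:
            print(level, msg)
```

Point it at the output of "show running-config" from each ASA (the indentation of the saved config does not matter to the parser). On the two configs in this post it reports no errors and a single warning about the differing ISAKMP lifetimes; change the transform set, the PFS group or the pre-shared key on one side and the corresponding error shows up before you spend time in "debug crypto isakmp".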

2 comments:

  1. Great remarkable things here. I am very glad to look at your article. Thank you a lot and I am looking forward to getting in touch with you. Will you kindly drop me a mail?

  2. You made some clear points there. I looked on the internet for the subject and found most people will agree with your website.