Configure a Site 2 Site VPN on an ASA

In this article I will show you how to configure a Site 2 Site VPN on an ASA.
Also included in this example is a group policy (named "Example_Policy") with which we restrict access between the two endpoints to tcp/80 traffic only.

Please note: this example presumes that you have already created the object groups Local_LAN and Remote_LAN.

Access-Lists

Add the ACLs which we will need for the NAT exemption, the encryption domain and the group policy.

        access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
        access-list Example_Policy_ACL extended deny ip any any
        access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN

Group Policy

Create your group policy which will restrict traffic between hosts within your encryption domain (the vpn-filter ACL is applied to traffic in both directions through the tunnel).
        group-policy Example_Policy internal
        group-policy Example_Policy attributes
              vpn-filter value Example_Policy_ACL

NAT

Add your No NAT (NAT exemption) for traffic within the encryption domain, so that traffic between the two LANs is not translated before it is encrypted. This is the pre-8.3 syntax; the exemption is applied on the interface facing Local_LAN.
        nat (inside) 0 access-list Example_VPN_ACL

Tunnel Group

Create your tunnel group which will include your pre-shared key.
       tunnel-group [Peer IP] type ipsec-l2l
       tunnel-group [Peer IP] general-attributes
            default-group-policy Example_Policy
       tunnel-group [Peer IP] ipsec-attributes
            pre-shared-key [pre-share key]

Phase 1

Enable ISAKMP on the outside interface and define the IKE policy used to negotiate the Phase 1 SA.
        crypto isakmp identity address
        crypto isakmp enable outside

        crypto isakmp policy 10
           authentication pre-share
           encryption [?]
           hash [?]
           group [?]
           lifetime [secs]

Phase 2

Define the transform set (the algorithms that protect the data), build the crypto map entry, then bind the crypto map to the outside interface.
        crypto ipsec transform-set [transform set name] esp-3des esp-sha-hmac
        crypto map outside 20 match address Example_VPN_ACL
        crypto map outside 20 set peer [Peer IP]
        crypto map outside 20 set transform-set [transform set name]
        crypto map outside 20 set security-association lifetime seconds [secs]
        crypto map outside interface outside
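Once all of the pieces above are in place, the usual mistakes are a cross-reference that does not line up (an ACL name typed differently under vpn-filter than under access-list, a crypto map entry with no transform set or no interface binding) and legacy algorithms such as 3DES or DH group 2 carried forward from old templates. The Python script below is an added example, not part of the original article and not a Cisco tool: it parses a pre-8.3-style ASA configuration assembled from the sections above (the configuration text, the peer address 198.51.100.1, the transform-set name ESP-3DES-SHA and the misspelled vpn-filter ACL are constructed for the example) and reports dangling references, incomplete crypto map entries and weak IKE/IPsec settings.

```python
"""Lint a Cisco ASA site-to-site VPN configuration for dangling references,
incomplete crypto map entries and weak crypto settings (added example)."""
from collections import defaultdict

# Constructed sample: the article's objects with a peer address, an IKE
# lifetime and a deliberate typo in the vpn-filter ACL name (Example_Polcy_ACL).
SAMPLE_CONFIG = """
access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN
group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value Example_Polcy_ACL
nat (inside) 0 access-list Example_VPN_ACL
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 general-attributes
 default-group-policy Example_Policy
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key ********
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside 20 match address Example_VPN_ACL
crypto map outside 20 set peer 198.51.100.1
crypto map outside 20 set transform-set ESP-3DES-SHA
crypto map outside interface outside
"""

# Algorithms and DH groups that Cisco's Next Generation Encryption guidance avoids.
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def lint_asa_vpn(config: str) -> list[str]:
    """Return a list of human-readable findings for the given ASA config text."""
    acls, group_policies, transform_sets = set(), set(), set()
    crypto_maps = defaultdict(dict)   # (map name, sequence) -> {field: value}
    bound_maps = set()                # crypto maps applied to an interface
    refs = []                         # (kind, referenced name, line)
    findings = []
    context = None                    # most recent top-level command

    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # indented lines belong to the last top-level command
            context = line
        t = line.split()
        if t[0] == "access-list":
            acls.add(t[1])
        elif t[0] == "group-policy":
            group_policies.add(t[1])
        elif t[0] == "vpn-filter" and t[1] == "value":
            refs.append(("acl", t[2], line))
        elif t[0] == "nat" and "access-list" in t:
            refs.append(("acl", t[t.index("access-list") + 1], line))
        elif t[0] == "default-group-policy":
            refs.append(("group-policy", t[1], line))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            transform_sets.add(t[3])
            findings += [f"weak transform {a} in transform-set {t[3]}" for a in t[4:] if a in WEAK_ALGS]
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            bound_maps.add(t[2])
        elif t[:2] == ["crypto", "map"]:
            entry = crypto_maps[(t[2], t[3])]
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
                refs.append(("acl", t[6], line))
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform"] = t[6]
                refs.append(("transform-set", t[6], line))
        elif context and context.startswith("crypto isakmp policy"):
            if t[0] in ("encryption", "hash") and t[1] in WEAK_ALGS:
                findings.append(f"weak {t[0]} {t[1]} in {context}")
            if t[0] == "group" and t[1] in WEAK_DH_GROUPS:
                findings.append(f"weak DH group {t[1]} in {context}")

    defined = {"acl": acls, "group-policy": group_policies, "transform-set": transform_sets}
    for kind, name, line in refs:
        if name not in defined[kind]:
            findings.append(f"dangling {kind} reference {name!r} in: {line}")
    for (name, seq), entry in crypto_maps.items():
        for field in ("acl", "peer", "transform"):
            if field not in entry:
                findings.append(f"crypto map {name} {seq} missing {field}")
        if name not in bound_maps:
            findings.append(f"crypto map {name} is not bound to an interface")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_vpn(SAMPLE_CONFIG):
        print(finding)
```

Run the script against the output of `show running-config` (the sample here is constructed); on the sample it reports the misspelled vpn-filter ACL, the 3DES encryption in both phases and DH group 2. The parser only understands the commands used in this article, so extend the `elif` chain if your configuration uses other forms (for example `crypto ikev2 policy` on newer releases).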
