L2L and Remote access VPN doc

Remote Access VPN:

Step1:

Configure the IP addresses on the ASA and the laptop as shown in the lab topology (the diagram is not reproduced on this page)

Step2:

Configure the ASA for remote access VPN. Note that the lab uses "cisco" as both the user password and the pre-shared key, and negotiates 3DES with DH group 2; these are lab values only, since 3DES and 1024-bit DH group 2 are deprecated and should not be used outside a lab.

Code:

access-list office_splitTunnelAcl standard permit 150.0.0.0 255.0.0.0

access-list outside_nat0_outbound extended permit ip 150.0.0.0 255.0.0.0 172.16.1.0 255.255.255.240

ip local pool vpn-pool 172.16.1.1-172.16.1.10 mask 255.255.255.128

nat (outside) 0 access-list outside_nat0_outbound

group-policy office internal

group-policy office attributes

vpn-tunnel-protocol IPSec webvpn


split-tunnel-policy tunnelspecified

split-tunnel-network-list value office_splitTunnelAcl

username cisco password cisco

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map inside_dyn_map 20 set pfs

crypto dynamic-map inside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map

crypto map inside_map interface inside

crypto isakmp enable inside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group office type ipsec-ra

tunnel-group office general-attributes

address-pool vpn-pool

default-group-policy office

tunnel-group office ipsec-attributes

pre-shared-key cisco

Verification (only relevant output included). Note that the output reproduced below comes from the outside_map crypto map and reports "in use settings ={L2L, Tunnel, }", i.e. it is the site-to-site SA rather than the remote-access SA terminated on inside_map; the page does not include the remote-access SA output.

From the laptop ping 150.1.1.1


Code:

Crypto map tag: outside_map, seq num: 20, local addr: 155.14.0.4

access-list outside_20_cryptomap permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0) current_peer: 155.14.0.1

#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3

#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0

inbound esp sas:

spi: 0x218BAEDC (562802396)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 20, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/3577)

IV size: 8 bytes

replay detection support: Y


outbound esp sas:

spi: 0x7A91211B (2056331547)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 20, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/3575)

IV size: 8 bytes

replay detection support: Y

L2L VPN:

Step1:

Configure the IP addresses on the ASA and the Hub router

Step2:

Configure the ASA as follows. The NAT-exemption ACL defined here is inside_nat0_outbound, so the nat 0 statement must reference that ACL on the inside interface; the page as originally published wrote "nat (outside) 0 access-list outside_nat0_outbound", which reuses the remote-access exemption and leaves 192.168.1.0/24 subject to NAT before it reaches the crypto map.

Code:

access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 150.0.0.0 255.0.0.0

access-list outside_20_cryptomap extended permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0


access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 150.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0

nat (inside) 0 access-list inside_nat0_outbound

crypto map outside_map 20 match address outside_20_cryptomap

crypto map outside_map 20 set peer 155.14.0.1

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 155.14.0.1 type ipsec-l2l

tunnel-group 155.14.0.1 ipsec-attributes

pre-shared-key cisco

Step3:

Configure the hub router as follows

Code:

crypto isakmp policy 2

encr 3des

authentication pre-share

group 2

crypto isakmp key cisco address 155.14.0.4

crypto ipsec transform-set l2l-trn esp-3des esp-sha-hmac

!

!

crypto map l2l-map 10 ipsec-isakmp

set peer 155.14.0.4

set transform-set l2l-trn

match address 101

interface GigabitEthernet0/1

ip address 155.14.0.1 255.255.255.0

crypto map l2l-map

access-list 101 permit ip 150.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 150.0.0.0 0.255.255.255 172.16.1.0 0.0.0.255
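The two configurations above share the same crypto suite (3DES, SHA-1, DH group 2, five-character pre-shared key "cisco") on both the ASA and the IOS hub. The following script is an added example, not part of the original document, that audits both config dialects for those settings. The sample configs it embeds are constructed from the lines on this page; the 14-character minimum key length and the list of "weak" transforms are assumptions chosen for the example, not a Cisco default. It also flags an IOS ISAKMP policy that omits the hash command, since IOS then defaults to SHA-1.

```python
"""Audit ISAKMP policies, IPsec transform-sets and pre-shared keys in
Cisco ASA (8.x) and IOS configuration text for deprecated settings.
Added example; the sample configs below are constructed from this page."""
import re
from typing import List, Optional

# Constructed sample: the ASA side of the L2L tunnel as configured above.
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 155.14.0.1 type ipsec-l2l
tunnel-group 155.14.0.1 ipsec-attributes
 pre-shared-key cisco
"""

# Constructed sample: the IOS hub router side (note "encr" and no "hash").
IOS_CONFIG = """\
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 155.14.0.4
crypto ipsec transform-set l2l-trn esp-3des esp-sha-hmac
"""

WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}            # plain "sha" is SHA-1 on both platforms
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}
MIN_PSK_LEN = 14                      # assumed policy threshold for this example

# Any of these begins a new top-level stanza and therefore ends a policy block.
BLOCK_STARTS = ("crypto ", "tunnel-group ", "interface ", "access-list ")
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
ENCR_RE = re.compile(r"(?:encryption|encr) (\S+)$")   # ASA says encryption, IOS encr
HASH_RE = re.compile(r"hash (\S+)$")
GROUP_RE = re.compile(r"group (\d+)$")
XFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
PSK_RE = re.compile(r"(?:pre-shared-key|crypto isakmp key) (\S+)")


def _close_policy(policy: Optional[str], hash_seen: bool, findings: List[str]) -> None:
    """Report a policy that never set a hash (IOS default is SHA-1)."""
    if policy is not None and not hash_seen:
        findings.append(f"isakmp policy {policy}: no hash configured, default is sha (SHA-1)")


def audit(config: str) -> List[str]:
    """Return a list of human-readable findings for one config text."""
    findings: List[str] = []
    policy: Optional[str] = None
    hash_seen = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            _close_policy(policy, hash_seen, findings)
            policy, hash_seen = m.group(1), False
            continue
        if line.startswith(BLOCK_STARTS):        # left the policy sub-mode
            _close_policy(policy, hash_seen, findings)
            policy = None
        if policy is not None:
            m = ENCR_RE.match(line)
            if m:
                if m.group(1) in WEAK_ENCRYPTION:
                    findings.append(f"isakmp policy {policy}: weak encryption {m.group(1)}")
                continue
            m = HASH_RE.match(line)
            if m:
                hash_seen = True
                if m.group(1) in WEAK_HASH:
                    findings.append(f"isakmp policy {policy}: weak hash {m.group(1)}")
                continue
            m = GROUP_RE.match(line)
            if m:
                if m.group(1) in WEAK_DH_GROUPS:
                    findings.append(f"isakmp policy {policy}: weak DH group {m.group(1)}")
                continue
        m = XFORM_RE.match(line)
        if m:
            weak = [t for t in m.group(2).split() if t in WEAK_TRANSFORMS]
            if weak:
                findings.append(f"transform-set {m.group(1)}: weak transforms {' '.join(weak)}")
            continue
        m = PSK_RE.match(line)
        if m and len(m.group(1)) < MIN_PSK_LEN:
            findings.append(f"pre-shared key {m.group(1)!r} is only {len(m.group(1))} characters")
    _close_policy(policy, hash_seen, findings)
    return findings


if __name__ == "__main__":
    for name, cfg in (("ASA", ASA_CONFIG), ("IOS hub", IOS_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg):
            print("  " + finding)
```

Run it against a saved "show running-config" and every finding names the policy number or transform-set so it can be fixed in place; a clean policy (for instance aes-256, sha256, group 14) produces no findings.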

Verification (only relevant output included)

From the laptop ping 150.2.2.2

!!!!

Code:

Router

interface: GigabitEthernet0/1

Crypto map tag: l2l-map, local addr 155.14.0.1

protected vrf: (none)

local ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) current_peer 155.14.0.4 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18

#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 1, #recv errors 0

local ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)

remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0) current_peer 155.14.0.4 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18

#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

ASA

Code:

interface: outside

Crypto map tag: outside_map, seq num: 20, local addr: 155.14.0.4

access-list outside_20_cryptomap permit ip 172.16.1.0 255.255.255.0 150.0.0.0 255.0.0.0

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0) current_peer: 155.14.0.1

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0
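The two "show crypto ipsec sa" excerpts above are what a practitioner reads to confirm a tunnel is really carrying traffic: matching encaps/decaps counters per local/remote ident pair, one inbound and one outbound SPI, and zero send errors (the hub shows one send error on the first flow). The following parser is an added example, not part of the original page; it reads both the IOS form ("current_peer 155.14.0.4 port 500", "#send errors 1") and the ASA form ("current_peer: 155.14.0.1", "#send errors: 0"). The embedded output is constructed from the lines on this page, with the second flow's decaps counter set to zero to show the classic one-way-traffic symptom of a mismatched crypto ACL or missing NAT exemption on the far side.

```python
"""Parse 'show crypto ipsec sa' output from Cisco IOS or ASA and flag
flows with no return traffic or send errors.
Added example; the sample output below is constructed from this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: IOS hub output for the two L2L flows, with the second
# flow's decaps forced to 0 to demonstrate one-way traffic detection.
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0/1
   Crypto map tag: l2l-map, local addr 155.14.0.1
   local  ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 155.14.0.4 port 500
    #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #send errors 1, #recv errors 0
   local  ident (addr/mask/prot/port): (150.0.0.0/255.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer 155.14.0.4 port 500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x218BAEDC (562802396)
        transform: esp-3des esp-sha-hmac none
     outbound esp sas:
      spi: 0x7A91211B (2056331547)
        transform: esp-3des esp-sha-hmac none
"""


@dataclass
class IpsecSa:
    """One protected flow (a local/remote ident pair) and its counters."""
    local: str = ""
    remote: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    transforms: List[str] = field(default_factory=list)


LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer:? (\S+)")          # ASA adds a colon
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors:? (\d+), #recv errors:? (\d+)")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
XFORM_RE = re.compile(r"transform: (.+)$")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output into one IpsecSa per 'local ident' line."""
    sas: List[IpsecSa] = []
    direction: Optional[str] = None     # inbound/outbound while inside an esp sas block
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCAL_RE.search(line)
        if m:                            # a new flow starts here
            sas.append(IpsecSa(local=m.group(1)))
            direction = None
            continue
        if not sas:
            continue                     # header lines before the first flow
        sa = sas[-1]
        m = REMOTE_RE.search(line)
        if m:
            sa.remote = m.group(1)
        m = PEER_RE.search(line)         # may share the line with remote ident on ASA
        if m:
            sa.peer = m.group(1)
        m = ENCAPS_RE.search(line)
        if m:
            sa.encaps = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            sa.decaps = int(m.group(1))
        m = ERRORS_RE.search(line)
        if m:
            sa.send_errors, sa.recv_errors = int(m.group(1)), int(m.group(2))
        if line.startswith("inbound esp sas"):
            direction = "inbound"
        elif line.startswith("outbound esp sas"):
            direction = "outbound"
        m = SPI_RE.search(line)
        if m and direction == "inbound":
            sa.inbound_spi = m.group(1)
        elif m and direction == "outbound":
            sa.outbound_spi = m.group(1)
        m = XFORM_RE.search(line)
        if m:                            # drop the trailing "none" (no compression)
            sa.transforms.append(m.group(1).replace(" none", "").strip())
    return sas


def find_problems(sas: List[IpsecSa]) -> List[str]:
    """Return the operational problems visible in the counters."""
    problems: List[str] = []
    for sa in sas:
        tag = f"{sa.local} <-> {sa.remote} (peer {sa.peer})"
        if sa.encaps > 0 and sa.decaps == 0:
            problems.append(f"{tag}: one-way traffic, {sa.encaps} encaps but 0 decaps "
                            "(check the peer's crypto ACL and NAT exemption)")
        elif sa.encaps == 0 and sa.decaps == 0:
            problems.append(f"{tag}: no traffic on this SA")
        if sa.send_errors:
            problems.append(f"{tag}: {sa.send_errors} send errors")
    return problems


if __name__ == "__main__":
    for problem in find_problems(parse_ipsec_sa(SAMPLE_SA_OUTPUT)):
        print(problem)
```

A flow whose encaps counter climbs while decaps stays at zero means the local side is sending encrypted packets that the peer either never selects into its own crypto ACL or sends back unencrypted (typically because NAT rewrote the source before the crypto map saw it), which is exactly the failure the nat 0 exemption lines in the configs above exist to prevent.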

Posted: 25/07/2014, 07:21