
May 4, 2009

Base Config: ASA Site-to-Site VPN

It doesn't matter how many times I've done this, I always forget one piece. Here's a template for the future:

Assume local subnet 192.168.15.0/24, remote subnet 192.168.16.0/24. Remote public IP 11.11.11.11.

! Phase 1 (ISAKMP/IKEv1): enable ISAKMP on the outside interface and define the policy
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800

! Interesting traffic, local -> remote (the ASA takes subnet masks here, not wildcard masks)
access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

! Phase 2 (IPsec) transform set
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

! Crypto map entry for this peer, then bind the map to the outside interface
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

! Exempt the VPN traffic from NAT, using the same ACL
nat (inside) 0 access-list REMOTE_SITE

! Peer definition and pre-shared key (replace *** with the real key)
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key ***
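Added here as a sanity checker, not part of the original post: a Python script that reads an ASA running-config and reports which of the template's pieces are missing or inconsistent (the ACL a crypto map entry matches, the matching nat 0 exemption, the tunnel-group for the peer, the transform-set, the interface binding and ISAKMP on that interface), and flags PFS group1 as a weak DH group. The sample config is the template above, trimmed to the lines the checks read; the regexes are my assumptions about the 8.x config syntax, not a full parser.

```python
import re

# Constructed sample input: the post's template trimmed to the lines the checks read.
ASA_CONFIG = """\
crypto isakmp enable outside
access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP interface outside
nat (inside) 0 access-list REMOTE_SITE
tunnel-group 11.11.11.11 type ipsec-l2l
"""

def check_l2l(config):
    """Return findings per crypto map entry; an empty list means no piece is missing."""
    def grab(pattern):  # first capture group of every matching config line
        return set(re.findall(pattern, config, re.M))
    acls = grab(r"^access-list (\S+) ")
    tsets = grab(r"^crypto ipsec transform-set (\S+) ")
    isakmp_on = grab(r"^crypto isakmp enable (\S+)")
    nat0_acls = grab(r"^nat \(\S+\) 0 access-list (\S+)")
    l2l_peers = grab(r"^tunnel-group (\S+) type ipsec-l2l")
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M))
    entry_re = r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set|set pfs) (\S+)"
    entries = {}  # (map name, seq) -> {field: value}
    for name, seq, field, value in re.findall(entry_re, config, re.M):
        entries.setdefault((name, seq), {})[field] = value
    findings = []
    for (name, seq), e in entries.items():
        tag = f"crypto map {name} {seq}"
        if e.get("match address") not in acls:
            findings.append(f"{tag}: match address ACL missing or not defined")
        elif e["match address"] not in nat0_acls:
            findings.append(f"{tag}: no 'nat 0' exemption for ACL {e['match address']}")
        if e.get("set peer") not in l2l_peers:
            findings.append(f"{tag}: peer has no 'tunnel-group <peer> type ipsec-l2l'")
        if e.get("set transform-set") not in tsets:
            findings.append(f"{tag}: transform-set missing or not defined")
        if name not in bound:
            findings.append(f"{tag}: never applied with 'crypto map {name} interface <if>'")
        elif bound[name] not in isakmp_on:
            findings.append(f"{tag}: ISAKMP not enabled on interface {bound[name]}")
        if e.get("set pfs") == "group1":
            findings.append(f"{tag}: PFS group1 (768-bit DH) is weak")
    return findings

if __name__ == "__main__":
    print("\n".join(check_l2l(ASA_CONFIG)) or "all pieces present")
```

Feed it the output of show running-config before bringing the tunnel up; with the template as written the only finding is the weak PFS group.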

Posted by JC at May 4, 2009 5:05 AM

Comments

For this

'access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.0.0 192.168.16.0 255.255.255.0'

Are you telling the access list to ignore the first two octets and make sure the last two are always the same?

If not, it should be the opposite way... according to wildcard masks... ?

But judging by your assumptions up the top you're using the /24 mask, so it would be 0.0.255.255 =O

Posted by: Ben at May 5, 2009 5:22 PM

Ben - the ASA uses subnet masks rather than wildcard masks. Only routers use wildcard masks. JC's configuration is accurate.

Posted by: Franko at May 6, 2009 12:55 AM

Nice template!

Do you have similar template for Cisco router
(let's say Cisco 877) site-to-site VPN to ASA?

Thanks in advance,
Gilad

Posted by: Gilad at May 6, 2009 6:09 AM

Nice, thanks for the template, I always forget something too.

BR,
AL

Posted by: Ariel at May 6, 2009 5:53 PM

Hey, Jeremy, great job, I am a great fan of you..

I don't know where to post it, so I am posting it here.

You explain the stuff so easily. Today I am CCNA, which I attribute wholly to you. Now I am preparing for my CCSP; one disappointing thing is that SNPA or SNAF is not yours. I hope soon you will make those videos too.

I could fill this page, but I know this is not the right place. Jeremy, can I have your e-mail ID? You asked in your CCNA Voice whether telephone wires in India are really like that; yes, they are, I am from India.. Learning with you is fun and great..

Keep it up,

Thanks

Praveen

Posted by: praveen at May 8, 2009 10:20 AM

Three words. VPN Tunnel Wizard! I find that if I don't use this I always forget a piece or two as well.

Cheers!

Posted by: Rob at May 12, 2009 6:31 AM

5/14/2009

Hey I was wondering if you could refer someone (or if you yourself might be interested) for a position I have available in Milwaukee WI for a certified CCIE (written & lab, must have #). This is an immediate need and we're looking for a full-time hire. Please get back to me, I can be reached at gblackman@visiongroupllc.com. Thanks.

Best Regards,

Gavin Blackman
Managing Partner / Recruiting
Vision Group Associates, LLC
gblackman@visiongroupllc.com

Posted by: Gavin Blackman at May 14, 2009 12:45 PM

Man, you are relentless. Thinking about vpn configs at 5 in the morning! ;-)

Posted by: Tom Hart at May 14, 2009 8:50 PM

Hi Jer

Greetings! I am a BIIIIIGGGG fan of yours. Got everything you've done and put out there for us (videos and books). I've got them all thanks to you. a) CCENT 950 (your book & CBT) b) CCNA 975 (your book & CBT) c) CCNA-Voice 979 (ditto). May God continue to bless you and yours. Thanks again Jeremy.

Philbert - Jamaica, NY

Posted by: Philbert at May 17, 2009 7:23 PM

Hi Jer,
Greetings! Are you likely to do any training materials for the IIUC2 (IPX) 642-145 exam? I'm so in love with the CUCME/CUE. Can't get enough of it. Addicted :) Please help again if you can. Phank you much.

Philbert - Jamaica, NY

Posted by: Philbert at May 17, 2009 7:32 PM

You've got everything he has done - books and videos? That must have been expensive.

Posted by: Anonymous at May 18, 2009 6:10 AM

Knowledge is not cheap, my friend, and most of all he makes learning enjoyable. Yes, everything that I can get my hands on. "Light bulbs" go on in my head on topics that were once difficult to comprehend by other means. I'm very happy. Reading his books is like listening to the videos without sound :)

Philbert - Jamaica, NY

Posted by: Philbert at May 18, 2009 8:36 AM

Is that an older IOS the template is for? Doesn't the crypto map support the same sub levelness of access-lists for brevity of command input?

Posted by: Bojan Land at May 19, 2009 2:39 PM

Hi JC/Everyone,

Great site! I am trying to configure two Cisco ASA 5505 Version 8.0(2) for IPSEC site-to-site VPN using your configuration template to no success. Nothing even initiates. Would that suggest that my ASAs are broken?

Also, once connected, I would like the default route configured on the second ASA (which would become remote when I send it to the remote office) so that it uses the default route of the first one (basically to use the internet in the central office). Any help would be much appreciated.

Thanks,

JD

Posted by: JD at May 21, 2009 3:00 AM

Great job!
Thanks!

Posted by: Kan at June 3, 2009 12:41 AM

I just wanted to say thanks for posting this. I found this very easy to setup and it worked right out of the gate. You ROCK!

Posted by: Jason at June 26, 2009 5:38 PM

Just today I've met with trouble configuring an L2L VPN between an ASA and a router. The tunnel was coming up and down constantly. All of the configs were correct and I was confused why this could happen, till I noticed that the ASA was trying to send its FQDN to the router as the Phase 2 ID (like asavpn.invalid.domain).
So, if any of you meet a problem like this, enter the command listed below:

(config)#crypto isakmp identity address

Posted by: RuSLiX at July 20, 2009 2:45 AM

Hey Jer!

Thanks man, I do appreciate all your good work..... but I have this mind-bugging question that I have been wanting to ask ever since I saw your SNRS CBT Nuggets video.

I know at a point, while creating EZVPN on a router, particularly while creating the real crypto map to attach the dynamic crypto map to, I might be wrong with what I heard but just curious... you said something like there might be other crypto maps existing on the router. Now my question is: is it possible to have both a site-to-site VPN existing on a particular router, and on top of it slam an EZVPN config too, right on the same router and with a single WAN interface, say an f0/1 holds both VPN configs? If it's possible could you please tell me how!!! I must be honest about this. I am trying to configure just that for my corporate network.

Thanks Jer!

Posted by: Teddy at July 26, 2009 9:20 AM

Maybe I am stupid to ask this, but I want to clarify the below

access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

nat (inside) 0 access-list VPNTRAFFIC

access-list VPNTRAFFIC ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

can i restrict inside traffic coming from the tunnel using VPNTRAFFIC acl without disturbing Tunnel...??

Posted by: Durga at July 28, 2009 9:11 AM

I'm having a similar issue as JD above... I have two ASA 5505's and I'm attempting to join them. I have two existing Site-to-Site connections that work flawlessly, but this past week I've tried adding two more... neither of which will even initiate a connection... and unless something is wrong, I can't even see any attempts to connect in the debugging log views.

Any ideas?

Posted by: GoodThings2Life at July 28, 2009 10:52 AM

Shouldn't this be the other way: the VPN traffic is coming from the remote and should be allowed into the local site?

'access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.0.0 192.168.16.0 255.255.255.0'

Should be:
'access-list REMOTE_SITE ex permit ip 192.168.16.0 255.255.0.0 192.168.15.0 255.255.255.0'

Posted by: supruzer at December 22, 2009 11:05 AM
