ASA

How to configure VPN

Site-Site

  1. Define the networks (object-groups for the remote subnets)
  2. Create the crypto map ACL (the "interesting traffic" that is sent through the tunnel)
  3. Create the No-NAT ACL (the same networks/hosts, whose packets must not be translated before they are encrypted)
  4. Apply the No-NAT exemption
  5. Create a transform set (phase 2 / IPsec algorithms)
  6. Create the crypto map and bind it to the outside interface
  7. Enable isakmp on the interface
  8. Create isakmp policies (phase 1 / IKE algorithms)
  9. Create the group-policy for the tunnel-group (site-to-site hosts)
  10. Create the tunnel-group and apply its attributes (group-policy and pre-shared key)
Code Block
! 1. Remote networks. The local LAN (172.32.100.0/24) is referenced directly in the ACLs below.
object-group network Remote_VPN
 network-object 10.10.10.0 255.255.255.0
 network-object 10.20.20.0 255.255.255.0
object-group network Remote_Internal
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.4.0 255.255.255.0
 network-object 172.18.0.0 255.255.0.0
object-group network Remote_Combined
 group-object Remote_VPN
 group-object Remote_Internal
!
! 2. Crypto map ACL: the traffic that goes through the tunnel. The remote peer needs the
!    mirror image of this ACL. (Both ACLs reference Remote_Combined from step 1; the
!    original page pointed them at an object-group that is never defined.)
access-list outside_cryptomap_1 extended permit ip 172.32.100.0 255.255.255.0 object-group Remote_Combined
! 3./4. No-NAT: the same traffic must keep its original addresses, or it will never match
!    the peer's crypto ACL. "nat 0 access-list" is pre-8.3 syntax; 8.3+ uses twice NAT.
access-list VPNNONAT extended permit ip 172.32.100.0 255.255.255.0 object-group Remote_Combined
nat (inside) 0 access-list VPNNONAT
! 5. Phase 2 (IPsec) transform set and SA lifetimes
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! 6. Crypto map ties ACL, peer and transform set together; then bind it to the outside interface
crypto map MELONGCryptoMaps 1 match address outside_cryptomap_1
crypto map MELONGCryptoMaps 1 set peer 66.46.186.170
crypto map MELONGCryptoMaps 1 set transform-set ESP-AES-256-SHA
crypto map MELONGCryptoMaps interface outside
! 7./8. Phase 1 (ISAKMP / IKEv1). Lower policy numbers are tried first, so the strongest
!    policy belongs on the lowest number. DH group 2 is 1024-bit; use group 14 or higher
!    wherever the peer supports it.
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! 9. Group policy for the tunnel. IPSec alone is enough for an L2L tunnel; l2tp-ipsec is for
!    remote-access L2TP clients.
group-policy Site2Site internal
group-policy Site2Site attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
! 10. Tunnel group named after the peer address; the pre-shared key must match on both ends
tunnel-group 66.46.186.170 type ipsec-l2l
tunnel-group 66.46.186.170 general-attributes
 default-group-policy Site2Site
tunnel-group 66.46.186.170 ipsec-attributes
 pre-shared-key melongP@$$
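Most site-to-site tunnels that never come up fail on a consistency slip in exactly the ten pieces above: an ACL that references an object-group nobody defined, a no-NAT ACL that does not mirror the crypto ACL, a crypto map bound to an interface where isakmp is not enabled, or a tunnel-group without a pre-shared key. The checker below walks a config text and reports those, plus a warning for DH group 1/2 policies. It is an added example, not part of the original page and not a Cisco tool; it understands only the command forms this page uses (pre-8.3 `nat 0`, IKEv1 `crypto isakmp`), and SAMPLE_CONFIG is a constructed, cut-down copy of the page's config with the undefined object-group left in so the checker has something to find.

```python
"""Consistency checks for a Cisco ASA IKEv1 site-to-site VPN config (pre-8.3
"nat 0" syntax). Added example: SAMPLE_CONFIG is constructed from the fragment
on this page; the findings are the checker's own output, not device output."""

# Constructed sample; the crypto-map ACL references an object-group that is never defined.
SAMPLE_CONFIG = """\
object-group network Remote_Combined
 network-object 10.10.10.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 172.32.100.0 255.255.255.0 object-group 4POINT_ACCESS
access-list VPNNONAT extended permit ip 172.32.100.0 255.255.255.0 object-group Remote_Combined
nat (inside) 0 access-list VPNNONAT
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map MELONGCryptoMaps 1 match address outside_cryptomap_1
crypto map MELONGCryptoMaps 1 set peer 66.46.186.170
crypto map MELONGCryptoMaps 1 set transform-set ESP-AES-256-SHA
crypto map MELONGCryptoMaps interface outside
crypto isakmp enable outside
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 group 2
tunnel-group 66.46.186.170 type ipsec-l2l
tunnel-group 66.46.186.170 ipsec-attributes
 pre-shared-key melongP@$$
"""

# Sub-commands of "crypto isakmp policy N" and "tunnel-group X ipsec-attributes".
SUBCOMMANDS = {"authentication", "encryption", "hash", "group", "lifetime", "pre-shared-key"}


def _endpoint(tok, i):
    """Parse one ACL address spec (any | host A | object-group G | A MASK) at tok[i]."""
    if tok[i] in ("any", "any4"):
        return tok[i], i + 1
    return f"{tok[i]} {tok[i + 1]}", i + 2


def check_site_to_site(config):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings for an ASA config text."""
    groups, acls, tsets, acl_refs = set(), {}, set(), []
    cmaps, map_iface, isakmp_ifaces, nonat = {}, {}, set(), []
    policies, tgroups, ctx = {}, {}, None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0][0] in "!:":  # blank or comment line
            continue
        if t[0] in SUBCOMMANDS and ctx is not None:
            ctx[t[0]] = t[1]
            continue
        ctx = None  # any other command leaves the current sub-mode
        if t[:2] == ["object-group", "network"]:
            groups.add(t[2])
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _endpoint(t, 5)
            dst, _ = _endpoint(t, i)
            acls.setdefault(t[1], set()).add((src, dst))
            acl_refs += [(t[1], ep.split()[1]) for ep in (src, dst) if ep.startswith("object-group ")]
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nonat.append(t[4])
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(t[3])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            map_iface[t[2]] = t[4]
        elif t[:2] == ["crypto", "map"]:  # "match address X" / "set peer X" / "set transform-set X"
            cmaps.setdefault((t[2], t[3]), {})[" ".join(t[4:6])] = t[6]
        elif t[:3] == ["crypto", "isakmp", "enable"]:
            isakmp_ifaces.add(t[3])
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            ctx = policies.setdefault(t[3], {})
        elif t[0] == "tunnel-group":
            tg = tgroups.setdefault(t[1], {})
            if t[2] == "type":
                tg["type"] = t[3]
            elif t[2] == "ipsec-attributes":
                ctx = tg
    f = []
    for acl, g in acl_refs:
        if g not in groups:
            f.append(f"ERROR: access-list {acl} references undefined object-group {g}")
    for (name, seq), e in cmaps.items():
        where = f"crypto map {name} {seq}"
        acl, peer, ts = e.get("match address"), e.get("set peer"), e.get("set transform-set")
        if acl not in acls:
            f.append(f"ERROR: {where} matches undefined access-list {acl}")
        if ts not in tsets:
            f.append(f"ERROR: {where} uses undefined transform-set {ts}")
        tg = tgroups.get(peer, {})
        if tg.get("type") != "ipsec-l2l":
            f.append(f"ERROR: {where} peer {peer} has no tunnel-group of type ipsec-l2l")
        elif "pre-shared-key" not in tg:
            f.append(f"ERROR: tunnel-group {peer} has no pre-shared-key")
        # Encrypted traffic must also be NAT-exempt, or it leaves with translated addresses.
        for n in nonat:
            if acl in acls and acls.get(n) != acls[acl]:
                f.append(f"WARN: no-NAT access-list {n} does not mirror {acl}")
        iface = map_iface.get(name)
        if iface not in isakmp_ifaces:
            f.append(f"ERROR: crypto map {name} is not bound to an interface with isakmp enabled ({iface})")
    for seq, p in policies.items():
        if p.get("group") in ("1", "2"):
            f.append(f"WARN: isakmp policy {seq} uses DH group {p['group']} (<=1024-bit); prefer group 14 or higher")
    return f
```

Run on the page's fragment it reports the undefined object-group in the crypto-map ACL, the resulting mismatch with VPNNONAT and the DH group 2 policy; with the ACL pointed at Remote_Combined, only the DH warning remains. The parser is deliberately narrow: it skips `!` and `:` comment lines and tracks sub-mode context only for the two blocks it needs, so feed it a running-config excerpt rather than expecting it to validate a whole firewall.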

Configure Split-DNS Resolution

Split-DNS lists the domains that a remote-access VPN client resolves through the tunnel's DNS servers; all other names go to the client's local resolver. It is a group-policy attribute for remote-access (client) tunnels and is not used by an ipsec-l2l tunnel-group. Replace POLICY with the name of the group-policy in use.

Code Block
ciscoasa# config t
ciscoasa(config)# group-policy POLICY attributes
ciscoasa(config-group-policy)# split-dns value internal.local external.com

Troubleshooting

Debug ISAKMP (IKE phase 1) SA negotiations. The debug level runs from 1 to 255; low levels show whether phase 1 and phase 2 complete, higher levels dump each exchange. The usual causes of a tunnel that never comes up are a phase 1 policy that does not match the peer's, a wrong pre-shared key, and a crypto ACL that is not the mirror image of the peer's:

debug crypto isakmp sa <debug level>

Password Recovery

Performing Password Recovery for the ASA 5500 Series Adaptive Security Appliance

...