Back on my Cisco ASA, I now needed to work out how to build an IPsec tunnel to a customer and then make sure that traffic to that subnet is not subject to the dynamic PAT I have for my inside network.
Setting up a site-to-site IPsec VPN on the ASA is different from doing it on an IOS router, for example: the concepts remain the same, but the order and the way you do it differ.
First I define two network objects, one for my network and one for the remote network.
object network Remote
 subnet 10.17.0.0 255.255.255.192
object network CSCM
 subnet 172.22.0.0 255.255.255.240
Next comes a series of crypto commands for the IPsec tunnel.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
Several other transform sets can be created, but for brevity I have only included the ones I am using.
access-list acl-crypto-remote extended permit ip 172.22.0.0 255.255.255.240 object Remote
This is an ACL to match the traffic from my network to the remote network.
crypto map crypto-map-remote 1 match address acl-crypto-remote
This will match the interesting traffic from my network to the remote network and assign this to the crypto map.
crypto map crypto-map-remote 1 set peer 195.xx.xx.xx
This sets the peer address to the WAN IP of the remote site.
crypto map crypto-map-remote 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
This tells the same crypto map entry to use the transform sets we defined earlier.
crypto map crypto-map-remote interface Internet
Similar to IOS, here we apply the crypto map to the Internet interface so that matching traffic is encapsulated.
crypto ikev1 enable Internet
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
This enables IKEv1 on the Internet interface and sets the IKE policy for the tunnel, with the Phase 1 settings that match our remote site.
group-policy GroupPolicy_195.xx.xx.xx internal
group-policy GroupPolicy_195.xx.xx.xx attributes
 vpn-tunnel-protocol ikev1
Here we set up a group policy for the VPN settings; it specifies that the policy is internal and that the tunnel protocol is IKE version 1.
tunnel-group 195.xx.xx.xx type ipsec-l2l
tunnel-group 195.xx.xx.xx general-attributes
 default-group-policy GroupPolicy_195.xx.xx.xx
tunnel-group 195.xx.xx.xx ipsec-attributes
 ikev1 pre-shared-key ******
Finally, we define this as an IPsec site-to-site tunnel (ipsec-l2l), assign the group policy we created to it, and set the pre-shared key we are using.
Troubleshooting this can be tricky, so I recommend the following commands to help:
show crypto ipsec sa
show crypto ikev1 sa
show logging
You can get a really good log view with the ASDM for this type of configuration; it beats the SSH or console view in my opinion.
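As an added check (my own example, not part of the original post), the following Python audits a saved ASA configuration for the things that most often break or weaken a tunnel like this one: IKEv1 policies or transform sets still on 3DES, MD5 or DH group 2 (all rated legacy or "avoid" in Cisco's Next Generation Encryption guidance), crypto map entries missing one of their three settings or referencing an undefined ACL or transform set, and peers without a matching ipsec-l2l tunnel-group. The sample configuration is constructed from the commands above, with a TEST-NET address standing in for the real peer.

```python
import re

# Constructed sample (not the post's listing): its IKEv1 L2L commands with a TEST-NET peer address.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list acl-crypto-remote extended permit ip 172.22.0.0 255.255.255.240 object Remote
crypto map crypto-map-remote 1 match address acl-crypto-remote
crypto map crypto-map-remote 1 set peer 192.0.2.10
crypto map crypto-map-remote 1 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto ikev1 policy 10
 encryption 3des
 hash sha
 group 2
tunnel-group 192.0.2.10 type ipsec-l2l
"""
# Settings Cisco's Next Generation Encryption guidance rates legacy or "avoid".
LEGACY_IKE = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2", "group 5"}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

def audit_asa_vpn(config):
    """Cross-check one IKEv1 L2L configuration; return a list of findings."""
    out, M = [], re.M
    # Phase 1 policies: ASA indents a policy's subcommands by one space.
    for num, body in re.findall(r"^crypto ikev1 policy (\d+)\n((?: .*\n)+)", config, M):
        out += [f"ikev1 policy {num}: legacy setting '{s.strip()}'" for s in body.splitlines() if s.strip() in LEGACY_IKE]
    tsets = {n: a.split() for n, a in re.findall(r"^crypto ipsec ikev1 transform-set (\S+) (.*)$", config, M)}
    for n, algs in tsets.items():
        out += [f"transform-set {n}: legacy algorithm {a}" for a in algs if a in LEGACY_ESP]
    acls = set(re.findall(r"^access-list (\S+) ", config, M))
    tgroups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, M))
    maps, peers = {}, set()
    for name, seq, setting in re.findall(r"^crypto map (\S+) (\d+) (.*)$", config, M):
        maps.setdefault((name, seq), []).append(setting)
    for (name, seq), settings in maps.items():
        for need in ("match address", "set peer", "set ikev1 transform-set"):
            if not any(s.startswith(need) for s in settings):
                out.append(f"crypto map {name} {seq}: missing '{need}'")
        for s in settings:
            w = s.split()
            if s.startswith("match address") and w[2] not in acls:
                out.append(f"crypto map {name} {seq}: ACL {w[2]} is not defined")
            elif s.startswith("set peer"):
                peers.update(w[2:])
            elif s.startswith("set ikev1 transform-set"):
                out += [f"crypto map {name} {seq}: transform-set {t} is not defined" for t in w[3:] if t not in tsets]
    # An L2L tunnel-group must be named after the peer address it authenticates.
    out += [f"peer {p}: no 'tunnel-group {p} type ipsec-l2l'" for p in peers - tgroups]
    return out
```

Run against `show running-config` output saved to a file; an empty list means the structural checks passed, and any legacy findings are the algorithms to renegotiate with the peer.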