Wednesday, January 5, 2011

L2L VPN Config *** ROUTER Config ***

Background information

We have two sites which require an L2L (site-to-site) VPN tunnel.  One is a head office/data center location running an ASA firewall and the other is a remote branch office using a Cisco router.  The config covered below assumes that both the router and the firewall already have a basic working configuration.  Details below:

Remote Office
Location: Badell, Singapore
Device: 1841 with adventerprisek9-m 12.4(25d)
LAN: 10.251.6.0 /23
WAN: 124.66.16.231

Head Office
Location: Sydney, Australia
Device: ASA 5540 with ASA software v 8.2(2)
LAN: all private ranges
WAN: 203.38.18.222




STEP 1 - ACL 
An access list needs to be created to match the traffic which is to be sent via the VPN tunnel (the "interesting traffic"); this ACL will be referenced in our crypto map.  In this particular example we don't require any split-tunnel exceptions, as everything the branch sends to head office is designed to go via the tunnel, which keeps the ACL short.

access-list 100 remark VPN ACL
access-list 100 permit ip 10.251.6.0 0.0.1.255 10.180.0.0 0.0.255.255
access-list 100 permit ip 10.251.6.0 0.0.1.255 10.177.0.0 0.0.255.255



This ACL matches traffic from the local /23 to the two head-office subnets; the crypto map in Step 4 references it (match address 100) so that matching packets are encrypted and sent via the tunnel, while anything that does not match leaves the WAN interface in the clear.  Don't apply access-list 100 to an interface; it exists only for the crypto map.  One thing to note is that the ACLs on both ends must mirror each other, i.e. the ASA's ACL must list the same networks with source and destination swapped (and in subnet-mask form, so the wildcard 0.0.1.255 becomes 255.255.254.0), or Phase 2 fails with a proxy identity mismatch and the tunnel won't work properly.




STEP 2 - ISAKMP Policy
In this step the attributes must exactly match (except for the policy ID) what we selected on the ASA.  Attributes that are not listed take the IOS defaults (SHA-1 hash, 86400 s lifetime) and must match the ASA as well.  The IP address in the key statement is the outside address of the ASA (changed in this example).

crypto isakmp policy 35
 encr aes
 authentication pre-share
 group 5
! hash (sha) and lifetime (86400) are left at the IOS defaults here; they still
! have to match the ASA's policy.
! The key is masked in this post.  Use a long random key, and consider
! "key config-key password-encrypt" together with "password encryption aes"
! so the pre-shared key is not stored in clear text in the running config.
crypto isakmp key ***** address 203.38.18.222

STEP 3 - IPsec Transform Set
In this step we match the transform set that we specified in the ASA (AES encryption with SHA-1 HMAC authentication for ESP).  This transform set will be referenced in our crypto map.


crypto ipsec transform-set LABRADOR esp-aes esp-sha-hmac




STEP 4 - Crypto Map
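Step 4 is where the peer, the transform set from Step 3 and the interesting-traffic ACL from Step 1 are tied together and bound to the WAN interface.  The following is an added example of the remaining router-side configuration, not the original post's own config: the crypto map name and sequence number (VPN-MAP 10), the interface name FastEthernet0/0 and its /30 mask, the NAT ACL name NAT-ACL and the ASA ACL name SG-VPN are assumptions for illustration.  The ASA lines at the end are included only to show what "matching in reverse" looks like.

```cisco
! ---- Router (branch office, Singapore) ----
! Crypto map: ties the ASA peer, the transform set from Step 3 and the
! interesting-traffic ACL from Step 1 together.  Map name and sequence
! number (VPN-MAP 10) are assumed for this example.
crypto map VPN-MAP 10 ipsec-isakmp
 description L2L to Sydney ASA
 set peer 203.38.18.222
 set transform-set LABRADOR
 match address 100
!
! Add "set pfs group5" under the map only if the ASA crypto map also has
! PFS enabled; a PFS mismatch fails Phase 2.
!
! Bind the map to the WAN interface (FastEthernet0/0 and the /30 mask are
! assumptions).  Only one crypto map can be applied to an interface.
interface FastEthernet0/0
 description WAN
 ip address 124.66.16.231 255.255.255.252
 crypto map VPN-MAP
!
! If the router also does PAT for Internet access, the VPN traffic must be
! excluded from translation: NAT runs before the crypto map on the
! inside-to-outside path, so translated packets would never match ACL 100.
! NAT-ACL is an assumed name; adapt it to the existing NAT statement, e.g.
!   ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
 deny   ip 10.251.6.0 0.0.1.255 10.180.0.0 0.0.255.255
 deny   ip 10.251.6.0 0.0.1.255 10.177.0.0 0.0.255.255
 permit ip 10.251.6.0 0.0.1.255 any
!
! Verification after sending traffic across the tunnel:
!   show crypto isakmp sa   -> state QM_IDLE once Phase 1 is up
!   show crypto ipsec sa    -> #pkts encaps and #pkts decaps both increment
!   show crypto map         -> confirms peer, ACL and interface binding
!
! ---- ASA (head office, Sydney): the mirror of access-list 100 ----
! ASA ACLs use subnet masks rather than wildcard masks (0.0.1.255 becomes
! 255.255.254.0), and source/destination are swapped.  ACL name assumed.
access-list SG-VPN extended permit ip 10.180.0.0 255.255.0.0 10.251.6.0 255.255.254.0
access-list SG-VPN extended permit ip 10.177.0.0 255.255.0.0 10.251.6.0 255.255.254.0
```

The most common failure with this layout is a mask that is right on one side and wrong on the other (for example /24 instead of /23 for the branch LAN); compare the two ACLs line by line before debugging anything else.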

 
