Understanding Cisco ASA firewall VPN tunnels (keep it simple when you're just getting started, part 2)

To continue our simplified vpn tunnel series, this time we are looking at Cisco ASA firewall vpn tunnels.

Here’s our basic config

ASAs use nat 0 statements to bypass NAT for traffic going through the vpn tunnel. The access-list below only does something once a nat 0 statement on the inside interface references it; on its own the ACL exempts nothing.

! don't forget to exempt the private-to-private traffic from nat in your no-nat acl

access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

(where 192.168.1.0/24 is the LOCAL network and 192.168.2.0/24 is the remote site2 network)

! create crypto acl to match tunnel traffic (it should mirror the no-nat acl exactly)

access-list to-site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! create phase 1 policy

crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! configure pre-shared key (note your external vpn peer ip is specified)


tunnel-group 12.140.190.10 type ipsec-l2l

tunnel-group 12.140.190.10 ipsec-attributes
 pre-shared-key s3Cr3T!!k3y


! configure phase 2 transform

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac


! enable ike on the ASA's outside interface (if not done already)

crypto isakmp enable outside

! configure crypto map, we'll use sequence 100 so we can put some peers
! before this sequence should we need to later :)

crypto map outside_crypto_map 100 match address to-site2
crypto map outside_crypto_map 100 set peer 12.140.190.10
crypto map outside_crypto_map 100 set transform-set ESP-AES-128-SHA

! Apply the crypto map on the outside interface (or your outgoing interface name if you do not use the name "outside")

crypto map outside_crypto_map interface outside

Major gotchas

1. Make sure your firewall uses the outgoing interface (the one that has the crypto map applied) to reach your vpn peer's destination network (usually the default route satisfies this condition).

2. Make sure you do not nat vpn traffic (nat 0 statements must be defined in most cases).

3. Make sure no other existing vpn overlaps your destination network (i.e. in this example 192.168.2.0/24 as a destination is UNIQUE to site2).
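The three gotchas can be checked mechanically before you bring the tunnel up. The following Python script is an added example for this page, not code from the original post and not a Cisco tool: it parses the pre-8.3 command forms used above (extended ip access-lists, nat 0, route, crypto map) and reports a problem for each gotcha it finds. The two configs embedded in it are constructed for the example (hypothetical addresses, a second site3 peer, the nat 0 statement that references the no-nat ACL, and a default route); the "bad" one shows a three-octet mask silently emptying the no-nat ACL, an overlapping destination, and a more specific route pulling tunnel traffic out the wrong interface.

```python
"""Lint the three site-to-site VPN gotchas in a pre-8.3 style ASA config.

Added for this page; not Cisco tooling and not the original post's code. It only
understands the command forms used in the post and ignores every other line.
"""
import ipaddress
import re
from itertools import combinations

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: \d+)?$")
CM_MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
CM_IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

# Constructed sample (hypothetical addresses): the post's tunnel plus a second
# peer, the nat 0 statement that references the no-nat ACL, and a default route.
GOOD_CONFIG = """
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list to-site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to-site3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list no-nat
route outside 0.0.0.0 0.0.0.0 12.140.190.1 1
crypto map outside_crypto_map 100 match address to-site2
crypto map outside_crypto_map 110 match address to-site3
crypto map outside_crypto_map interface outside
"""

# Same layout with all three gotchas broken: a three-octet mask that empties the
# no-nat ACL, a second peer whose network overlaps site2, and a more specific
# route that sends that network out the inside interface.
BAD_CONFIG = """
access-list no-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255
access-list to-site2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to-site3 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.128 255.255.255.128
nat (inside) 0 access-list no-nat
route outside 0.0.0.0 0.0.0.0 12.140.190.1 1
route inside 192.168.2.128 255.255.255.128 192.168.1.254 1
crypto map outside_crypto_map 100 match address to-site2
crypto map outside_crypto_map 110 match address to-site3
crypto map outside_crypto_map interface outside
"""


def _net(addr, mask):
    """ASA 'address mask' pair -> IPv4Network; raises ValueError on a malformed mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Collect ACL flows, nat 0 references, routes and crypto-map bindings."""
    acls, nat0_acls, routes, cmap_acl, cmap_iface, problems = {}, set(), [], {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            try:
                acls.setdefault(name, []).append((_net(s_ip, s_mask), _net(d_ip, d_mask)))
            except ValueError:
                problems.append(("bad-mask", line))  # that ACE would otherwise be lost
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m.group(2))
        elif m := ROUTE_RE.match(line):
            iface, ip, mask, _gw = m.groups()
            routes.append((iface, _net(ip, mask)))
        elif m := CM_MATCH_RE.match(line):
            cmap_acl[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := CM_IFACE_RE.match(line):
            cmap_iface[m.group(1)] = m.group(2)
    return acls, nat0_acls, routes, cmap_acl, cmap_iface, problems


def check_vpn_config(text):
    """Return (code, detail) problems; an empty list means all three gotchas pass."""
    acls, nat0_acls, routes, cmap_acl, cmap_iface, problems = parse_config(text)
    exempt = [flow for name in nat0_acls for flow in acls.get(name, [])]
    if not nat0_acls:
        problems.append(("no-nat", "no 'nat (<iface>) 0 access-list <acl>' statement"))
    for (map_name, seq), acl_name in cmap_acl.items():
        iface = cmap_iface.get(map_name)
        for src, dst in acls.get(acl_name, []):
            # Gotcha 2: every crypto ACL flow must be covered by the nat 0 ACL.
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                problems.append(("no-nat", f"{map_name} {seq}: {src} -> {dst} not exempted"))
            # Gotcha 1: the longest-match route to the peer's network must leave
            # via the interface the crypto map is applied to.
            hits = [(r.prefixlen, i) for i, r in routes if dst.subnet_of(r)]
            if iface and hits and max(hits)[1] != iface:
                problems.append(("route", f"{map_name} {seq}: {dst} exits {max(hits)[1]}, map is on {iface}"))
    # Gotcha 3: destination networks must be unique across entries of one crypto map.
    dests = [(key, dst) for key, acl in cmap_acl.items() for _src, dst in acls.get(acl, [])]
    for (ka, da), (kb, db) in combinations(dests, 2):
        if ka[0] == kb[0] and ka != kb and da.overlaps(db):
            problems.append(("overlap", f"{ka[0]}: seq {ka[1]} {da} overlaps seq {kb[1]} {db}"))
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_vpn_config(cfg) or "OK")
```

Run it as-is to see the good config pass and the bad one report five problems; to lint your own box, paste the relevant lines of `show running-config` into a string and call `check_vpn_config` on it. The route check uses longest-prefix match against the static routes it can see, so a default route alone satisfies gotcha 1 exactly as the post says, and a more specific route to the remote network via another interface is what trips it.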

-Joe
