Base Config: ASA Site-to-Site VPN

It doesn't matter how many times I've done this, I always forget one piece. Here's a template for the future:

Assume local subnet 192.168.15.0/24, remote subnet 192.168.16.0/24. Remote public IP 11.11.11.11.

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800

access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map OUTSIDE_MAP 20 match address REMOTE_SITE
crypto map OUTSIDE_MAP 20 set pfs group1
crypto map OUTSIDE_MAP 20 set peer 11.11.11.11
crypto map OUTSIDE_MAP 20 set transform-set ESP-AES-128-SHA
crypto map OUTSIDE_MAP 20 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

nat (inside) 0 access-list REMOTE_SITE

tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
 pre-shared-key ***
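Added example, not code from the post: a small Python generator that renders the template above for one end of the tunnel and derives the mirrored crypto ACL the other ASA needs. It writes subnet masks as the ASA expects (not router-style wildcard masks), rejects a CIDR with host bits set or a malformed peer address, and assumes the same names (REMOTE_SITE, OUTSIDE_MAP, sequence 20), the pre-8.3 `nat 0` exemption syntax, and a pre-shared-key placeholder exactly as in the template.

```python
import ipaddress

def asa_net(cidr):
    """CIDR -> (network, subnet mask). ASA ACLs take subnet masks, not the
    wildcard masks IOS router ACLs use: 255.255.255.0, never 0.0.0.255."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits set is a typo
    return str(net.network_address), str(net.netmask)

def crypto_acl(name, local_cidr, remote_cidr):
    """Interesting-traffic ACL for this end: source = local LAN, destination = remote LAN."""
    ln, lm = asa_net(local_cidr)
    rn, rm = asa_net(remote_cidr)
    return f"access-list {name} extended permit ip {ln} {lm} {rn} {rm}"

def mirror_acl(acl_line):
    """The line the other ASA needs: same networks, source and destination swapped.
    Accepts the 'ex' abbreviation used in the post as well as 'extended'."""
    parts = acl_line.split()
    if len(parts) != 9 or parts[3:5] != ["permit", "ip"] or not "extended".startswith(parts[2]):
        raise ValueError("not a simple ASA extended permit ip ACL: " + acl_line)
    src, smask, dst, dmask = parts[5:9]
    return " ".join(parts[:5] + [dst, dmask, src, smask])

def l2l_config(local_cidr, remote_cidr, peer_ip, acl="REMOTE_SITE", cmap="OUTSIDE_MAP", seq=20):
    """Render the post's template for one end (pre-8.3 'nat 0' exemption syntax).
    The pre-shared key stays a placeholder so a real key never lands in a generated file."""
    ipaddress.ip_address(peer_ip)  # reject a malformed peer address before it reaches the box
    return "\n".join([
        "crypto isakmp enable outside",
        "crypto isakmp policy 10",
        " authentication pre-share",
        " encryption aes",
        " hash sha",
        " group 1",
        " lifetime 28800",
        crypto_acl(acl, local_cidr, remote_cidr),
        "crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac",
        f"crypto map {cmap} {seq} match address {acl}",
        f"crypto map {cmap} {seq} set pfs group1",
        f"crypto map {cmap} {seq} set peer {peer_ip}",
        f"crypto map {cmap} {seq} set transform-set ESP-AES-128-SHA",
        f"crypto map {cmap} {seq} set security-association lifetime seconds 28800",
        f"crypto map {cmap} interface outside",
        f"nat (inside) 0 access-list {acl}",
        f"tunnel-group {peer_ip} type ipsec-l2l",
        f"tunnel-group {peer_ip} ipsec-attributes",
        " pre-shared-key ***",
    ])
```

Run `l2l_config("192.168.15.0/24", "192.168.16.0/24", "11.11.11.11")` for the post's example, and `mirror_acl(...)` on its ACL line to get the remote end's crypto ACL.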

Comments

For this
'access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.0.0 192.168.16.0 255.255.255.0'
Are you telling the access list to ignore the first two octets and make sure the last two are always the same?
If not it should be the opposite way... according to wildcard masks... ?
But judging by your assumptions up the top you're using the /24 mask, so it would be 0.0.255.255 =O

Ben - the ASA uses subnet masks rather than wildcard masks. Only routers use wildcard masks. JC's configuration is accurate.

Nice template!
Do you have a similar template for a Cisco router
(let's say Cisco 877) site-to-site VPN to ASA?
Thanks in advance,
Gilad

Nice, thanks for the template. I always forget something too.
BR,
AL

Hey Jeremy, great job, I am a great fan of you..
I don't know where to post it, so I am posting it here.
You explain the stuff so easily. Today I am CCNA, and that whole I contribute to you. Now I am preparing for my CCSP; one disappointing thing is that SNPA or SNAF is not yours. I hope soon you will make those videos too.
I can fill this page but I know this is not the right place. Jeremy, can I have your e-mail id? You asked in your CCNA Voice whether in India the telephone wires really are like that. Yes it is, I am from India.. Learning with you is fun and great..
Keep it up,
Thanks
Praveen

Three words. VPN Tunnel Wizard! I find that if I don't use this I always forget a piece or two as well.
Cheers!

5/14/2009
Hey I was wondering if you could refer someone (or if you yourself might be interested) for a position I have available in Milwaukee WI for a certified CCIE (written & lab, must have #). This is an immediate need and we're looking for a full-time hire. Please get back to me, I can be reached at gblackman@visiongroupllc.com. Thanks.
Best Regards,
Gavin Blackman
Managing Partner / Recruiting
Vision Group Associates, LLC
gblackman@visiongroupllc.com

Man, you are relentless. Thinking about vpn configs at 5 in the morning! ;-)

Hi Jer
Greetings! I am a BIIIIIGGGG Fan of yours. Got everything you've done and put out there for us (Videos and Books). I've got them all thanks to you. a) CCENT 950 (your book & CBT) b) CCNA 975 (your book & CBT) c) CCNA-Voice 979 (Ditto). May God continue to Bless you and yours. Thanks again Jeremy.
Philbert - Jamaica, NY

Hi Jer,
Greetings! Are you likely to do any training materials for the IIUC2 (IPX) 642-145 exam? I'm so in love with the CUCME/CUE. Can't get enough of it. Addicted :) Please help again if you can. Phank you much.
Philbert - Jamaica, NY

You've got everything he has done - books and videos? That must have been expensive.

Knowledge is not cheap, my friend, and most of all he makes learning enjoyable. Yes, everything that I can get my hands on. "Light bulbs" go on in my head on topics that were once difficult to comprehend by other means. I'm very happy. Reading his books is like listening to the videos without sound :)
Philbert - Jamaica, NY

Is that an older IOS the template is for? Doesn't the crypto map support the same sub-levelness of access-lists for brevity of command input?

Hi JC/Everyone,
Great site! I am trying to configure two Cisco ASA 5505 Version 8.0(2) for IPSEC site-to-site VPN using your configuration template to no success. Nothing even initiates. Would that suggest that my ASAs are broken?
Also, once connected, I would like the default route configured on the second ASA (it would become remote when I send it to the remote office) so that it uses the default route of the first one (basically to use the internet in the central office). Any help would be much appreciated.
Thanks,
JD

Great job!
Thanks!

I just wanted to say thanks for posting this. I found this very easy to setup and it worked right out of the gate. You ROCK!

Just today I met with trouble configuring an L2L VPN between an ASA and a router. The tunnel was coming up and down constantly. All of the configs were correct and I was confused why this could happen, till I noticed that the ASA was trying to send its FQDN to the router as the Phase 2 ID (like asavpn.invalid.domain).
So, if any of you meet a problem like this, enter the command listed below:
(config)#crypto isakmp identity address

Hey Jer!
Thanks man, I do appreciate all your good work..... but I have this mind-bugging question that I have been wanting to ask ever since I saw your SNRS CBT Nuggets video.
I know at one point, while creating EZVPN on a router, particularly while creating the real crypto map to attach the dynamic crypto map to, you said something like there might be other crypto maps existing on the router. I might be wrong with what I heard but just curious... Now my question is: is it possible to have a site-to-site VPN existing on a particular router, and on top of it slam EZVPN configs too, right on the same router and with a single WAN interface, say an f0/1 that holds both VPN configs? If it's possible could you please tell me how!!! I must be honest about this. I am trying to configure just that for my corporate network.
Thanks Jer!

Maybe I am stupid to ask this, but I want to clarify the below:
access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
nat (inside) 0 access-list VPNTRAFFIC
access-list VPNTRAFFIC ex permit ip 192.168.15.0 255.255.255.0 192.168.16.0 255.255.255.0
Can I restrict inside traffic coming from the tunnel using the VPNTRAFFIC ACL without disturbing the tunnel...??

I'm having a similar issue as JD above... I have two ASA 5505's and I'm attempting to join them. I have two existing Site-to-Site connections that work flawlessly, but this past week I've tried adding two more... neither of which will even initiate a connection... and unless something is wrong, I can't even see any attempts to connect in the debugging log views.
Any ideas?

Shouldn't this be the other way: the VPN traffic is coming from the remote and should be allowed into the local site?
'access-list REMOTE_SITE ex permit ip 192.168.15.0 255.255.0.0 192.168.16.0 255.255.255.0'
Should be:
'access-list REMOTE_SITE ex permit ip 192.168.16.0 255.255.0.0 192.168.15.0 255.255.255.0'

Dear Jerm,
Can you explain to me what RRI is...??? And what is the advantage??
