I have some questions and/or wanted to bounce some configuration off you all.
I am setting up a VPN site-to-site tunnel with the following information. Can some of you ASA geniuses let me know if I've messed up or am missing something? I've included the other end's requirements followed by my config changes.
They will not allow our private networks to come in as private IP addresses and require us to hit them using a public address, so I created a Dynamic Policy NAT rule to translate any user to one IP address if it's hitting their gateway (shown as 555.555.555.555).
I appreciate any help.
Public IP gateway: 111.111.111.111
Encryption Domain Networks: 100.200.300.400
Port: 22
PHASE 1 Tunnel Properties
PSK: xxxxxxxxx
Encryption Scheme: IKE
Diffie-Hellman Group: Group 5
Encryption Algorithm: AES 128
Hashing Algorithm: SHA
Mode: Main Mode
SA Lifetime: 3600 Seconds
PHASE 2 Tunnel Properties
Encapsulation: ESP
Encryption Algorithm: AES 128
Authentication Algorithm: SHA
Perfect Forward Secrecy: Enabled
Diffie-Hellman Group: Group 5
SA Lifetime: 3600 Seconds
SA Lifetime by Traffic: 4,608,000 kbs
access-list inside_nat_outbound_2 line 1 extended permit udp any host 100.200.300.400 eq 22
nat (inside) 4 access-list inside_nat_outbound_2 tcp 0 0 udp 0
global (outside) 4 555.555.555.555 netmask 255.255.255.255
access-list inside_nat0_outbound line 13 extended permit ip 555.555.555.555 host 100.200.300.400
access-list outside_1_cryptomap line 1 extended permit ip 555.555.555.555 host 100.200.300.400
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
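A quick sanity check, added here as an example (not code from the post or from Cisco), that parses the policy NAT and crypto map lines above and reports whether the nat/global pair, the NAT ACL protocol and the crypto ACL source line up. It assumes the ASA 8.2-style nat/global syntax shown in the post and that the partner's port 22 is TCP (SSH); on the posted lines it flags the udp ACE and the crypto ACL source written without the host keyword.

```python
import re
# Constructed copy of the policy-NAT and crypto-map lines from the post (placeholder IPs kept).
POSTED_LINES = """\
access-list inside_nat_outbound_2 line 1 extended permit udp any host 100.200.300.400 eq 22
nat (inside) 4 access-list inside_nat_outbound_2 tcp 0 0 udp 0
global (outside) 4 555.555.555.555 netmask 255.255.255.255
access-list outside_1_cryptomap line 1 extended permit ip 555.555.555.555 host 100.200.300.400
crypto map outside_map 1 match address outside_1_cryptomap
"""
ACL_RE = re.compile(r"access-list (\S+)(?: line \d+)? extended permit (\S+) (.+)")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_acls(cfg):
    """Map ACL name -> list of (protocol, remaining ACE tokens) for extended permit ACEs."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).split()))
    return acls

def source_of(tokens):
    """Source address of an ACE, or None when the 'host' keyword / mask is missing."""
    if tokens[0] == "host" and len(tokens) > 1:
        return tokens[1]
    if len(tokens) > 1 and IP_RE.match(tokens[0]) and IP_RE.match(tokens[1]):
        return tokens[0]  # address-plus-mask form
    return None  # bare address: the ASA parser does not accept this form

def check_tunnel(cfg, port_proto="tcp"):
    """Findings about how the policy NAT pairs with the crypto ACL; [] means consistent."""
    findings, acls = [], parse_acls(cfg)
    nat = re.search(r"nat \(\w+\) (\d+) access-list (\S+)", cfg)
    glob = re.search(r"global \(\w+\) (\d+) (\S+) netmask", cfg)
    cmap = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg)
    if not (nat and glob and cmap):
        return ["nat, global or crypto map line missing"]
    if nat.group(1) != glob.group(1):  # policy NAT and global must share a NAT id
        findings.append(f"nat id {nat.group(1)} does not pair with global id {glob.group(1)}")
    for proto, _ in acls.get(nat.group(2), []):  # port 22 (SSH) is TCP, so a udp ACE never matches
        if proto != port_proto:
            findings.append(f"{nat.group(2)} matches {proto}; port-22 traffic is {port_proto}")
    for _, tokens in acls.get(cmap.group(1), []):  # crypto ACL source must be the translated address
        src = source_of(tokens)
        if src is None:
            findings.append(f"{cmap.group(1)}: source {tokens[0]} needs 'host' or a mask")
        elif src != glob.group(2):
            findings.append(f"{cmap.group(1)}: source {src} is not the NAT address {glob.group(2)}")
    return findings
```

Run `check_tunnel(POSTED_LINES)` to list the findings; an empty list means the three pieces agree.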