Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Site to Site VPN Tunnel

Status
Not open for further replies.

beeceee

Technical User
May 5, 2010
5
US
I have some questions and or wanted to bounce some configuration off you all

I am setting up a VPN site to site tunnel with the following information. Can some of you ASA geniuses let me know if I've messed up or missing something? I've included the other ends requirements followed by my config changes.
They will not allow our private networks to come in as private IP address and require us to hit them using public address so I created a Dynami Policy Nat Rule to translate any user to one IP address if it's hitting there gateway. (Shown as 555.555.555.555)

I appreciate any help.

Publip IP gateway: 111.111.111.111
Excryption Domain Networks: 100.200.300.400
Port: 22

PHASE 1 Tunnel Properties
PSK: xxxxxxxxx
Encryption Scheme: IKE
Diffie-Hellman Group: Group 5
Encryption Algorithm: AES 128
Hashing Algorithm: SHA
Mode: Main Mode
SA Lifetime: 3600 Seconds

PHASE 2 Tunnel Properties
Encapsulation: ESP
Encryption Algorithm: AES 128
Anthentication Algorithm: SHA
Perfect Forward Secrecy: Enabled
Diffie-Hellman Group: Group 5
SA Lifetime: 3600 Seconds
SA Limetime by Traffic: 4,608,000kbs

access-list inside_nat_outbound_2 line 1 extended permit udp any host 100.200.300.400 eq 22
nat (inside) 4 access-list inside_nat_outbound_2 tcp 0 0 udp 0
global (outside) 4 555.555.555.555 netmask 255.255.255.255



access-list inside_nat0_outbound line 13 extended permit ip 555.555.555.555 host 100.200.300.400
access-list outside_1_cryptomap line 1 extended permit ip 555.555.555.555 host 100.200.300.400
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
 
They aren't, however I did manage to figure this one out. I made the configuration more concise, using the same crypto map for both types of connections and baom, they both came up without issue. Thank you for looking at my problem.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top