Skip to main content

How to configure Site-to-Site VPN on Cisco ASA?

How to configure Site-to-Site VPN on Cisco ASA?

Access-Lists
Add the ACLs which we will need to NAT, the encryption domain and the group policy.
access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN
Group Policy
Create your group policy which will restrict traffic between hosts within your encryption domain.
group-policy Example_Policy internal
group-policy Example_Policy attributes
vpn-filter value Example_Policy_ACL
default-group-policy Example_Policy
NAT
Add your No NAT for traffic within the encryption domain
nat (outside) 0 access-list Example_VPN_ACL
Tunnel Group
Create your tunnel group which will include your pre-shared key.
tunnel-group [Peer IP] type ipsec-l2l
tunnel-group [Peer IP] general-attributes
default-group-policy Example_Policy
tunnel-group [Peer IP] ipsec-attributes
pre-shared-key [pre-share key]
Phase 1
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption [?]
hash [?]
group [?]
lifetime [secs]
Phase 2
crypto ipsec transform-set [transform set name] esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside set transform-set [transform set]
crypto map outside 20 match address Example_VPN_ACL
crypto map outside 20 set peer [Peer IP]
crypto map outside 20 set security-association lifetime seconds [secs]
Labels:

Comments

Post a Comment

Popular posts from this blog

How to modify SSH/HTTP/Telnet time out in Cisco ASA firewall?

How to modify SSH/HTTP/Telnet time out in Cisco ASA firewall? By default tcp idle timeout is 1:0:0 hh:mm:ss. If in case you need to modify it you can do it by MPF (Modular Policy Framework). Let us setup a custom timeout when traffic is coming from particular host 10.77.241.129. !— Match the traffic using the access-list —! object-group service DM_INLINE_TCP_1 tcp port-object eq www port-object eq ssh port-object eq telnet access-list outside_mpc extended permit tcp host 10.77.241.129 <source ip> any object-group DM_INLINE_TCP_1 !— Define the class map Cisco-class –! class-map Cisco-class match access-list outside_mpc !— Call this class-map into policy map and set the connection reset after 10 min when traffic is coming from particular host —! policy-map Cisco-policy class Cisco-class set connection timeout idle 0:10:00 reset !— Apply the policy-map Cisco-policy on the interface. —! service-policy Cisco-p...
Post a Comment
Read more

Checkpoint firewall common commands part 2

Checkpoint firewall common commands part 2 For basic firewall informaton gathering: fgate stat -Status and statistics of Flood-Gate-1. fwaccel <stat|stats|conns>  – View status, statistics or connection table of SecureXL. fw getifs -Show list of configured interfaces with IP and netmask. cpstat <app_flag> [-f flavour] -View OS, HW and CP application status. Issue cpstat without any options to see all possible application flags <app_flag> and corresponding flavours. Examples: cpstat fw -f policy – verbose policy info cpstat os -f cpu – CPU utilization statistics cpinfo -y all   -List all installed patches and hotfixes. cpd_sched_config print -Show task scheduled with CPD scheduler. enabled_blades -View enabled software blades avsu_client [-app <app>]   , get_version <app>  -Get signature version and status of content security .Without the -app option “Anti Virus” is used. show co...
Post a Comment
Read more

CLI Commands for Troubleshooting FortiGate Firewalls

CLI Commands for Troubleshooting FortiGate Firewalls 2015-12-21 Fortinet , Memorandum , Network Cheat Sheet , CLI , FortiGate , Fortinet , Quick Reference , SCP , Troubleshooting Johannes Weber This blog post is a list of common troubleshooting commands I am using on the FortiGate CLI . It is not complete nor very detailled, but provides the basic commands for troubleshooting network related issues that are not resolvable via the GUI. I am not focused on too many memory, process, kernel, etc. details. These must only be used if there are really specific problems. I am more focused on the general troubleshooting stuff. I am using it personally as a cheat sheet / quick reference and will update it from time to time. Coming from Cisco, everything is “show”. With Fortinet you have the choice confusion between show | get | diagnose | execute . Not that easy to remember. It is “ get router info6 routing-table” to show the routing table but “ diagn...
Post a Comment
Read more