Re: Possible to have L2L IPSEC (Dynamic IP address) clients and

From: Martin Hogan <martin.john.hogan_at_gmail.com>
Date: Fri, 14 May 2010 13:04:42 +1000

Joseph, champion - works great now.

I owe you a beer/social beverage of choice.

Cheers
Martin

On Fri, May 14, 2010 at 7:34 AM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:

> Yes, this is quite basic to do; the group matching ike feature is quite
> powerful and knows what to authenticate who and apply policy against;
>
> Check it-
>
> (this is a change request to add dynamic ipsec l2l to an existing asa/pix with
> dynamic clients;
>
> Task 1: Configure nat bypass on Colo Firewall
>
> 1. Remove static nat
>
> access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 192.168.225.0 255.255.255.0
>
> Task 2: Configure dynamic crypto map entry and policies to permit ASA 5505
> client connections
>
> 1. Choose ESP-AES-128-SHA (much better in CPU than 3DES/MD5)
>
> crypto isakmp policy 10
> authentication pre-share
> encryption aes
> hash sha
> group 2
> lifetime 86400
>
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
>
> 2. Configure dynamic crypto map entry
>
> crypto dynamic-map dyn-remote 10 set transform-set ESP-AES-128-SHA
> crypto dynamic-map dyn-remote 10 set reverse-route
>
> 3. Create pointer in main Crypto ACL to dynamic rule for ASA 5505's
>
> crypto map outside_map 65534 ipsec-isakmp dynamic dyn-remote
>
> 4. Configure Default Lan to Lan group with pre-shared-key
>
> tunnel-group DefaultL2LGroup ipsec-attributes
> pre-shared-key <preshare key>
>
> here is the total conf; (it's doing static l2l, dynamic l2l, and dynamic
> client)
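As an added example (not from Joseph's post or any Cisco tool), a small Python checker that parses an ASA fragment like the one quoted above and flags what a reviewer would look for: ISAKMP policies still on 3DES/MD5 or a short DH group, a dynamic-map that is not attached to the crypto map or lacks reverse-route, and a DefaultL2LGroup without a pre-shared key. The sample config and the PLACEHOLDER-KEY value are constructed.

```python
# Constructed sample: the fragment from the post above plus a deliberately weak
# second ISAKMP policy, so the checker has something to flag.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 1
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map dyn-remote 10 set transform-set ESP-AES-128-SHA
crypto dynamic-map dyn-remote 10 set reverse-route
crypto map outside_map 65534 ipsec-isakmp dynamic dyn-remote
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
"""
# Settings to flag: DES/3DES, MD5, and MODP groups shorter than 2048 bits.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
def parse_blocks(config):
    """Map each top-level command to its sub-commands (ASA indents those with a space)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks
def audit(config):
    """Return findings about the dynamic L2L setup; an empty list means nothing was flagged."""
    findings, blocks = [], parse_blocks(config)
    for head, subs in blocks.items():
        if head.startswith("crypto isakmp policy "):
            for key, _, value in (s.partition(" ") for s in subs):
                if value in WEAK.get(key, ()):
                    findings.append(f"isakmp policy {head.split()[-1]}: weak {key} {value}")
    # Each dynamic-map must hang off the crypto map and inject a route for the peer's subnet.
    dyn = {h.split()[2] for h in blocks if h.startswith("crypto dynamic-map ")}
    used = {h.split()[-1] for h in blocks if " ipsec-isakmp dynamic " in h}
    findings += [f"dynamic-map {n} not referenced by any crypto map" for n in dyn - used]
    for n in dyn:
        if not any(h.startswith(f"crypto dynamic-map {n} ") and h.endswith(" set reverse-route") for h in blocks):
            findings.append(f"dynamic-map {n}: missing 'set reverse-route'")
    # One PSK on DefaultL2LGroup authenticates every dynamic peer, so it must be present and strong.
    l2l = blocks.get("tunnel-group DefaultL2LGroup ipsec-attributes", [])
    if not any(s.startswith("pre-shared-key ") for s in l2l):
        findings.append("DefaultL2LGroup: no pre-shared-key configured")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the four findings for the sample; feed it `show running-config` output for a real box.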

Received on Fri May 14 2010 - 13:04:42 ART
