You probably want to avoid port selectors when configuring a site-to-site tunnel; it will affect performance. Your interesting-traffic ACL should read 'access-list permit ip host <your host> host <their host>'. If you want to limit what comes across the tunnel, turn off sysopt permit-vpn and filter on your outside ACL.
-ryan
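The posted configuration rewritten along the lines of the reply above, as an added example (not code from either poster). It assumes pre-8.3 ASA syntax, matching the posted `static (inside,outside)`, and it assumes the IKE peer is the remote edge 97.65.105.5 drawn in the diagram rather than the server 66.94.3.71 used in the posted crypto map; confirm that with the far end before copying anything. Two lines the post did not contain are added and marked: `crypto map outside_map interface outside`, without which the map never applies, and an inbound outside ACL for the case where the remote initiates.

```text
! Added example, not the original poster's config. Pre-8.3 syntax.
name 10.15.10.45 SM-internal
name 38.105.120.78 SM-external
static (inside,outside) SM-external SM-internal netmask 255.255.255.255
!
! Crypto ACL: host-to-host, "permit ip", no port selector.
! Assumption: on an 8.2-style ASA the static translation is applied before the
! crypto map is evaluated, so the local side of the selector is the translated
! address (38.105.120.78) that the far end has been told to expect.
access-list outside_SM extended permit ip host SM-external host 66.94.3.71
!
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Peer assumed from the diagram (remote Internet edge), not from the posted map.
crypto map outside_map 1 match address outside_SM
crypto map outside_map 1 set peer 97.65.105.5
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
! Missing from the post: bind the map to the interface or nothing is encrypted.
crypto map outside_map interface outside
tunnel-group 97.65.105.5 type ipsec-l2l
tunnel-group 97.65.105.5 ipsec-attributes
 pre-shared-key *
!
! Stop decrypted VPN traffic from bypassing the outside ACL, then admit only the
! application port. Pre-8.3, an inbound ACL on outside matches the translated
! (public) address. The posted crypto ACL implies the local server connects out
! to remote port 9071; stateful inspection admits those returns on its own, so
! the permit below is only needed if the remote side also initiates.
no sysopt connection permit-vpn
access-list outside_in extended permit tcp host 66.94.3.71 host SM-external eq 9071
access-group outside_in in interface outside
```

To check it, generate traffic from 10.15.10.45 to 66.94.3.71 and look at `show crypto isakmp sa` (phase 1 should show QM_IDLE / MM_ACTIVE) and `show crypto ipsec sa`, where the encaps and decaps counters for the 38.105.120.78/32 to 66.94.3.71/32 pair should both increase; a rising encaps with zero decaps usually means the far end has a different selector or peer.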
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Cisco Fanatic
Sent: Tuesday, October 19, 2010 7:25 PM
To: ccielab_at_groupstudy.com
Subject: site-to-site vpn
I am trying to configure a site-to-site VPN on an ASA. I don't have access to the equipment on the other side, so I can't really, but the person has been generous enough to share the parameters which I need to configure on my end to make it work. I only have a couple of hours to get it working so that I can check it off my to-do list from a CCIE standpoint :(.
Appreciate any help.
What I am trying to do: there is a remote server, 66.94.3.71, and I have a local server, 10.15.10.45, which should be seen by the outside world as 38.105.120.78.
[Local] ---38.105.120.66 --- INTERNET --- 97.65.105.5 -- [Remote] --- 66.94.3.71
   !
   !
38.105.120.78
   !
[10.15.10.45]
Config
++++
name 10.15.10.45 SM-internal
name 38.105.120.78 SM-external
static (inside,outside) SM-external SM-internal netmask 255.255.255.255
object-group network mob_SM_Networks
network-object 66.94.3.71 255.255.255.255
object-group service SM tcp
port-object eq 9071
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list outside_SM extended permit tcp host SM-internal host 66.94.3.71 object-group SM
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_SM
crypto map outside_map 1 set peer 66.94.3.71
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
tunnel-group 66.94.3.71 type ipsec-l2l
tunnel-group 66.94.3.71 ipsec-attributes
 pre-shared-key *
Thanks,
-Yuri
Received on Tue Oct 19 2010 - 23:32:47 ART