
Template: VPN

Dynamic VPN (aka remote-access VPN) template

access-list vpn_dyn perm ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ip local pool remote_users 192.168.1.1-192.168.1.254

group-policy remote internal
group-policy remote attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_dyn

crypto ipsec transform-set AES-SHA-HMAC esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set AES-SHA-HMAC
crypto map public_map 10000 ipsec-isakmp dynamic dynmap
crypto map public_map interface outside
crypto isakmp identity address
crypto isakmp enable outside

isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800

tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
 address-pool remote_users
 default-group-policy remote

tunnel-group remote ipsec-attributes
 pre-shared-key mypresharedkey


Don't forget to set up NAT exemption (nonat) for the remote_users pool, 192.168.1.0 255.255.255.0.
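The NAT exemption the note above refers to, as an added example that is not part of the original template: it assumes the inside interface is named inside and that the protected LAN is 10.1.1.0/24 as in the vpn_dyn access-list; the first variant is pre-8.3 syntax, the second is the 8.3+ equivalent using network objects.

```cisco
! NAT exemption for remote-access clients (added example; assumes interface "inside"
! and LAN 10.1.1.0/24 taken from the vpn_dyn access-list above)
!
! --- ASA 8.2 and earlier: identity NAT via "nat 0" and an access-list ---
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! --- ASA 8.3 and later: manual (twice) NAT with network objects ---
object network inside_lan
 subnet 10.1.1.0 255.255.255.0
object network remote_users_pool
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static inside_lan inside_lan destination static remote_users_pool remote_users_pool no-proxy-arp route-lookup
!
! Verify: "show nat" should list the rule with translate_hits/untranslate_hits
! incrementing once a client passes traffic, and "show crypto ipsec sa" should
! show the #pkts encaps/decaps counters rising for that client.
```

Apply only the variant that matches the ASA software version; the two NAT syntaxes are not valid together on one box.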



LAN-to-LAN (peer to peer) VPN

Sample Config:

<define crypto30 as interesting traffic using crypto30_remote and crypto30_local object groups>
crypto map map1 30 set peer 8.8.8.1
crypto map map1 30 set transform-set 3DES-SHA-HMAC
crypto map map1 30 match address crypto30
tunnel-group 8.8.8.1 type ipsec-l2l
tunnel-group 8.8.8.1 ipsec-attributes
 pre-shared-key *
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2

Reset VPN tunnel

clear isakmp sa
clear crypto isakmp sa
