Template: VPN

CiscoASA‎ > ‎

Dynamic VPN (aka, remote VPN) template

access-list vpn_dyn perm ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_dyn perm ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

ip local pool remote_users 192.168.1.1-192.168.1.254

group-policy remote internal
group-policy remote attributes
vpn-idle-timeout none
vpn-session-timeout none
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn_dyn

crypto ipsec transform-set AES-SHA-HMAC esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set AES-SHA-HMAC
crypto map public_map 10000 ipsec-isakmp dynamic dynmap
crypto map public_map interface outside
crypto isakmp identity address
crypto isakmp enable outside

isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800

tunnel-group remote type ipsec-ra
tunnel-group remote general-attributes
address-pool remote_users
default-group-policy remote

tunnel-group remote ipsec-attributes
pre-shared-key mypresharedkey

Don't forget to setup nonat for 192.168.1.0 255.255.255.0

LAN-to-LAN (peer to peer) VPN

Sample Config:

<define crypto30 as interesting traffic using crypto30_remote and crytpo30_local object groups>
crypto map map1 30 set peer 8.8.8.1
crypto map map1 30 set transform-set 3DES-SHA-HMAC
crypto map map1 30 match address crypto30
tunnel-group 8.8.8.1 type ipsec-l2l
tunnel-group 8.8.8.1 ipsec-attributes
 pre-shared-key *
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2

Reset VPN tunnel

clear isakmp sa
clear crypto isakmp sa

Comments

	Search this site