
8/22/2017 Cisco ASA Site-to-Site VPN Configs

Cisco ASA Site-to-Site VPN Configs

This document contains the configuration settings for each of two Cisco ASA
Security Appliances in a site-to-site VPN configuration, based on the following
diagram. These are not complete configs for the appliance; they are only the VPN
portion of the config. The configuration is based on ASA software version 8.3 and
will not work with earlier versions.

This is the companion documentation for our video Cisco ASA Site-to-Site VPN
Configuration.

Note: The diagram and configs are for use in a lab setting. In the real world,
each ASA will have a different gateway address and it won't be a private
address such as the one indicated here. You must modify your settings
before using these configs in the real world.

The diagram is at the bottom of this document.

Configurations

ASA01

object network net-local
subnet 192.168.101.0 255.255.255.0
object network net-remote
subnet 192.168.102.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.12
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1

ASA02

object network net-local
subnet 192.168.102.0 255.255.255.0
object network net-remote
subnet 192.168.101.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
pre-shared-key pass1234
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 192.168.0.11
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
route outside 0 0 192.168.0.1
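
The two configs above only bring the tunnel up if they mirror each other. The following added example (not part of the original page) parses the VPN lines of both sides, lists settings that disagree, and flags algorithms that are weak by current standards; the function names, field names and the WEAK table are this example's own assumptions.

```python
import re

# VPN-relevant lines from the page's configs; only subnets and peer differ per side.
TEMPLATE = """\
access-list outside_1_cryptomap permit ip {l} 255.255.255.0 {r} 255.255.255.0
tunnel-group {p} ipsec-attributes
pre-shared-key pass1234
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer {p}
"""
ASA01 = TEMPLATE.format(l="192.168.101.0", r="192.168.102.0", p="192.168.0.12")
ASA02 = TEMPLATE.format(l="192.168.102.0", r="192.168.101.0", p="192.168.0.11")

# One regex per setting; each captures the value(s) compared between the peers.
FIELDS = {
    "acl": r"^access-list \S+ (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$",
    "tunnel_group": r"^tunnel-group (\S+) ipsec-attributes$",
    "psk": r"^\s*pre-shared-key (\S+)$",
    "encrypt": r"^crypto isakmp policy \d+ encrypt\w* (\S+)$",
    "hash": r"^crypto isakmp policy \d+ hash (\S+)$",
    "group": r"^crypto isakmp policy \d+ group (\S+)$",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "pfs": r"^crypto map \S+ \d+ set pfs (\S+)$",
    "peer": r"^crypto map \S+ \d+ set peer (\S+)$",
}

def parse(cfg):
    """Return {field: tuple of captured values, or None if the line is absent}."""
    found = {n: re.search(rx, cfg, re.M) for n, rx in FIELDS.items()}
    return {n: m.groups() if m else None for n, m in found.items()}

def mismatches(a, b):
    """Settings that must agree for the two sides to form the tunnel, but do not."""
    bad = [f for f in ("psk", "encrypt", "hash", "group", "transform", "pfs") if a[f] != b[f]]
    if a["acl"] is None or b["acl"] is None or a["acl"] != b["acl"][::-1]:
        bad.append("acl")  # crypto ACLs must be exact mirror images
    bad += [f"peer({n})" for n, c in (("a", a), ("b", b)) if c["peer"] != c["tunnel_group"]]
    return bad

# Assumption (not from the page): the values this example treats as weak.
WEAK = {"encrypt": {"des", "3des"}, "group": {"1", "2"}, "pfs": {"group1", "group2"}}
def weak_settings(c):
    return sorted(f for f, vals in WEAK.items() if c[f] and c[f][0] in vals)

if __name__ == "__main__":
    print(mismatches(parse(ASA01), parse(ASA02)), weak_settings(parse(ASA01)))
```

On the page's configs the mismatch list is empty, while the encryption, DH group and PFS settings are all flagged as weak.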


https://www.soundtraining.net/i-t-tutorials/cisco-tutorials/47-cisco-asa-site-to-site-vpn-configs
