
How to configure Site to Site VPN on a Cisco ASA
AID: 1276
Status: Published
12,775 points
Jay_Gridley
Type: Tutorial
Posted on 2009-08-04 at 04:34:02
Awards: Community Pick, Experts Exchange Approved
How to configure Site to Site VPN on a Cisco ASA. (version: 1.1 - updated August 6, 2009)
Index
[Preface]
1. [Introduction]
2. [The situation]
3. [Getting started]
4. [Interesting traffic]
5. [NAT0]
6. [Transform-sets]
7. [Crypto map]
8. [Isakmp policy]
9. [Tunnel-group]
10. [Wrap-up]
[Preface]
--------------------
Looking through the questions asked here at Experts-Exchange, I noticed that even though the ASA has improved a lot in terms of accessibility for new users, there are still a lot of questions asked about setting up VPN's. There is a lot to be said about VPN's and the different types of VPN: site to site, remote access IPSec, client-less, SSL, DMVPN... It would be difficult to add all the specifics at once. But to accommodate those who are new to ASA's I figured it might be helpful to have a point to get started.
So I decided to write a how to, on how to get started on the most basic of VPN's: configuring a site to site VPN from the CLI, with descriptions for each step. Hopefully I will be able to provide new ASA users with a place to get started or maybe the ability to do some basic troubleshooting.
I would also like to add that setting up a VPN through the ASDM using the VPN wizard is extremely easy. That's why I've focused on the CLI part. I find that although setting up a VPN through the wizard is easy, you can easily get in trouble if it does NOT work and you are forced to troubleshoot through the CLI. I hope this article will provide help with setting up, troubleshooting and understanding site to site VPN configurations.
For a step by step guide on configuring through the wizard you can look at the Cisco site: Cisco ASA 5500 Getting Started Guide
So let's get started.
1. [Introduction]
--------------------
Before starting to configure a site to site VPN let's first have a quick look at what a VPN is. VPN stands for Virtual Private Network and it is basically a connection from one location to another that provides a LAN-like connection experience to the user over an unmanaged WAN link. This means that if you have a corporate LAN with services like e-mail or Intranet that can only be accessed from your local office, you can use a VPN to connect remote users or sites to the network as though they were locally connected, using their Internet connection.
The above is accomplished by creating a secure tunnel over an unsecured Internet link and defining which traffic should be routed over this tunnel; the remote users can then access local services seamlessly. Of course the bandwidth is still limited by the Internet connections available at both sites, but a VPN tunnel is still a secure and often used way to connect branch offices, home users and the like.
In general there are two types of VPN:
- Remote access
- Site to site
REMOTE ACCESS
Remote access VPN, or easy VPN as it is often named, is the home user version of VPN. You typically install a client on a pc or laptop (or you use a client-less portal on the ASA), the user sets up a connection to the office, logs on with a username and password and is granted access to the LAN. Once the tunnel is in place he can work and access servers as though he was at the office. The tunnel can be built over IPSec or SSL. When done he can disconnect the VPN connection.
SITE-TO-SITE
Site-to-site VPN is often used for branch offices, when there is a manageable number of branch offices. You place a VPN device like a Cisco ASA or a Cisco router at both sites. You configure both devices to set up a tunnel with each other. The whole remote office can now use this tunnel at the same time (whereas with remote access VPN only the pc on which the tunnel is set up can use the tunnel) to access resources at the main office. Since the devices keep the tunnel up, the tunnel usually stays up permanently. This is the VPN I want to discuss in this article.
The tunnel setup occurs in 2 phases. In the first phase a secure "management connection" called a security association is created. This connection is then used to pass the keys over to the other device. Those keys are then used to set up phase 2 of the tunnel, the IPSec. IPSec is the secure connection over which all data traffic is sent.
2. [The situation]
--------------------
In order to give some explanations it would be helpful to create some examples. In order to do this I will create a situation which I will use for future reference.
Consider a company with a 100 user main office. It's got a couple of servers on its LAN for things like mail and Intranet and uses a Cisco ASA 5520 as an Internet gateway. The corporate LAN network is 10.0.0.0/24 and the gateway (ASA) has an inside address of 10.0.0.254 and an outside address of 1.1.1.1.
This company recently expanded and a branch office with 10 users is opened in another city. This office has 10 pc's and no servers. They have an Internet connection available and for security purposes an ASA 5510 has been installed as a firewall. The branch office LAN is 192.168.0.0/24 and the gateway (ASA) has an inside address of 192.168.0.254 and an outside address of 1.1.1.2.
Here's a visual display of a small network setup:
Branch Main
1.1.1.2 1.1.1.1
----- -----
192.168.0.0/24 |ASA|---------------------------|ASA| 10.0.0.0/24
----- -----
192.168.0.254 10.0.0.254

NOTE: I have used the 1.1.1.0 network on the WAN side for purposes of easy typing. Please note that these are real addresses and actually belong to real people. Please don't use them outside of a lab environment.
The company wants the branch office connected to the main office using site to site VPN.
3. [Getting started]
--------------------
Now it's time to do some configuring. Since this is a how to on VPN and not on ASA's in general I will assume that you are accustomed to ASA's, accessing the command line and setting up a working Internet connection. If not, you can post to the forums and the experts will gladly help you get to that point. :-)
To get your VPN going you will need the following parts in your configuration:
- an access-list defining interesting traffic
- an access-list exempting your VPN traffic from NAT (NAT0)
- a crypto IPSec transform-set defining your IPSec encryption
- a crypto map defining the actual IPSec tunnel
- a crypto isakmp policy defining your 'negotiation settings' for phase 1
- a tunnel-group defining attributes of the tunnel
When troubleshooting you should make sure that the above parts are present in your config. If they are you are usually well underway.
Next, make sure that your NAT exempt access-list is actually referenced (see under the NAT0 chapter), that your crypto map is correctly applied to an interface (see the crypto map chapter) and that isakmp is globally enabled (see the isakmp policy chapter).
I will now cover all the separate steps one by one and try to give an explanation of what each part does and what it should look like. The order in which I reference the different commands is not necessarily the best order to configure a VPN tunnel. I've chosen this order because this is the order in which it will appear in a config, hopefully making it easier when troubleshooting to go through your config step by step and see if all is set up correctly.
4. [Interesting traffic]
--------------------
When creating a VPN tunnel you have to tell the ASA which traffic must be sent through the tunnel. The traffic which goes through is called "interesting traffic". You create this selection using an access-list.
On a site to site VPN you configure both sides of the tunnel. Be aware that you create an access-list on each side and that they actually mirror each other. On the first site you tell the ASA you want to tunnel traffic from the main site to the branch office. On the other you are on the branch site so you tell the ASA to tunnel traffic from the branch site to the main site.
It might seem obvious, but it's quite often overlooked.
Let's create the commands to see how it looks:
access-list VPN_cryptomap extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
As you can see this is an access-list created at the main office, as it tells the ASA that traffic from the 10.0.0.0 network to the 192.168.0.0 network should be put into the tunnel. All other traffic will not be treated as interesting for the tunnel and will proceed the normal way through the ASA.
Now let's look at the access-list that you would use on the branch site:
access-list VPN_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
Note again how the traffic selection is reversed to select traffic specifically going from the branch office to the main office.
Of course this is just the actual defining of interesting traffic. It is not yet related to an action at this point. The ASA will select the traffic as you specify and then shrug and just let it pass as usual. We will attach an action to the selection later on when configuring the crypto map.
5. [NAT0]
--------------------
Since you directly connect the main and branch sites you generally do not need to NAT the traffic between the locations. As you have most likely set up some kind of NAT for your Internet connection and the like, you will need to exempt the traffic which needs to go through the tunnel from being NATed.
To do this we will again use an access-list:
access-list Inside_nat0_outbound extended permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
Just like with the interesting traffic we have only selected the traffic at this point. We now need to tell the ASA what to do with the traffic it sees. In this case we create a statement to do "NAT0". Which means... "don't NAT".
nat (Inside) 0 access-list Inside_nat0_outbound
Notice that we use the 'nat' statement as you would normally, connecting it to an interface. We come from the inside interface, so that's where the statement should be. Then you provide a number where you would normally put the pool number of the global that you define on the other side. In this case we use 0 to tell the ASA there is no pool and just not to use NAT at all. We reference the access-list we created earlier.
Now the traffic we selected with this access-list will not be NATed through the ASA.
Let's do the same for the branch site:
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
Note that we again changed the traffic selection to mirror the main site, as we are now going the other way.
6. [Transform-sets]
--------------------
This is where the order of things might get a bit confusing to some, as the transform-sets actually define the encryption of phase 2. And at this point we haven't even configured phase 1 yet! I still like to adhere to this order as it won't matter when configuring and it will hopefully make troubleshooting easier.
Like I said, the transform-sets define which encryption we use in phase 2, or at the IPSec level. Both sides will negotiate the encryption levels and therefore they NEED to be the same at both locations. If you encrypt with key A, you will also need to decrypt with key A. Otherwise you won't be able to read the message.
You can define your own sets, but the ASA comes with the most common ones predefined. Those have always sufficed for me so I would advise using those unless you have a specific reason not to.
Again, as before, you just create the transform-sets here (or at least make sure they are present in the configuration) but they don't do anything yet. We reference these transform-sets later when configuring the crypto map.
crypto IPSec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto IPSec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
When first looking at the commands they seemed a bit redundant to me, but note that after the part 'crypto IPSec transform-set' you define a name (here in caps). The defaults are named after the encryption that is used, but the name could be anything you like. After that the encryption type and authentication type are specified.
7. [Crypto map]
--------------------
Now it's time to define the parts that actually get the tunnel going and put some of the building blocks we created together. We do this with a crypto map.
I will first create the configuration items that we would use at the main site and then explain the individual items:
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.2
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
We use the command "crypto map" and then create a name. After the name comes a reference (sequence) number. The reason for this number is that you can only apply one crypto map to each interface. This would be a problem if you had 2 branch offices and only one outside interface!
Cisco solved this by using these reference numbers. You use the same crypto map name every time on an interface, but you use a different reference number per tunnel. This way you are able to set up multiple tunnels on this single interface.
Then on the first line you see the access-list we created referred to. This is where we say: if you see THAT traffic, put it into the tunnel.
Second, we define the peer. This is the other side of the tunnel, so in this case the WAN IP address of the branch office.
Third, you tell the ASA which type of encryption you are going to use at the IPSec level. We reference the NAME of the transform-set defined in the previous step.
When you have your crypto map defined it still won't do anything until it is applied to an interface. Make sure you apply it to the interface closest to the other side of the tunnel, in our case the outside interface:
crypto map VPN_map interface outside
You would then do the same at the branch office, but obviously with the WAN IP address of the main office as its peer:
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer 1.1.1.1
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
8. [Isakmp policy]
--------------------
Now that we have the phase 2 part covered, where the actual IPSec tunnel is built, we first need to provide a secure layer to get management traffic through. This is isakmp, or phase 1.
To get a management layer (security association) going the ASA's need policies defined. They go top down through these policies until they find one that they agree on. If they don't, phase 1, and therefore the complete tunnel, won't come up. Since both sides need to agree we need to create at least one policy and it needs to be the same on both sides. Let's look at the configuration as it should be on both sides and go through it:
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 5
crypto isakmp policy 10 lifetime 86400
You begin each line with the "crypto isakmp policy" command and create a reference number. The lower the number, the higher it will be in the config and the sooner it will be tried when setting up a tunnel. Usually you would put the most secure policy at the top, as it has preference. If the peers can't agree on that level of security they will go one level less secure, and so on.
The first line configures the means of authentication of the tunnel. You can use either a pre-shared key or a certificate. Pre-shared keys are the easiest to implement; certificates are easiest to manage in large environments. I won't go into the details of both; I chose pre-shared keys for our tunnel here for ease of explanation.
Next we define the encryption and authentication mechanisms. This looks a lot like the transform-set, however that is used for encrypting at the IPSec level. We are now defining encryption at the security association level, which is created BEFORE IPSec is set up. Once the SA's are in place they will be used to securely set up an IPSec connection.
Then we find the command 'group 5', which refers to Diffie-Hellman group 5. The working of Diffie-Hellman is beyond the scope of this document, but in short it's a secure way to exchange secret information (keys) over an insecure connection.
Finally the lifetime of the SA's in seconds. After the lifetime has expired, the keys will be recalculated. The tunnel is not affected.
When you are done with configuring, enable isakmp on the interface on which the ASA should be able to build a tunnel:
crypto isakmp enable outside
This, too, needs to be set on both ASA's.
9. [Tunnel-group]
--------------------
Now that we have our phase 1 and 2 configured we can use 'tunnel-groups' to configure specific options for the tunnel. In site to site tunnels I would advise using the IP address of the peer as the group name. I have seen problems in the past where a different name had been used.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 IPSec-attributes
 pre-shared-key testkey
In the first command we tell the ASA we are creating an IPSec LAN-to-LAN tunnel.
In the second, we create something that we referenced earlier: the pre-shared key. You define it here and reference it in the crypto isakmp policy. Make sure that the key is the same on both ASA's!
I would also advise using a stronger key than the one I use here, as it is basically a password into your network.
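As an added example (not part of the original article), here is a small Python checker for the troubleshooting checklist from the 'Getting started' chapter and for the two points that are easiest to get wrong across sites: the interesting-traffic access-lists must mirror each other and the pre-shared keys must match. It renders each side's configuration from the article's commands with the sample addresses; the function names `site_cfg`, `check_site` and `check_pair` are my own, and the configs are constructed samples, not a real deployment.

```python
import re
FLAGS = re.M | re.I  # match one config line at a time; ASA prints IPSec/ipsec either way

def acl_nets(cfg, name):
    """(src, dst) 'addr mask' pairs of an extended permit-ip access-list."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+ \S+) (\S+ \S+)$"
    return [m.groups() for m in re.finditer(pat, cfg, FLAGS)]

def check_site(cfg):
    """The 'Getting started' checklist for one ASA: each part present and referenced."""
    out, s = [], lambda pat: re.search(pat, cfg, FLAGS)
    cm = s(r"^crypto map (\S+) \d+ match address (\S+)$")
    if not cm:
        return ["no crypto map entry with 'match address'"]
    cmap, acl = cm.groups()
    if not acl_nets(cfg, acl):
        out.append(f"interesting-traffic access-list {acl} is missing")
    if not s(r"^nat \(\S+\) 0 access-list \S+$"):
        out.append("NAT exempt access-list is not referenced by a 'nat (...) 0' statement")
    if not s(rf"^crypto map {re.escape(cmap)} interface \S+$"):
        out.append(f"crypto map {cmap} is not applied to an interface")
    if not s(r"^crypto isakmp enable \S+$"):
        out.append("isakmp is not enabled on an interface")
    peer = s(rf"^crypto map {re.escape(cmap)} \d+ set peer (\S+)$")
    if not peer or not s(rf"^tunnel-group {re.escape(peer.group(1))} type ipsec-l2l$"):
        out.append("no ipsec-l2l tunnel-group named after the peer address")
    return out

def check_pair(cfg_a, cfg_b):
    """Cross-checks between the two ends: mirrored interesting traffic, same pre-shared key."""
    out = []
    acls = [re.search(r"match address (\S+)$", c, FLAGS).group(1) for c in (cfg_a, cfg_b)]
    if acl_nets(cfg_a, acls[0]) != [(d, s) for s, d in acl_nets(cfg_b, acls[1])]:
        out.append("interesting-traffic access-lists do not mirror each other")
    keys = [re.search(r"^ pre-shared-key (\S+)$", c, FLAGS) for c in (cfg_a, cfg_b)]
    if not all(keys) or keys[0].group(1) != keys[1].group(1):
        out.append("pre-shared keys differ between the two ASAs")
    return out

def site_cfg(local, remote, peer, key, apply_map=True):
    """The article's commands rendered for one side (constructed sample values)."""
    lines = [
        f"access-list VPN_cryptomap extended permit ip {local} {remote}",
        f"access-list Inside_nat0_outbound extended permit ip {local} {remote}",
        "nat (Inside) 0 access-list Inside_nat0_outbound",
        "crypto IPSec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac",
        "crypto map VPN_map 10 match address VPN_cryptomap",
        f"crypto map VPN_map 10 set peer {peer}",
        "crypto map VPN_map 10 set transform-set ESP-AES-256-SHA",
        "crypto isakmp policy 10 authentication pre-share",
        "crypto isakmp enable outside",
        f"tunnel-group {peer} type ipsec-l2l",
        f"tunnel-group {peer} IPSec-attributes",
        f" pre-shared-key {key}",
    ]
    if apply_map:  # leaving this out is a classic reason a tunnel never comes up
        lines.insert(7, "crypto map VPN_map interface outside")
    return "\n".join(lines)

MAIN = site_cfg("10.0.0.0 255.255.255.0", "192.168.0.0 255.255.255.0", "1.1.1.2", "testkey")
BRANCH = site_cfg("192.168.0.0 255.255.255.0", "10.0.0.0 255.255.255.0", "1.1.1.1", "testkey")
```

Run `check_site(MAIN)`, `check_site(BRANCH)` and `check_pair(MAIN, BRANCH)` to get an empty list for a consistent pair; pasting the output of `show running-config` from a real ASA in place of the rendered configs works the same way.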
10. [Wrap-up]
--------------------
And there you have it! You have created your site-to-site tunnel!
Now go to a client at either one of the locations and start a ping or a remote desktop session, or open a web site. The first try might fail, but don't get discouraged. When the first packet arrives at the ASA it will start setting up the tunnel, which can take a few seconds. Then try again and you should now be able to reach all pc's, printers and servers on both sides of the tunnel.
For general troubleshooting you can use the following commands:
show crypto isakmp sa
show crypto IPSec sa
They will show you if a tunnel is set up at phase 1 (SA) or phase 2 (IPSec) respectively.
I know this guide isn't as extensive as it could be and there are hundreds of different ways to set up and use VPN connections. However, I hope this document has helped you either get started or get a basic understanding of VPN's, what they do and how to configure them.
Good luck in all your endeavors.
JG.
Co$$ents
Expert Comment
by: grtraders on 2009-11-28 at 06:35:29 ID: 6010
A truly remarkable article. I applaud the Author's way of putting the stuff in a way that just fits in place.
Anyway, since the person wanting to configure the VPN will already be having a broad knowledge of how VPNs work, it may not have been necessary, but I would like to add that both sides of the VPN should have a different LAN class for the VPN to work, as used in the example --
10.0.0.0/24 & 192.168.0.0/24
If they use the same address class, meaning 192.168.0.0/24 on both LANs, it won't be possible to tunnel the traffic.
Ravi.
Expert Comment
by: eric on 2010-05-20 at 10:11:12 ID: 14913
Great Write Up!!
Expert Comment
by: mahrens007 on 2011-02-07 at 18:00:43 ID: 23625
Excellent write-up.
Thanks
Expert Comment
by: mahrens007 on 2011-02-07 at 18:03:31 ID: 23626
actually one thing I would add - if you are not onsite and want to test the VPN, type in:
management inside
on both ASAs. Then do a:
ping inside [the other side's ASA inside interface]
enter a bunch of times.
Expert Comment
by: nstrong on 2011-06-14 at 16:07:09 ID: 28670
Trying to duplicate this setup - but with some different IPs - I get an error when I plug in at step 7, the branch office: "crypto map VPN_map1 interface" -- ERROR: % Incomplete command
Any idea why?