PIX / ASA 8.0(4)16 – Site to Site VPN Sample Config

Below is a sample config for 2 site to site vpns from a PIX running 8.0(4)16. One peer being 192.168.2.100, and the other 192.168.1.100.

Please note : This isn’t a tutorial but merely just a sample config that can be used as a reference point.

    isakmp enable outside
    isakmp policy 10 
         encryption des
         hash md5
         authentication pre-share
         group 1
         lifetime 86400
 
    isakmp key CISCO1 address 192.168.1.100 netmask 255.255.255.255 no-xauth
    isakmp key CISCO1 address 192.168.2.100 netmask 255.255.255.255 no-xauth
 
    access-list JuniperEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list Check PointEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
 
    access-list nonat permit ip  172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list nonat permit ip  172.16.3.0 255.255.255.0 172.28.16.0 255.255.255.0
    nat (inside) 0 access-list nonat
 
    crypto ipsec transform-set trans-set esp-des esp-md5-hmac
    crypto map crypto_map 10 ipsec-isakmp
    crypto map crypto_map 10 match address JuniperEncDomain
    crypto map crypto_map 10 set peer 192.168.1.100
    crypto map crypto_map 10 set transform-set trans-set
    crypto map crypto_map 10 set security-association lifetime seconds 3600
 
    crypto map crypto_map 20 ipsec-isakmp
    crypto map crypto_map 20 match address Check PointEncDomain
    crypto map crypto_map 20 set peer 192.168.2.100
    crypto map crypto_map 20 set transform-set trans-set
    crypto map crypto_map 20 set security-association lifetime seconds 3600
 
    crypto map crypto_map interface outside
    crypto isakmp identity address
 

Things to note :

1. The number that comes after the crypto map and the isakmp policy number is a sequence (priority) number.
2. Only one crypto map can be assigned to the same interface.
3. For use in the access-lists a object group including the encryption domains may be useful for future VPN administration

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial