
PIX / ASA 8.0(4)16 - Site to Site VPN Sample Config

Below is a sample config for two site-to-site VPNs from a PIX running 8.0(4)16. One peer is 192.168.1.100 (the Juniper), the other 192.168.2.100 (the Check Point).

Please note: this isn't a tutorial, merely a sample config that can be used as a reference point.

    isakmp enable outside
    isakmp policy 10

         encryption des
         hash md5
         authentication pre-share
         group 1
         lifetime 86400

    isakmp key CISCO1 address 192.168.1.100 netmask 255.255.255.255 no-xauth
    isakmp key CISCO1 address 192.168.2.100 netmask 255.255.255.255 no-xauth

    access-list JuniperEncDomain permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list CheckPointEncDomain permit ip 172.16.3.0 255.255.255.0 172.28.16.0 255.255.255.0

    access-list nonat permit ip 172.16.3.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list nonat permit ip 172.16.3.0 255.255.255.0 172.28.16.0 255.255.255.0
    nat (inside) 0 access-list nonat

    crypto ipsec transform-set trans-set esp-des esp-md5-hmac
    crypto map crypto_map 10 ipsec-isakmp
    crypto map crypto_map 10 match address JuniperEncDomain
    crypto map crypto_map 10 set peer 192.168.1.100
    crypto map crypto_map 10 set transform-set trans-set
    crypto map crypto_map 10 set security-association lifetime seconds 3600

    crypto map crypto_map 20 ipsec-isakmp
    crypto map crypto_map 20 match address CheckPointEncDomain
    crypto map crypto_map 20 set peer 192.168.2.100
    crypto map crypto_map 20 set transform-set trans-set
    crypto map crypto_map 20 set security-association lifetime seconds 3600

    crypto map crypto_map interface outside
    crypto isakmp identity address

Things to note :

  1. The number after the crypto map name (10, 20) and after `isakmp policy` (10) is a sequence (priority) number; lower numbers are evaluated first.
  2. Only one crypto map can be applied to an interface, so each additional peer is a new sequence number within the same map rather than a new map.
  3. Each crypto ACL must select different traffic. If two entries match the same source/destination pair, only the lower sequence number is ever used and the other peer's tunnel never comes up. The nonat ACL must cover every encryption domain, otherwise the crypto ACL never sees the original (un-NATed) source address.
  4. Object-groups holding each encryption domain can be used in the access-lists instead of bare subnets, which makes later VPN changes a one-line edit.
  5. DES, MD5 and DH group 1, together with a short shared pre-shared key for both peers, are what the lab peers negotiated here; on a production box use AES, SHA, a stronger DH group and a distinct, long pre-shared key per peer.
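The following is an added example, not part of the original page: a small Python generator that builds the per-peer object-groups, crypto ACLs, nonat entries and crypto map sequences for a list of peers in the pre-8.3 `network subnet-mask` syntax used above, and refuses to emit entries whose encryption domains overlap (the condition under which a later crypto map sequence is never matched). The `Peer` class, the `-local`/`-remote` object-group naming and the sample peer list are assumptions made for illustration; the peer addresses and subnets are those from the config above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Peer:
    """One site-to-site peer (illustrative structure, not a Cisco object)."""
    name: str      # prefix for the crypto ACL and object-group names
    address: str   # peer's outside address
    local: str     # local encryption domain, CIDR
    remote: str    # remote encryption domain, CIDR


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def _masked(cidr: str) -> str:
    """Pre-8.3 PIX/ASA ACLs and object-groups take 'network subnet-mask', not CIDR."""
    net = _net(cidr)
    return f"{net.network_address} {net.netmask}"


def find_overlaps(peers: List[Peer]) -> List[Tuple[str, str]]:
    """Return (earlier, later) name pairs whose crypto ACLs select the same traffic.

    Crypto map entries are tried lowest sequence number first and the first
    'match address' hit wins, so a later entry whose local AND remote selectors
    overlap an earlier one is dead config: its traffic is sent to the earlier peer.
    """
    hits = []
    for i, a in enumerate(peers):
        for b in peers[i + 1:]:
            same_local = _net(a.local).overlaps(_net(b.local))
            same_remote = _net(a.remote).overlaps(_net(b.remote))
            if same_local and same_remote:
                hits.append((a.name, b.name))
    return hits


def render(peers: List[Peer], map_name: str = "crypto_map",
           transform_set: str = "trans-set", inside_if: str = "inside") -> str:
    """Emit object-groups, crypto ACLs, NAT exemption and crypto map entries."""
    overlaps = find_overlaps(peers)
    if overlaps:
        raise ValueError(f"overlapping encryption domains: {overlaps}")

    lines = []
    # One object-group per side of each tunnel: adding a subnet later is one line.
    for p in peers:
        lines += [
            f"object-group network {p.name}-local",
            f" network-object {_masked(p.local)}",
            f"object-group network {p.name}-remote",
            f" network-object {_masked(p.remote)}",
            f"access-list {p.name}EncDomain permit ip "
            f"object-group {p.name}-local object-group {p.name}-remote",
        ]
    # NAT exemption must cover every encryption domain, or the crypto ACL
    # only ever sees the PATed source address and never matches.
    for p in peers:
        lines.append(f"access-list nonat permit ip "
                     f"object-group {p.name}-local object-group {p.name}-remote")
    lines.append(f"nat ({inside_if}) 0 access-list nonat")
    # Sequence numbers spaced by 10 leave room to insert a peer between two later.
    for idx, p in enumerate(peers, start=1):
        seq = idx * 10
        lines += [
            f"crypto map {map_name} {seq} ipsec-isakmp",
            f"crypto map {map_name} {seq} match address {p.name}EncDomain",
            f"crypto map {map_name} {seq} set peer {p.address}",
            f"crypto map {map_name} {seq} set transform-set {transform_set}",
            f"crypto map {map_name} {seq} set security-association lifetime seconds 3600",
        ]
    return "\n".join(lines) + "\n"


# Constructed sample: the two peers from the config above.
SAMPLE_PEERS = [
    Peer("Juniper", "192.168.1.100", "172.16.3.0/24", "10.1.1.0/24"),
    Peer("CheckPoint", "192.168.2.100", "172.16.3.0/24", "172.28.16.0/24"),
]

if __name__ == "__main__":
    print(render(SAMPLE_PEERS))
```

Run it to see the object-group form of the config; give the second peer the same remote subnet as the first and `render()` raises instead of quietly producing a crypto map whose sequence 20 can never match.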

Tags: ASA, VPN

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001