No video :(

Cisco ASA Site-to-Site VPN Configuration (Command Line): Cisco ASA Training 101

Подписаться 45 тыс.

Просмотров 295 тыс.

50% 1

www.soundtraini... Author, speaker, and IT trainer Don R. Crawley demonstrates how to configure a site-to-site VPN between two Cisco ASA security appliances. The demo is based on software version 8.3(1) and uses IPSec, ISAKMP, tunnel-groups, Diffie-Hellman groups, and an access-list. The demo is based on the popular book "The Accidental Administrator: Cisco ASA Security Appliance: Step-by-Step Configuration Guide (amzn.com/144959...) and includes a link where you can download a free copy of the configs and the network diagram.

Опубликовано:

25 авг 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 129

@doambaludovic377 4 года назад

The best site 2 site vpn training that i never seen my english is not good but i understand very weel your lesson. God bless you

@doncrawley3478 4 года назад

I'm glad it was helpful. Thanks for your comment!

@doambaludovic377 4 года назад

@@doncrawley3478 i hope that you will post others lessons on cisco asdm monitoring and troubleshooting

@MrSanketPune 5 лет назад

You saved my day, I was missing nat (inside,outside) 1 and unable to ping from one site. But after putting this 1 it went to top and everything worked as expected.

@soundtraining 11 лет назад

Sorry about the delay in replying. I don't currently have videos on the topics you mentioned, but will certainly consider producing them. Thanks for the suggestion!

@soundtraining 11 лет назад

I'm glad you like it. Thanks for your comment.

@soundtraining 11 лет назад

I'm glad you liked it. Yes, I'll consider creating a video on remote access VPNs. Subscribe to the channel to learn when the video is completed and uploaded.

@soundtraining 11 лет назад

Currently working on making a video on remote access VPNs. I needed to add more flash memory, so I'm waiting for it to arrive. Should have the video ready soon, maybe by this weekend.

@soundtraining 11 лет назад

Thanks for the suggestion. I'll definitely consider producing a Packet Tracer video. Great idea!

@mazensalah8963 2 года назад

rfdf5hb5t2dx

@jonathanbignall1198 9 лет назад

Thanks for this informative video. I have been working with l2l VPN tunnels on Asa's and the old Pix appliances for some years, but I still learnt some useful stuff. That configuration looks much tidier and simpler than the one I've been using, I think I may have over complicated my acl, I will review it! Thanks again.

@ibrarhussain999 8 лет назад

Hi, Great video I configured L2L by watching this video and studying couple of articles on VPN, But i did an identical configuration on my ASA's and its working fine. Not only this your video helped me to configure DMZ as well, so thanks.

@marioosh80 12 лет назад

Nice video. My suggestion to configure NAT in less confusing way is to create an access list (something like: access-list extended nat0 permit ip object net-local object net-remote) and then apply nat (inside) 0 access-list nat0

@Naesman1167 Год назад

I thank you for you video. I would suggest that you marry your video configuration with your topology as to remove some confusion. I was 2/3 through your configuration when I realized the tunnel peer addresses didnt reflect the diagram... Overall thank you..

@MdAlamgirHossainChannel 8 лет назад

Thank you very much Sir! Just viewing your configuration steps, I have solved my problem.

@kailashchandra5138 6 лет назад

This video is awesome so far and very helpful to configure Site To Site VPN.

@carybudach8661 6 лет назад

I'm running identical 5505's, both fresh out of the box, both running 9.1(7)23. I've used the configs in this video in 4 other test scenarios. Today I tried for the 5th time. For the life of me, I've never been able to get the VPN working.

@soundtraining 12 лет назад

Check your ASA's software version number. The video is based on 8.3 with a base license. If you're running a different version, your command options may be different. Good luck!

@hasanreza0 5 лет назад

Excellent Vdo , It could not have been made simpler ,

@Cisco2Junos 10 лет назад

Thanks, hard to understand first if i am new to VPN but after playing 2 times i get to know the concept behind..

@soundtraining 10 лет назад

Yeah, it's a lot of stuff to process if you're new to VPNs, but just keep working with it and you'll get it. Thanks for your comment.

@CanecaProductions 3 года назад

Im buying your book right now.

@soundtraining 13 лет назад

@wonderland1111 This only applies to ASA devices. I took a quick look at the WRV210 and I'd be surprised if its interface was the same as an ASA. I wish I had better news for you, but thanks for the question.

@RemyVorender 10 лет назад

You are my new hero. Thank you.

@soundtraining 10 лет назад

No, you're my hero for watching the video and commenting! Thanks, Jeremy.

@CSEPracticals 2 года назад

you saved my day !

@soundtraining 11 лет назад

Hi Peter, the NAT statement (nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote) is confusing, isn't it? It's designed to prevent VPN traffic from being NAT'd out onto the Internet instead of going across the tunnel. It has the same effect as the old NAT 0 command from earlier versions of the ASA software. Thanks for your question.

@chrislucas4406 5 лет назад

If you still want to be able to have access to internet just add this line after configuring the static nat : nat (inside,outside) source dynamic any interface

@IndyAustin 5 лет назад

Excellent video. All meat and potatoes. Thank you!

@louisroyce15 4 года назад

great video, even better music!

@connectakk 11 лет назад

Simple and Clear....Thanks for the Video.....

@mohdibrahimali5246 8 лет назад

Excellent Channel, great help

@daciasandero6616 8 лет назад

Thank you for this very good video especially the command at the end of the video called route, this blow my issue away :-) I am goinig to buy your book.

@jimmykan7873 7 лет назад

Hello Don, It looks like the instructions on this tutorial do not work on version 8.4(2)? mine is v8.4(2) and crypto has different configure mode (ikev1, ipsec, key and map) no isakmp. Thanks,

@wagdymaher4238 5 лет назад

Thank you so much for great info

@dsrdeep 11 лет назад

your video was really helpful, can you kindly explain how to create remote access VPN as well plz.

@goodeyedeas 12 лет назад

Excellent video!

@noshut 4 года назад

I've tried to follow along here step by step. However in my lab, I do not have outside internet. So I set the default gateway for both firewalls to the outside IP of the other firewall. Will the tunnel ever get built doing it this way, OR, do you HAVE to have an actual internet connection coming from an ISP going into one or both firewalls?

@AmitThakorlovemeorhateme 4 года назад

could you please make a comparison video of ISR and ASR command line difference....i have learned so far upto ccnp level about router...but these firewall cli is completely throwing me off

@plopperator 9 лет назад

you don't need to configure a default route, you should just configure a route to the remote subnet with the outside ip address of the remote firewall as the next hop.

@rishavpathak5288 3 года назад

The command which you run its not working on my asa firewall

@familjabakija 11 лет назад

Mr. Crawley congrats to very good presentation. I'm trying to use your instructions getting VPN between two ASA Firewalls. ASA version 8.2.5. I can create net-local and net-remote but when I try to type subnet command - error message. The rest of config can be done except nat (inside,outside) ...- which is related to network objects. My question: Is it a substitute command (ASA v8.2.5) for those to commands ( creating network objects and nat (inside,outside) ...). thanks.

@petertaylor3628 11 лет назад

Hi Don, Can you explain why you are using nat (inside,outside) rule with this VPN as with this configuration you already have reachability between your remote sites without NAT

@rockingtheages8925 6 лет назад

Don, I was following along with this config. I noticed you configured the first tunnel group statement to be 192.168.0.12 and stated that this was the "outside interface" address of the AS02 (remote) firewall. However, your diagram in the beginning of the video doesn't show that as being the IP address of the AS02 device. I recorded it to be 24.17.23.12....Did I miss something?

@plopperator 11 лет назад

doesn't configuring a default route that points to the other ASA mean that traffic whether it's encrypted or not can't go anywhere but to the other ASA?

@suggst65 11 лет назад

How important is it to match the services applied in your ACL (Cryptomap) to your peers ACL?

@visom97 11 лет назад

Great video

@Sky1 8 лет назад

If I put an administrative distance on that route statement could I use this as a Floating VPN route in case of an MPLS failure where the route disappears from the Routing table?

@kb8dude1985 7 лет назад

really good video

@Nick-py7iy 7 лет назад

Hello! Thank you for lessons!!! It is help me in my work! I need an advice. How VPN will work if I have two ASAs. MAIN ASA(has 2 up links to internet) and REMOTE ASA (has one link). And if MAIN chanel on MAIN ASA will down off and MAIN ASA start work on BACK chanel, how will work VPN? What I need to configire?

@BogusJesus 9 лет назад

I need to hook up 5 new offices to each other. 1 office will be the main office. How can I do this? What equipment would you recommend buying? Thanks for the help.

@DJRTP 4 года назад

Hello, your videos are really great!, are you planning on doing any training videos on FireSight and FMC?

@plopman6391 10 лет назад

Don, obviously this works but shouldn't there be part of the config where the DF group is specified?

@davidwangombemaina 10 лет назад

Hi Don, Thanks for the simple explanation. How would I go about this set up if one of the IPSEC end was terminating into a cisco router and not as ASA? ASACISCO 3745 Would I still need the tunnel group part of the configuration?

@soundtraining 9 лет назад

Hi David, The tunnel group command does several things, including identifying the peer at the other end of the connection. I haven't done the configuration you describe, but I don't see how it could work without a tunnel group. Thanks for your comment. Apologies for my delay in responding.

@plopperator 11 лет назад

why is it phase 1 things like isakmp timeouts and preshared key are configured under IPsec attributes?

@branimirkarajcic7839 10 лет назад

That default route at the end is not necessary for site 2 site VPN. It is necessarily only if default route is not configured.

@soundtraining 10 лет назад

You're correct. If you already have a default route configured, it's not necessary to configure a new one. Thanks for your comment.

@branimirkarajcic7839 10 лет назад

soundtraining.net Quick question if I am trying to set a second site to site VPN connection, should I use different map number? For example: crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs group1 crypto map outside_map 1 set peer 192.168.0.12 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside If I was gonna have: crypto map another_map 1 match address another_1_cryptomap crypto map another_map 1 set pfs group1 crypto map another_map 1 set peer 172.168.0.12 crypto map another_map 1 set transform-set ESP-3DES-SHA crypto map another_map interface outside Should "1" be something else or is the fact that outside_map is different than another_map enough?

@CiscoPhipse 9 лет назад

Hi Don, What if I had an MPLS connection on the same ASA and I wanted to route traffic destined for 192.168.102.100 down towards the MPLS gateway? Why does all traffic (192.168.102.0/24) go over the VPN if you specify a static route to the MPLS on the ASA?

@Gianluca_Del_Vecchio 12 лет назад

I tryed with two ASA directly connected... if I configure the routing like in the clip (route outside 0 0 192.168.0.1) it works but if I configure the only route to the remote peer (route outside 192.168.0.12 255.255.255.255 192.168.0.1) it doesn't work. Do you know the cause please? thanks

@davetejas5794 11 лет назад

Please Upload same video in Packet Tracer.

@bozbostwick8471 9 лет назад

Hello, I'm actually from Tacoma, but that's not the point. I'm having an issue with the nat command. nat (inside,outside) 1 source static net-local net-local destination net-remote net-remote. The error carrot points to the comma in (inside,outside) and says -remote net-remote. All other commands upto this point have worked. I have Cisco ASA 5505 with 6.4(5). Any Ideas??

@CautionCU 6 лет назад

Nice videos broseph

@jimmykan7873 7 лет назад

Don, when I get to the settings #crypto map outside_map 1 set (there's no pfs option, the only options are ikev1, peer and security-association) what should I use, I am using v8.4(2) Thanks!

@plopperator 11 лет назад

Don, I'm using 8.4 but can't even type the command 'crypto isakmp enable outside'. Has there been a change to this command that you know of? Or am I going bonkers?

@Gianluca_Del_Vecchio 12 лет назад

@marioosh80 I tryed with two ASA directly connected... if I configure the routing like in the clip (route outside 0 0 192.168.0.1) it works but if I configure the only route to the remote peer (route outside 192.168.0.12 255.255.255.255 192.168.0.1) it doesn't work. Do you know the cause please? thanks

@IndyAustin 5 лет назад

What app are you using to produce the network diagrams?

@cazanova6699 8 лет назад

Thanks Sir, I have a question, is it possible to configure site to multiple sites vpn using ASA5510 ? I have a central site with asa5510 and multiple sites (cisco routers)must connected to it via adsl vpn, I used to use cisco router in the central site but the vpn is down due to material problem and I try to replace it by ASA5510

@HostDone 10 лет назад

Hi I had followed your direction and bought the book, it is an amazing startup to use. However, I am trying to install VPN in my Lab and able to get an the tunnel established but no ping to the other internal network Let me know if you have any thoughts. I can post my configuration for the two sites if that possible! Thanks Mohamed

@soundtraining 9 лет назад

Hi Mohamed, Make sure the firewalls on the target hosts allow ping packets (ICMP). That's the most common problem I see. Thanks for your comment.

@jimmykan7873 6 лет назад

Hello Don, I have two ASA5505 both running v8.2(5), I want to connect the two back to back on the outside interfaces, can this work with site2site vpn configurations. maybe you have a sample of how to do this. Thanks!

@suggst65 11 лет назад

Thanks!

@soleilenvierge 12 лет назад

message 1/2 your video is very interesting but it seems I don't have the same menus on my ASA5505 -: For example, you have the command: "(config) crypto isakmp enable outside" - I don't have that command "... enable outside" also: you do: "(config) crypto isakmp policy 10 ..." I don't have that command "... policy 10" These are my options: see second message

@minhtruong6935 11 лет назад

Thanks ur video...

@plopperator 11 лет назад

what does the tunnel-group command do?

@tenflags 11 лет назад

This is so confusing. Sometimes this video shows without Routers and sometimes with Routers. What is going on? The other video has a gateway of 24.17.23.155.

@pedrotrejo5775 9 лет назад

Hi sr, It could be possible to configure a VPN between ASA IOS 8.4(5) and ASA IOS 7.2(2) ? Or I have to upgrade my firewall? Thanks

@wonderland1111 13 лет назад

is this aplicable to a cisco wrv210??? thanks

@brightstar6957 Год назад

Can you make the same IpSec VPN on fortigate Firewall

@soundtraining Год назад

Fortigate firewalls are a product of Fortinet. I've never worked with any Fortinet products, so I don't know if they use a similar command structure to Cisco devices, but I doubt it.

@plopperator 11 лет назад

is this a route based vpn or policy based? I confused

@trocz71 10 лет назад

Hi Don, when backing up and copying configuration settings from one ASA-5505 to another will VPN configuration settings also be backed up when initiating the command in PuTTY? Probably a stupid question but im a web developer and am new to Working on Cisco Security Appliances.

@soundtraining 9 лет назад

Hi Trocz, The simple answer is anything in the configuration file is backed up when you perform a copy running-config command. That includes the VPN configs. Thanks for your comment.

@Jaw_breaker 8 лет назад

Hi, why when I try to configure the route, the last step, with my default gateway I receive the message "Invalid next hop address, it belongs to one of our interfaces". Thanks for your help.

@Jaw_breaker 8 лет назад

Hi Don, thanks for your answer. I realized that after reading some more documentation. The problem i'm having now is that I'm able to establish the tunnel but no data passes to either side. If you could give me any hint I'd be greatly appreciated.

@diegoir9383 10 лет назад

I have a problem, im trying to configure 2 asa firewalls but running different ios versions, the first asa has ios 8.3 and the second has 8.4, i dont know how to to configure them since most examples describe scenarios with firewalls using same ios version and commands. help please!

@soundtraining 9 лет назад

Hi Diegogiga, 8.3 and 8.4 are very similar. I haven't done that exact configuration, but I haven't had any trouble using 8.3 documentation on an ASA running 8.4. Thanks for your comment.

@BrynnzTv 8 лет назад

Hi Don, Thanks for the video it help to solve my issue.. I have a question : why I cant ping vice versa? PC ASA02 (192.168.102.2/24) can ping PC ASA01(192.168.101.2/24) But PC ASA01(192.168.101.2) can not ping PC ASA02 (192.168.102.2/24) Pls. advice..

@romeonyc77 10 лет назад

Hi Don, I am stuck on the nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote....I am getting error message "ERROR: % Invalid input detected at '^' marker." What is the syntaxt since I am running 8.2(5) version? Thaks for your help. Bernard

@soundtraining 10 лет назад

Bernard, the problem is that you're running version 8.2(5) of the software and this configuration only works in versions 8.3 and later. Cisco made a major change in syntax starting with version 8.3. Here's a link to a Cisco configuration guide for NAT on software version 8.2 and earlier. Good luck! Thanks for your comment.

@bcbabloo 11 лет назад

very Nice and clear :)

@iam_subh5035 7 лет назад

It is a request to provide the updated link to the downloadable free copy.

@iam_subh5035 7 лет назад

You are awesome. Thank you.

@f.trappey4450 10 лет назад

is there a way to adjust the MTU size going across the tunnel on the ASA like you can on a router?

@soundtraining 9 лет назад

Yes. See this page: www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_complete_routed.html#wp1112567 Thanks for your comment.

@douglassoaresmantova 10 лет назад

Sorry ,but I am using ios 8.4.2 and unfortunately it has not the comandos of crypto isakmp . example: crypto isakmp enable outside . It has not that and the other options . what could be the problem ?

@douglassoaresmantova 10 лет назад

ciscoasa(config)# sh ver Cisco Adaptive Security Appliance Software Version 8.4(2) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "startup-config" ciscoasa(config)# crypto isakmp ? configure mode commands/options: disconnect-notify Enable disconnect notification to peers identity Set identity type (address, hostname or key-id) nat-traversal Enable and configure nat-traversal reload-wait Wait for voluntary termination of existing connections before reboot

@plopperator 10 лет назад

what about "crypto ikev1" ?

@Pyro72x 10 лет назад

I tried adding the following line to our new asa 5505 ver 8.2(5) and it would not take. nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote..Thoughts on a work around? I have added an access-list to the inside interface called NONAT and added the internal and external networks this way. I think may work thoughts?

@soundtraining 10 лет назад

Software versions prior to 8.3 use different syntax. For example, to configure NO NAT with your software, you use the "nat 0" statement. Here's a link with more information: www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html#wp1080803 Hope that helps. Thanks for your comment.

@Pyro72x 10 лет назад

Great thanks!

@MrTameem 10 лет назад

Its simple and helpful.... Do you have WAAS config videos ? anyway thanks for uploading ....cheers////

@andryllbarcarse 10 лет назад

Hi sir, is it possible to have a site to site VPN between cisco asa and sonicwall?

@soundtraining 9 лет назад

Hi Andryll, Sure, as long as the settings on each end (protocols, key lengths, and other settings) match. It should work. :) Thanks for your comment.

@manufunk1 10 лет назад

hi sir, I have ASA5512-X 9.1 IOS and Cisco 877 router on another side.Both sides have dynamic ip .I configured ASA and remote access via VPN client establishes but SITE-SITE VPN do not establish.ASA is replaced by Cisco 1841 router at Headoffice.All router at sites was connected to 1841 via dynamic ip VPN site to site.After i put ASA and configured tunnel is not establishing can you please help what went wrong.

@soundtraining 9 лет назад

Hi Manoj, You're going to have difficulty getting a site-to-site VPN to work with dynamic addresses on the outside interfaces.The other issues sound to me like routing problems. Thanks for your comment.

@manufunk1 9 лет назад

i did it with dynamic ip and its working cool.thanks

@manufunk1 9 лет назад

I have set dyndns on linksys router to resolve the ip

@BelowAverageRazzleDazzle 4 года назад

Seems outdated now... crypto isakmp ENABLE.... - is invalid... There is no enable option now. (v9.8) first step = failure... Evidence (taken from an older 5505): myASA5505(config)# crypto isakmp ? configure mode commands/options: disconnect-notify Enable disconnect notification to peers identity Set identity type (address, hostname or key-id) nat-traversal Enable and configure nat-traversal reload-wait Wait for voluntary termination of existing connections before reboot myASA5505(config)# show ver Cisco Adaptive Security Appliance Software Version 9.2(4)33 Device Manager Version 7.4(3)

@Netguru786 8 лет назад

hi all - can any one tell me if i do a password recovery on a ASA 5512 will it delete all my config etc?

@soundtraining 8 лет назад

If password recovery has been disabled, it will delete your config.

@whead-ul-islamakhand3132 9 лет назад

Sir....How can i get your video on ASA ?

@whead-ul-islamakhand3132 9 лет назад

thanks...Sir .

@manoj.kumar_21 9 лет назад

Hi Don, Thank you so much for this video I have one doubt where is 192.168.0.1 ip address

@soundtraining 9 лет назад

Hi Manoj, Great question. The address 192.168.0.1 is not shown on the diagram, but it represents a default gateway. Even in a point-to-point configuration, such as the one used for the video, it's still necessary to include a default gateway in order to bring up the tunnel. Thanks for your comment.

@atmanghemari950 8 лет назад

is this 192.168.0.1 a default gateway in Firewall 1 site or in Firewall2 site? as I can see your 2 gatways are 192.168.101.1 & 192.168.102.1

@atmanghemari950 8 лет назад

I mean is it just an IP you have to use in both router as a gateway?

@wagdymaher4238 5 лет назад

to whom need files (digrams and configurations ) on the link : www.doncrawley.com/soundtraining-net-downloads/

@hasanreza0 5 лет назад

##Command replaced in newer version by crypto ikev2 enable outside ##Preshared key command ikev1 pre-shared-key 0 pass1234 ##Crypto Isakmp policy 10## crypto ikev1 policy 10 ##Crypto Isakmp policy 10 lifetime 86400## crypto ikev1 policy 10 lifetime 86400 More as i work

@soleilenvierge 12 лет назад

message 2/2 (These are my options:) FractalRocks55(config)# crypto isakmp ? configure mode commands/options: disconnect-notify Enable disconnect notification to peers identity Set identity type (address, hostname or key-id) nat-traversal Enable and configure nat-traversal reload-wait Wait for voluntary termination of existing connections before reboot that's all I have, can you help, thx, Jonathan

@soundtraining 11 лет назад

I'm glad you like it. Thanks for your comment.

@soundtraining 11 лет назад

Glad you like it. Thanks for the comment.