PIX-to-ASA Dynamic-to-Static VPN – Part 2

This is a follow-up to the post about setting up a PIX-to-ASA Dynamic-to-Static VPN; this time the ASA is static and the PIX is dynamic.

Here is the config:

ASA Config

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list traffic_from_inside extended permit ip any 192.168.4.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map INDUS_DYNAMIC 1 set transform-set ESP-3DES-MD5
crypto map outside_map_1 90 ipsec-isakmp dynamic INDUS_DYNAMIC
crypto map outside_map_1 interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

PIX Config

access-list inside_outside permit ip any 192.168.1.0 255.255.255.0
access-list outside_inside permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list NAT-0-INSIDE permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside dhcp setroute
ip address inside 192.168.4.1 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NAT-0-INSIDE
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 10.10.10.10
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 10.10.10.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
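
A quick consistency check for the two configs above, as an added example (not part of the original post): it confirms that the phase-1 policy and transform set agree on both peers and that the PIX crypto and NAT-exemption ACLs mirror the ASA's NAT-exemption ACL. The function names are illustrative, and the embedded text is an excerpt of the configs shown on this page.

```python
import re
# Excerpts of the two configs on this page, embedded so the check runs offline.
ASA = """\
access-list Inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
PIX = """\
access-list NAT-0-INSIDE permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_10 permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
NEGOTIATED = ("authentication", "encryption", "hash", "group")

def isakmp_policies(cfg):
    """One tuple of phase-1 values per 'isakmp policy' priority."""
    pol = {}
    for prio, attr, val in re.findall(r"^isakmp policy (\d+) (\S+) (\S+)$", cfg, re.M):
        pol.setdefault(prio, {})[attr] = val
    return {tuple(p.get(a) for a in NEGOTIATED) for p in pol.values()}

def transform_sets(cfg):
    """Phase-2 transforms, ignoring the locally chosen set name."""
    return {frozenset(m.split()) for m in re.findall(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M)}

def acl(cfg, name):
    """(src, mask, dst, mask) tuples for the network-to-network permits of one ACL."""
    pat = rf"^access-list {re.escape(name)} (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$"
    return re.findall(pat, cfg, re.M)

def mirrored(a, b):
    """True when a is non-empty and b equals a with source and destination swapped."""
    return bool(a) and sorted(a) == sorted((d, dm, s, sm) for s, sm, d, dm in b)

def check(asa, pix):
    asa_nat0 = acl(asa, "Inside_nat0_outbound")
    return {
        "phase1_match": bool(isakmp_policies(asa) & isakmp_policies(pix)),
        "phase2_match": bool(transform_sets(asa) & transform_sets(pix)),
        "nat0_mirrored": mirrored(asa_nat0, acl(pix, "NAT-0-INSIDE")),
        "crypto_acl_mirrored": mirrored(asa_nat0, acl(pix, "outside_cryptomap_10")),
    }
```

Calling `check(ASA, PIX)` returns a dictionary of four booleans; any `False` names the section of the two configs that has drifted apart.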
