
Configuring Site-to-Site VPN

This section describes the task of setting up a site-to-site VPN on a Cisco ASA 5540 firewall, running version 8.0 of the ASA software.
 
This section assumes a simple configuration of an ASA connected directly to a public IP network on the "outside" interface.  The internal network is 172.16.0.0/16 and the far end's internal network is 172.17.0.0/16.
 
config t
 
!!!
!!! This first section contains configuration that is generally only needed once on the system.
!!! 
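! Set up the ISAKMP policy (this part may already be done on your system).
! The far end must have a policy with the same values. 3DES, MD5 and DH group 2
! are legacy choices; ASA 8.0 also accepts aes-256, sha and group 5.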
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
!
! Enable ISAKMP on the outside interface
crypto isakmp enable outside
!
! Set up the IPsec transform set
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
 
!!!
!!! The next section is done for each different VPN tunnel
!!!
! Define the traffic that can traverse the VPN
access-list traffic_from_site_a_to_site_b permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
! Define the device at the remote end that is terminating the VPN
tunnel-group far_end_public_IP type ipsec-l2l
tunnel-group far_end_public_IP ipsec-attributes
 pre-shared-key password_goes_here
! Add or create a crypto map for the outside interface
crypto map crypto-map-outside 2 set transform-set vpn-transform
crypto map crypto-map-outside 2 match address traffic_from_site_a_to_site_b 
crypto map crypto-map-outside 2 set peer far_end_public_IP
crypto map crypto-map-outside interface outside
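
The per-tunnel section only works if its names line up: each crypto map entry must point at a transform set, an access-list and a peer that are actually defined, and the map must be applied to an interface. The following is an added example, not part of the original how-to: a small Python check of those cross-references over a saved configuration. The function name audit, the sample text and the peer address 192.0.2.10 (a documentation address standing in for far_end_public_IP) are assumptions made for illustration.

```python
import re

# Constructed sample: the configuration from this page with one deliberate
# mistake (the crypto map names an access-list that is never defined).
# 192.0.2.10 is a documentation address standing in for far_end_public_IP.
SAMPLE = """\
crypto isakmp enable outside
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
access-list traffic_from_site_a_to_site_b permit ip 172.16.0.0 255.255.0.0 172.17.0.0 255.255.0.0
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key password_goes_here
crypto map crypto-map-outside 2 set transform-set vpn-transform
crypto map crypto-map-outside 2 match address traffic_from_site_a_to_site_c
crypto map crypto-map-outside 2 set peer 192.0.2.10
crypto map crypto-map-outside interface outside
"""

def audit(config):
    """Return sorted problems in the crypto map cross-references (one peer and one transform set per entry, as on this page)."""
    lines = [l.strip() for l in config.splitlines()]
    transforms = {m.group(1) for l in lines if (m := re.match(r"crypto ipsec transform-set (\S+)", l))}
    acls = {m.group(1) for l in lines if (m := re.match(r"access-list (\S+) ", l))}
    l2l_peers = {m.group(1) for l in lines if (m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", l))}
    applied = {m.group(1) for l in lines if (m := re.match(r"crypto map (\S+) interface \S+$", l))}
    entries = {}  # (map name, sequence number) -> {"transform-set" / "address" / "peer": value}
    for l in lines:
        m = re.match(r"crypto map (\S+) (\d+) (?:set (transform-set|peer)|match (address)) (\S+)", l)
        if m:
            entries.setdefault((m.group(1), m.group(2)), {})[m.group(3) or m.group(4)] = m.group(5)
    problems = []
    for (name, seq), e in entries.items():
        tag = f"{name} {seq}"
        for key, defined, what in (("transform-set", transforms, "transform set"),
                                   ("address", acls, "access-list"),
                                   ("peer", l2l_peers, "ipsec-l2l tunnel-group")):
            if key not in e:
                problems.append(f"{tag}: no {key} configured")
            elif e[key] not in defined:
                problems.append(f"{tag}: {what} '{e[key]}' is not defined")
        if name not in applied:
            problems.append(f"{tag}: crypto map is not applied to an interface")
    return sorted(problems)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no problems found")
```

An entry with a dangling access-list or peer reference leaves the tunnel down while the rest of the configuration loads without complaint, so this check is worth running before the change window rather than after.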
 
 