In this video session, I cover how to configure L2L VPNs on Cisco ASA firewalls.
I have included the presentation from the video along with the essential configuration used to create an L2L VPN.
Configuration Used
***ASAv1***
ASA Version 9.8(3)
!
hostname ASAv1
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.168.100.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE1 object SITE2
nat (INSIDE,OUTSIDE) source static SITE1 SITE1 destination static SITE2 SITE2 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 209.168.100.2 1
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.200.1
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 84600
tunnel-group 209.168.200.1 type ipsec-l2l
tunnel-group 209.168.200.1 ipsec-attributes
 ikev1 pre-shared-key cisco
***ISP ROUTER***
hostname ISP
!
interface GigabitEthernet0/0
 ip address 209.168.100.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 209.168.200.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
ip route 192.168.10.0 255.255.255.0 209.168.100.1
ip route 192.168.20.0 255.255.255.0 209.168.200.1
***ASAv2***
ASA Version 9.8(3)
!
hostname ASAv2
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.168.200.1 255.255.255.252
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE2 object SITE1
nat (INSIDE,OUTSIDE) source static SITE2 SITE2 destination static SITE1 SITE1 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 209.168.200.2 1
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.100.1
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 84600
tunnel-group 209.168.100.1 type ipsec-l2l
tunnel-group 209.168.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco
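The two ASA configs above only bring the tunnel up if they mirror each other exactly: each side's crypto map peer must be the other side's OUTSIDE address, the pre-shared key, transform set and IKEv1 policy attributes must be identical, and the crypto ACL on one side must be the source/destination swap of the other. Below is an added Python checker (my own example, not code from the video or from Cisco) that parses the VPN-relevant lines of both configs, reports any mismatch between the peers, and separately flags lab-grade settings a reviewer would want changed before production: the pre-shared key "cisco", DH group 2 (1024-bit MODP), and SHA-1 for both the IKE hash and the ESP integrity algorithm. The sample configs embedded in the script are copied from the ASAv1 and ASAv2 sections above; the list of well-known placeholder keys and the 16-character minimum are my own assumptions.

```python
"""Mirror-consistency and weak-setting checks for a pair of ASA IKEv1 L2L VPN configs."""
import re

# Sample input: the VPN-relevant lines from the ASAv1 config on this page.
ASAV1 = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 209.168.100.1 255.255.255.252
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE1 object SITE2
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map cryptomap 10 set peer 209.168.200.1
crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 2
 lifetime 84600
tunnel-group 209.168.200.1 ipsec-attributes
 ikev1 pre-shared-key cisco
"""
# Sample input: the same lines from the ASAv2 config on this page.
ASAV2 = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address 209.168.200.1 255.255.255.252
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE2 object SITE1
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto map cryptomap 10 set peer 209.168.100.1
crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 2
 lifetime 84600
tunnel-group 209.168.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco
"""

def parse(cfg):
    """Extract the fields the mirror check depends on from one ASA config."""
    f = {"objects": {}, "acl": [], "policy": {}}
    ctx = None  # which block the indented sub-commands currently belong to
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            ctx = ("object", m[1])
        elif m := re.match(r"subnet (\S+) (\S+)$", line):
            f["objects"][ctx[1]] = f"{m[1]} {m[2]}"
        elif m := re.match(r"nameif (\S+)$", line):
            ctx = ("intf", m[1])
        elif ctx == ("intf", "OUTSIDE") and (m := re.match(r"ip address (\S+) \S+$", line)):
            f["outside"] = m[1]
        elif m := re.match(r"access-list \S+ extended permit ip object (\S+) object (\S+)$", line):
            f["acl"].append((m[1], m[2]))
        elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)$", line):
            f["transform"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            f["peer"] = m[1]
        elif re.match(r"crypto ikev1 policy ", line):
            ctx = ("policy",)
        elif ctx == ("policy",) and (m := re.match(r"(encryption|hash|group|lifetime) (\S+)$", line)):
            f["policy"][m[1]] = m[2]
        elif m := re.match(r"ikev1 pre-shared-key (\S+)$", line):
            f["psk"] = m[1]
    return f

def mirror_problems(a, b):
    """Return the ways two peers' configs fail to mirror each other (empty list = consistent)."""
    problems = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        problems.append("peer address does not match the other side's OUTSIDE address")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("IPsec transform sets differ")
    if a["policy"] != b["policy"]:
        problems.append("IKEv1 policy attributes differ")
    # Crypto ACLs must describe the same flows with source/destination swapped; compare
    # after resolving object names to subnets, since names need not match on both boxes.
    flows_a = {(a["objects"][s], a["objects"][d]) for s, d in a["acl"]}
    flows_b = {(b["objects"][d], b["objects"][s]) for s, d in b["acl"]}
    if flows_a != flows_b:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

WEAK_PSKS = {"cisco", "password", "secret"}  # assumed list of placeholder keys seen in labs

def weak_settings(f):
    """Flag settings on one side that should be changed before production use."""
    findings = []
    if f["psk"] in WEAK_PSKS or len(f["psk"]) < 16:  # 16-char floor is an assumption
        findings.append("pre-shared key is a well-known value or shorter than 16 characters")
    if int(f["policy"].get("group", 0)) < 14:
        findings.append(f"DH group {f['policy'].get('group')} is below the 2048-bit group 14")
    if f["policy"].get("hash") == "sha":
        findings.append("IKEv1 hash 'sha' is SHA-1; IKEv1 offers only md5/sha, so move to IKEv2")
    if "esp-sha-hmac" in f.get("transform", ""):
        findings.append("ESP integrity esp-sha-hmac is HMAC-SHA-1")
    return findings

if __name__ == "__main__":
    a, b = parse(ASAV1), parse(ASAV2)
    print("mirror problems:", mirror_problems(a, b) or "none")
    print("ASAv1 weak settings:", weak_settings(a))
    print("ASAv2 weak settings:", weak_settings(b))
```

Run against the page's two configs the mirror check comes back clean, while the weak-setting check lists four findings per side. Changing the pre-shared key on only one side, or editing one crypto ACL without its mirror, shows up immediately in `mirror_problems`, which is the usual cause of a tunnel that never leaves MM_WAIT or passes no traffic.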