
Cisco Site to Site VPN

Here are some helpful tips for a Cisco site-to-site VPN where several remote sites use the same internal subnet. Each remote site hides its real LAN behind a unique translated range with policy NAT, so the hosting facility only ever sees 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, and the crypto ACL at each end of a tunnel must be the exact mirror of the crypto ACL at the other end. The example configuration below is written for PIX/ASA software version 7.0 and above (the PIX 506 and 506E cannot run 7.x and so cannot be used). It uses the NAT syntax that existed before ASA 8.3; from 8.3 on the "static ... access-list" and "nat (inside) 0 access-list" forms no longer exist and have to be converted to the newer object or twice NAT. The ESP-3DES-SHA transform set reflects what was common when this was written; 3DES is deprecated, so use AES on any release that supports it.

Remote Site 1
————-

Internal LAN address : 192.168.1.0/24
Translated address   : 10.0.1.0/24

Remote Site 2
————-

Internal LAN address : 192.168.1.0/24
Translated address   : 10.0.2.0/24

Remote Site 3
————-

Internal LAN address : 192.168.1.0/24
Translated address   : 10.0.3.0/24

Hosting Facility
—————-

Internal LAN address : 192.168.5.0/24
Translated address   : <No translation needed since there is no overlap assumed at the hosting facility>

—BEGIN CODE OF FIREWALL AT SITE 1—
access-list outside_cryptomap permit ip 10.0.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list policy-nat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
static (inside,outside) 10.0.1.0 access-list policy-nat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <hosting_facility_firewall_outside_ip_address>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
<other statements follow that are specific to either a PIX or ASA, depending on what is implemented at the remote site: isakmp enable outside, an isakmp policy that matches the hosting facility, a tunnel-group of type ipsec-l2l for the hosting facility peer address carrying the pre-shared-key, and sysopt connection permit-ipsec (permit-vpn on later 7.x releases) so tunnelled traffic bypasses the outside interface ACL>
—END CODE OF FIREWALL AT SITE 1—

—BEGIN CODE OF FIREWALL AT SITE 2—
access-list outside_cryptomap permit ip 10.0.2.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list policy-nat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
static (inside,outside) 10.0.2.0 access-list policy-nat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <hosting_facility_firewall_outside_ip_address>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
<other statements follow that are specific to either a PIX or ASA, depending on what is implemented at the remote site: isakmp enable outside, an isakmp policy that matches the hosting facility, a tunnel-group of type ipsec-l2l for the hosting facility peer address carrying the pre-shared-key, and sysopt connection permit-ipsec (permit-vpn on later 7.x releases) so tunnelled traffic bypasses the outside interface ACL>
—END CODE OF FIREWALL AT SITE 2—

—BEGIN CODE OF FIREWALL AT SITE 3—
access-list outside_cryptomap permit ip 10.0.3.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list policy-nat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
static (inside,outside) 10.0.3.0 access-list policy-nat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer <hosting_facility_firewall_outside_ip_address>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
<other statements follow that are specific to either a PIX or ASA, depending on what is implemented at the remote site: isakmp enable outside, an isakmp policy that matches the hosting facility, a tunnel-group of type ipsec-l2l for the hosting facility peer address carrying the pre-shared-key, and sysopt connection permit-ipsec (permit-vpn on later 7.x releases) so tunnelled traffic bypasses the outside interface ACL>
—END CODE OF FIREWALL AT SITE 3—

—BEGIN CODE OF FIREWALL AT HOSTING FACILITY—
access-list outside_cryptomap_1 permit ip 192.168.5.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list outside_cryptomap_2 permit ip 192.168.5.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list outside_cryptomap_3 permit ip 192.168.5.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 10.0.3.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_1
crypto map outside_map 10 set peer <site_1_firewall_outside_ip_address>
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 match address outside_cryptomap_2
crypto map outside_map 20 set peer <site_2_firewall_outside_ip_address>
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 match address outside_cryptomap_3
crypto map outside_map 30 set peer <site_3_firewall_outside_ip_address>
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
<other statements follow that are specific to either a PIX or ASA, depending on what is implemented at the hosting facility: isakmp enable outside, an isakmp policy that matches the remote sites, one tunnel-group of type ipsec-l2l per remote site peer address carrying that site's pre-shared-key, and sysopt connection permit-ipsec (permit-vpn on later 7.x releases) so tunnelled traffic bypasses the outside interface ACL>
—END CODE OF FIREWALL AT HOSTING FACILITY—
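The four fragments only work if they agree with each other, and the places they tend to disagree are exactly the ones a copy-and-paste build gets wrong: a remote site's crypto ACL must use its translated range rather than its real LAN, no two sites may claim the same translated range, the hosting facility's crypto ACL for a site must be the mirror image of that site's crypto ACL, the hosting facility's nat 0 ACL must exempt the same pair, and each hosting facility crypto map entry must peer with the remote site's outside address, never with the hosting facility's own. As an added example (not from the original post), the Python below parses the pre-8.3 style fragments and checks all of that in one pass. The outside addresses (198.51.100.1 for the hosting facility, 203.0.113.1 to .3 for the sites) and the helper names are assumptions made for the example; the subnets and ACL names are the ones used above.

```python
import ipaddress
import re

# Pre-8.3 PIX/ASA line shapes from the fragments above ("extended" optional).
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) access-list (\S+)$")
NAT0_RE = re.compile(r"^nat \(inside\) 0 access-list (\S+)$")
MATCH_RE = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map \S+ (\d+) set peer (\S+)$")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(text):
    """acls: name -> [(src, dst)]; statics: acl -> mapped net; nat0: acl names; entries: seq -> {acl, peer}."""
    acls, statics, nat0, entries = {}, {}, [], {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((_net(m[2], m[3]), _net(m[4], m[5])))
        elif m := STATIC_RE.match(line):
            statics[m[2]] = m[1]
        elif m := NAT0_RE.match(line):
            nat0.append(m[1])
        elif m := MATCH_RE.match(line):
            entries.setdefault(m[1], {})["acl"] = m[2]
        elif m := PEER_RE.match(line):
            entries.setdefault(m[1], {})["peer"] = m[2]
    return acls, statics, nat0, entries

def check(spokes, hub):
    """spokes: {site: (outside_ip, fragment)}; hub: (outside_ip, fragment). Returns inconsistencies found."""
    problems = []
    hub_ip, hub_text = hub
    h_acls, _, h_nat0, h_entries = parse(hub_text)
    exempt = {pair for name in h_nat0 for pair in h_acls.get(name, [])}
    hub_by_peer = {e.get("peer"): e for e in h_entries.values()}
    if hub_ip in hub_by_peer:
        problems.append("hub: a crypto map entry peers with the hub's own outside address")
    used = {}                                  # translated network -> site that claimed it
    for site, (ip, text) in spokes.items():
        acls, statics, _, entries = parse(text)
        (acl_name, mapped), = statics.items()  # one policy static per remote site
        real, remote = acls[acl_name][0]       # overlapping LAN and the hub LAN it reaches
        mapped_net = ipaddress.ip_network(f"{mapped}/{real.prefixlen}")
        if mapped_net in used:
            problems.append(f"{site}: translated {mapped_net} collides with {used[mapped_net]}")
        used[mapped_net] = site
        (entry,) = entries.values()            # one crypto map entry per remote site
        local, far = acls[entry["acl"]][0]
        if (local, far) != (mapped_net, remote):
            problems.append(f"{site}: crypto ACL {local}->{far} should be {mapped_net}->{remote}")
        if entry["peer"] != hub_ip:
            problems.append(f"{site}: peers with {entry['peer']}, hub is {hub_ip}")
        hub_entry = hub_by_peer.get(ip)
        if hub_entry is None:
            problems.append(f"hub: no crypto map entry peers with {site} ({ip})")
        elif (far, local) not in h_acls.get(hub_entry["acl"], []):
            problems.append(f"hub: crypto ACL for {site} is not the mirror of {local}->{far}")
        if (far, local) not in exempt:
            problems.append(f"hub: nat 0 does not exempt {far}->{local}")
    return problems

# Constructed sample fragments: subnets are the post's, outside addresses are assumed (RFC 5737).
HUB_IP = "198.51.100.1"
SPOKE_IPS = {1: "203.0.113.1", 2: "203.0.113.2", 3: "203.0.113.3"}

def spoke_cfg(n, hub_peer):
    """Remote site n: 192.168.1.0/24 presented to the hub as 10.0.n.0/24."""
    return f"""
access-list outside_cryptomap permit ip 10.0.{n}.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list policy-nat permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
static (inside,outside) 10.0.{n}.0 access-list policy-nat
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer {hub_peer}
"""

def hub_cfg(peer_of):
    """Hosting facility; peer_of maps remote site number -> that site's outside address."""
    lines = ["nat (inside) 0 access-list nonat"]
    for n, peer in peer_of.items():
        lines += [f"access-list outside_cryptomap_{n} permit ip 192.168.5.0 255.255.255.0 10.0.{n}.0 255.255.255.0",
                  f"access-list nonat permit ip 192.168.5.0 255.255.255.0 10.0.{n}.0 255.255.255.0",
                  f"crypto map outside_map {n}0 match address outside_cryptomap_{n}",
                  f"crypto map outside_map {n}0 set peer {peer}"]
    return "\n".join(lines)

SPOKES = {f"site{n}": (ip, spoke_cfg(n, HUB_IP)) for n, ip in SPOKE_IPS.items()}

def good_design():
    return check(SPOKES, (HUB_IP, hub_cfg(SPOKE_IPS)))

def hub_peering_with_itself():
    # every hub entry pointing at the hub's own address instead of at a remote site
    return check(SPOKES, (HUB_IP, hub_cfg({n: HUB_IP for n in SPOKE_IPS})))

def colliding_translation():
    # site 2 cloned from site 1 without changing its translated range
    spokes = dict(SPOKES)
    spokes["site2"] = (SPOKE_IPS[2], spoke_cfg(2, HUB_IP).replace("10.0.2.0", "10.0.1.0"))
    return check(spokes, (HUB_IP, hub_cfg(SPOKE_IPS)))
```

good_design() returns an empty list. hub_peering_with_itself() reports the hub entry that points at its own address and then one missing peer per remote site, which is what the tunnels would do in practice: never come up. colliding_translation() flags site 2 reusing 10.0.1.0/24 and the hub crypto ACL that no longer mirrors it. The parser assumes one policy static and one crypto map entry per remote site, which is all this design needs; transform-set and interface lines are ignored.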


2 Responses to “Cisco Site to Site VPN”

  1. Hello there, I found your blog through Google, and found that it is really informative. I’m gonna watch out for more from Brussels. I look forward to seeing more of this in the future. I know a lot of other folks will benefit from your writing as well. Cheers!

  2. Cisco Refurb says:

    We appreciate you reaching out to us from Brussels! The IT world is so expansive now, and we are excited to reach out to you guys with helpful tips!
