
This is a post in a series of “stream-of-study” content where I post loosely-structured notes taken while labbing various scenarios and technologies.
!---------------------------------!
! IOS Router VPN through an ASA !
!---------------------------------!
!
!in this setup we will configure an IOS to IOS VPN which must pass THROUGH an ASA without NAT, so the only thing the ASA needs is to permit the outside -> inside traffic for the tunnel.
!
!we'll start by configuring a basic PBVPN (policy-based VPN) between the two routers in question
!
!-------------
! R1
!-------------
!
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
!
crypto isakmp key cisco123 address 192.1.60.6 255.255.255.255
!
crypto ipsec transform-set ikev1TFS esp-aes esp-sha-hmac
!
access-list 101 permit ip 10.4.4.0 0.0.0.255 10.6.6.0 0.0.0.255
!
crypto map PBVPN 10 ipsec-isakmp
set peer 192.1.60.6
match address 101
set transform-set ikev1TFS
!
int eth0/0
crypto map PBVPN
!
!-------------
! R2
!-------------
!
crypto isakmp policy 5
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
!
crypto isakmp key cisco123 address 192.1.24.24 255.255.255.255
!
crypto ipsec transform-set ikev1TFS esp-aes esp-sha-hmac
!
access-list 101 permit ip 10.6.6.0 0.0.0.255 10.4.4.0 0.0.0.255
!
crypto map PBVPN 10 ipsec-isakmp
set peer 192.1.24.24
match address 101
set transform-set ikev1TFS
!
int eth0/0
crypto map PBVPN
!
!
!-------------
! ASA
!-------------
!now, we need to allow the inbound traffic from R1 to reach R2 on the inside for both isakmp and esp
!
access-list OUTSIDE-IN extended permit udp host 192.1.24.24 host 192.1.60.6 eq isakmp
access-list OUTSIDE-IN extended permit esp host 192.1.24.24 host 192.1.60.6
!
access-group OUTSIDE-IN in interface Outside
!
!-------------------
! Verifications
!-------------------
!
!IOS
show cry isakmp sa [detail]
show cry ipsec sa [detail]
show access-list
!
!ASA
show conn [detail]
show access-list
packet-tracer input outside esp 192.1.24.24 0 192.1.60.6
packet-tracer input outside udp 192.1.24.24 isakmp 192.1.60.6 isakmp