Cisco ASA Site-to-Site VPN Configuration (Command Line): Cisco ASA Training 101
Рет қаралды 294,433
13 жыл бұрынwww.soundtraining.net Author, speaker, and IT trainer Don R. Crawley demonstrates how to configure a site-to-site VPN between two Cisco ASA security appliances. The demo is based on software version 8.3(1) and uses IPSec, ISAKMP, tunnel-groups, Diffie-Hellman groups, and an access-list. The demo is based on the popular book "The Accidental Administrator: Cisco ASA Security Appliance: Step-by-Step Configuration Guide (amzn.com/1449596622) and includes a link where you can download a free copy of the configs and the network diagram.
@doambaludovic377 4 жыл бұрын
The best site 2 site vpn training that i never seen my english is not good but i understand very weel your lesson. God bless you
@doncrawley3478 4 жыл бұрын
I'm glad it was helpful. Thanks for your comment!
@doambaludovic377 4 жыл бұрын
@@doncrawley3478 i hope that you will post others lessons on cisco asdm monitoring and troubleshooting
@MrSanketPune 5 жыл бұрын
You saved my day, I was missing nat (inside,outside) 1 and unable to ping from one site. But after putting this 1 it went to top and everything worked as expected.
@jonathanbignall1198 9 жыл бұрын
Thanks for this informative video. I have been working with l2l VPN tunnels on Asa's and the old Pix appliances for some years, but I still learnt some useful stuff. That configuration looks much tidier and simpler than the one I've been using, I think I may have over complicated my acl, I will review it! Thanks again.
@kailashchandra5138 6 жыл бұрын
This video is awesome so far and very helpful to configure Site To Site VPN.
@ibrarhussain999 8 жыл бұрын
Hi, Great video I configured L2L by watching this video and studying couple of articles on VPN, But i did an identical configuration on my ASA's and its working fine. Not only this your video helped me to configure DMZ as well, so thanks.
@MdAlamgirHossainChannel 8 жыл бұрын
Thank you very much Sir! Just viewing your configuration steps, I have solved my problem.
@soundtraining 11 жыл бұрын
I'm glad you like it. Thanks for your comment.
@daciasandero6616 8 жыл бұрын
Thank you for this very good video especially the command at the end of the video called route, this blow my issue away :-) I am goinig to buy your book.
@soundtraining 11 жыл бұрын
Sorry about the delay in replying. I don't currently have videos on the topics you mentioned, but will certainly consider producing them. Thanks for the suggestion!
@soundtraining 11 жыл бұрын
Currently working on making a video on remote access VPNs. I needed to add more flash memory, so I'm waiting for it to arrive. Should have the video ready soon, maybe by this weekend.
@mohdibrahimali5246 8 жыл бұрын
Excellent Channel, great help
@soundtraining 11 жыл бұрын
Thanks for the suggestion. I'll definitely consider producing a Packet Tracer video. Great idea!
@mazensalah8963 2 жыл бұрын
rfdf5hb5t2dx
@hasanreza0 5 жыл бұрын
Excellent Vdo , It could not have been made simpler ,
@soundtraining 11 жыл бұрын
I'm glad you liked it. Yes, I'll consider creating a video on remote access VPNs. Subscribe to the channel to learn when the video is completed and uploaded.
@connectakk 11 жыл бұрын
Simple and Clear....Thanks for the Video.....
@goodeyedeas 12 жыл бұрын
Excellent video!
@wagdymaher4238 5 жыл бұрын
Thank you so much for great info
@CSEPracticals 2 жыл бұрын
you saved my day !
@RemyVorender 10 жыл бұрын
You are my new hero. Thank you.
@soundtraining 10 жыл бұрын
No, you're my hero for watching the video and commenting! Thanks, Jeremy.
@DJRTP 4 жыл бұрын
Hello, your videos are really great!, are you planning on doing any training videos on FireSight and FMC?
@carybudach8661 6 жыл бұрын
I'm running identical 5505's, both fresh out of the box, both running 9.1(7)23. I've used the configs in this video in 4 other test scenarios. Today I tried for the 5th time. For the life of me, I've never been able to get the VPN working.
@CanecaProductions 3 жыл бұрын
Im buying your book right now.
@kb8dude1985 7 жыл бұрын
really good video
@louisroyce15 4 жыл бұрын
great video, even better music!
@visom97 11 жыл бұрын
Great video
@soundtraining 11 жыл бұрын
Hi Peter, the NAT statement (nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote) is confusing, isn't it? It's designed to prevent VPN traffic from being NAT'd out onto the Internet instead of going across the tunnel. It has the same effect as the old NAT 0 command from earlier versions of the ASA software. Thanks for your question.
@Naesman1167 Жыл бұрын
I thank you for you video. I would suggest that you marry your video configuration with your topology as to remove some confusion. I was 2/3 through your configuration when I realized the tunnel peer addresses didnt reflect the diagram... Overall thank you..
@soundtraining 12 жыл бұрын
@wonderland1111 This only applies to ASA devices. I took a quick look at the WRV210 and I'd be surprised if its interface was the same as an ASA. I wish I had better news for you, but thanks for the question.
@CiscoPhipse 9 жыл бұрын
Hi Don, What if I had an MPLS connection on the same ASA and I wanted to route traffic destined for 192.168.102.100 down towards the MPLS gateway? Why does all traffic (192.168.102.0/24) go over the VPN if you specify a static route to the MPLS on the ASA?
@Cisco2Junos 10 жыл бұрын
Thanks, hard to understand first if i am new to VPN but after playing 2 times i get to know the concept behind..
@soundtraining 10 жыл бұрын
Yeah, it's a lot of stuff to process if you're new to VPNs, but just keep working with it and you'll get it. Thanks for your comment.
@Nick-py7iy 7 жыл бұрын
Hello! Thank you for lessons!!! It is help me in my work! I need an advice. How VPN will work if I have two ASAs. MAIN ASA(has 2 up links to internet) and REMOTE ASA (has one link). And if MAIN chanel on MAIN ASA will down off and MAIN ASA start work on BACK chanel, how will work VPN? What I need to configire?
@jimmykan7873 7 жыл бұрын
Hello Don, It looks like the instructions on this tutorial do not work on version 8.4(2)? mine is v8.4(2) and crypto has different configure mode (ikev1, ipsec, key and map) no isakmp. Thanks,
@CautionCU 5 жыл бұрын
Nice videos broseph
@marioosh80 12 жыл бұрын
Nice video. My suggestion to configure NAT in less confusing way is to create an access list (something like: access-list extended nat0 permit ip object net-local object net-remote) and then apply nat (inside) 0 access-list nat0
@jimmykan7873 7 жыл бұрын
Don, when I get to the settings #crypto map outside_map 1 set (there's no pfs option, the only options are ikev1, peer and security-association) what should I use, I am using v8.4(2) Thanks!
@Sky1 8 жыл бұрын
If I put an administrative distance on that route statement could I use this as a Floating VPN route in case of an MPLS failure where the route disappears from the Routing table?
@rockingtheages8925 6 жыл бұрын
Don, I was following along with this config. I noticed you configured the first tunnel group statement to be 192.168.0.12 and stated that this was the "outside interface" address of the AS02 (remote) firewall. However, your diagram in the beginning of the video doesn't show that as being the IP address of the AS02 device. I recorded it to be 24.17.23.12....Did I miss something?
@jimmykan7873 6 жыл бұрын
Hello Don, I have two ASA5505 both running v8.2(5), I want to connect the two back to back on the outside interfaces, can this work with site2site vpn configurations. maybe you have a sample of how to do this. Thanks!
@soundtraining 12 жыл бұрын
Check your ASA's software version number. The video is based on 8.3 with a base license. If you're running a different version, your command options may be different. Good luck!
@dsrdeep 11 жыл бұрын
your video was really helpful, can you kindly explain how to create remote access VPN as well plz.
@bcbabloo 11 жыл бұрын
very Nice and clear :)
@noshut 4 жыл бұрын
I've tried to follow along here step by step. However in my lab, I do not have outside internet. So I set the default gateway for both firewalls to the outside IP of the other firewall. Will the tunnel ever get built doing it this way, OR, do you HAVE to have an actual internet connection coming from an ISP going into one or both firewalls?
@cazanova6699 8 жыл бұрын
Thanks Sir, I have a question, is it possible to configure site to multiple sites vpn using ASA5510 ? I have a central site with asa5510 and multiple sites (cisco routers)must connected to it via adsl vpn, I used to use cisco router in the central site but the vpn is down due to material problem and I try to replace it by ASA5510
@familjabakija 11 жыл бұрын
Mr. Crawley congrats to very good presentation. I'm trying to use your instructions getting VPN between two ASA Firewalls. ASA version 8.2.5. I can create net-local and net-remote but when I try to type subnet command - error message. The rest of config can be done except nat (inside,outside) ...- which is related to network objects. My question: Is it a substitute command (ASA v8.2.5) for those to commands ( creating network objects and nat (inside,outside) ...). thanks.
@minhtruong6935 11 жыл бұрын
Thanks ur video...
@IndyAustin 5 жыл бұрын
Excellent video. All meat and potatoes. Thank you!
@bozbostwick8471 9 жыл бұрын
Hello, I'm actually from Tacoma, but that's not the point. I'm having an issue with the nat command. nat (inside,outside) 1 source static net-local net-local destination net-remote net-remote. The error carrot points to the comma in (inside,outside) and says -remote net-remote. All other commands upto this point have worked. I have Cisco ASA 5505 with 6.4(5). Any Ideas??
@petertaylor3628 11 жыл бұрын
Hi Don, Can you explain why you are using nat (inside,outside) rule with this VPN as with this configuration you already have reachability between your remote sites without NAT
@plopman6391 10 жыл бұрын
Don, obviously this works but shouldn't there be part of the config where the DF group is specified?
@BogusJesus 9 жыл бұрын
I need to hook up 5 new offices to each other. 1 office will be the main office. How can I do this? What equipment would you recommend buying? Thanks for the help.
@pedrotrejo5775 9 жыл бұрын
Hi sr, It could be possible to configure a VPN between ASA IOS 8.4(5) and ASA IOS 7.2(2) ? Or I have to upgrade my firewall? Thanks
@suggst65 11 жыл бұрын
How important is it to match the services applied in your ACL (Cryptomap) to your peers ACL?
@plopperator 10 жыл бұрын
why is it phase 1 things like isakmp timeouts and preshared key are configured under IPsec attributes?
@AmitThakorlovemeorhateme 4 жыл бұрын
could you please make a comparison video of ISR and ASR command line difference....i have learned so far upto ccnp level about router...but these firewall cli is completely throwing me off
@plopperator 10 жыл бұрын
doesn't configuring a default route that points to the other ASA mean that traffic whether it's encrypted or not can't go anywhere but to the other ASA?
@suggst65 11 жыл бұрын
Thanks!
@MrTameem 10 жыл бұрын
Its simple and helpful.... Do you have WAAS config videos ? anyway thanks for uploading ....cheers////
@davidwangombemaina 10 жыл бұрын
Hi Don, Thanks for the simple explanation. How would I go about this set up if one of the IPSEC end was terminating into a cisco router and not as ASA? ASACISCO 3745 Would I still need the tunnel group part of the configuration?
@soundtraining 9 жыл бұрын
Hi David, The tunnel group command does several things, including identifying the peer at the other end of the connection. I haven't done the configuration you describe, but I don't see how it could work without a tunnel group. Thanks for your comment. Apologies for my delay in responding.
@IndyAustin 5 жыл бұрын
What app are you using to produce the network diagrams?
@BrynnzTv 8 жыл бұрын
Hi Don, Thanks for the video it help to solve my issue.. I have a question : why I cant ping vice versa? PC ASA02 (192.168.102.2/24) can ping PC ASA01(192.168.101.2/24) But PC ASA01(192.168.101.2) can not ping PC ASA02 (192.168.102.2/24) Pls. advice..
@chrislucas4406 5 жыл бұрын
If you still want to be able to have access to internet just add this line after configuring the static nat : nat (inside,outside) source dynamic any interface
@HostDone 10 жыл бұрын
Hi I had followed your direction and bought the book, it is an amazing startup to use. However, I am trying to install VPN in my Lab and able to get an the tunnel established but no ping to the other internal network Let me know if you have any thoughts. I can post my configuration for the two sites if that possible! Thanks Mohamed
@soundtraining 9 жыл бұрын
Hi Mohamed, Make sure the firewalls on the target hosts allow ping packets (ICMP). That's the most common problem I see. Thanks for your comment.
@Gianluca_Del_Vecchio 12 жыл бұрын
@marioosh80 I tryed with two ASA directly connected... if I configure the routing like in the clip (route outside 0 0 192.168.0.1) it works but if I configure the only route to the remote peer (route outside 192.168.0.12 255.255.255.255 192.168.0.1) it doesn't work. Do you know the cause please? thanks
@plopperator 10 жыл бұрын
what does the tunnel-group command do?
@plopperator 11 жыл бұрын
Don, I'm using 8.4 but can't even type the command 'crypto isakmp enable outside'. Has there been a change to this command that you know of? Or am I going bonkers?
@trocz71 10 жыл бұрын
Hi Don, when backing up and copying configuration settings from one ASA-5505 to another will VPN configuration settings also be backed up when initiating the command in PuTTY? Probably a stupid question but im a web developer and am new to Working on Cisco Security Appliances.
@soundtraining 9 жыл бұрын
Hi Trocz, The simple answer is anything in the configuration file is backed up when you perform a copy running-config command. That includes the VPN configs. Thanks for your comment.
@Gianluca_Del_Vecchio 12 жыл бұрын
I tryed with two ASA directly connected... if I configure the routing like in the clip (route outside 0 0 192.168.0.1) it works but if I configure the only route to the remote peer (route outside 192.168.0.12 255.255.255.255 192.168.0.1) it doesn't work. Do you know the cause please? thanks
@Jaw_breaker 8 жыл бұрын
Hi, why when I try to configure the route, the last step, with my default gateway I receive the message "Invalid next hop address, it belongs to one of our interfaces". Thanks for your help.
@Jaw_breaker 8 жыл бұрын
Hi Don, thanks for your answer. I realized that after reading some more documentation. The problem i'm having now is that I'm able to establish the tunnel but no data passes to either side. If you could give me any hint I'd be greatly appreciated.
@wonderland1111 12 жыл бұрын
is this aplicable to a cisco wrv210??? thanks
@f.trappey4450 10 жыл бұрын
is there a way to adjust the MTU size going across the tunnel on the ASA like you can on a router?
@soundtraining 9 жыл бұрын
Yes. See this page: www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_complete_routed.html#wp1112567 Thanks for your comment.
@romeonyc77 10 жыл бұрын
Hi Don, I am stuck on the nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote....I am getting error message "ERROR: % Invalid input detected at '^' marker." What is the syntaxt since I am running 8.2(5) version? Thaks for your help. Bernard
@soundtraining 10 жыл бұрын
Bernard, the problem is that you're running version 8.2(5) of the software and this configuration only works in versions 8.3 and later. Cisco made a major change in syntax starting with version 8.3. Here's a link to a Cisco configuration guide for NAT on software version 8.2 and earlier. Good luck! Thanks for your comment.
@plopperator 10 жыл бұрын
is this a route based vpn or policy based? I confused
@diegoir9383 10 жыл бұрын
I have a problem, im trying to configure 2 asa firewalls but running different ios versions, the first asa has ios 8.3 and the second has 8.4, i dont know how to to configure them since most examples describe scenarios with firewalls using same ios version and commands. help please!
@soundtraining 9 жыл бұрын
Hi Diegogiga, 8.3 and 8.4 are very similar. I haven't done that exact configuration, but I haven't had any trouble using 8.3 documentation on an ASA running 8.4. Thanks for your comment.
@rishavpathak5288 3 жыл бұрын
The command which you run its not working on my asa firewall
@Pyro72x 10 жыл бұрын
I tried adding the following line to our new asa 5505 ver 8.2(5) and it would not take. nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote..Thoughts on a work around? I have added an access-list to the inside interface called NONAT and added the internal and external networks this way. I think may work thoughts?
@soundtraining 10 жыл бұрын
Software versions prior to 8.3 use different syntax. For example, to configure NO NAT with your software, you use the "nat 0" statement. Here's a link with more information: www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html#wp1080803 Hope that helps. Thanks for your comment.
@Pyro72x 10 жыл бұрын
Great thanks!
@davetejas5794 11 жыл бұрын
Please Upload same video in Packet Tracer.
@brightstar6957 Жыл бұрын
Can you make the same IpSec VPN on fortigate Firewall
@soundtraining Жыл бұрын
Fortigate firewalls are a product of Fortinet. I've never worked with any Fortinet products, so I don't know if they use a similar command structure to Cisco devices, but I doubt it.
@plopperator 9 жыл бұрын
you don't need to configure a default route, you should just configure a route to the remote subnet with the outside ip address of the remote firewall as the next hop.
@iam_subh5035 7 жыл бұрын
It is a request to provide the updated link to the downloadable free copy.
@iam_subh5035 7 жыл бұрын
You are awesome. Thank you.
@manufunk1 10 жыл бұрын
hi sir, I have ASA5512-X 9.1 IOS and Cisco 877 router on another side.Both sides have dynamic ip .I configured ASA and remote access via VPN client establishes but SITE-SITE VPN do not establish.ASA is replaced by Cisco 1841 router at Headoffice.All router at sites was connected to 1841 via dynamic ip VPN site to site.After i put ASA and configured tunnel is not establishing can you please help what went wrong.
@soundtraining 9 жыл бұрын
Hi Manoj, You're going to have difficulty getting a site-to-site VPN to work with dynamic addresses on the outside interfaces.The other issues sound to me like routing problems. Thanks for your comment.
@manufunk1 9 жыл бұрын
i did it with dynamic ip and its working cool.thanks
@manufunk1 9 жыл бұрын
I have set dyndns on linksys router to resolve the ip
@andryllbarcarse 10 жыл бұрын
Hi sir, is it possible to have a site to site VPN between cisco asa and sonicwall?
@soundtraining 9 жыл бұрын
Hi Andryll, Sure, as long as the settings on each end (protocols, key lengths, and other settings) match. It should work. :) Thanks for your comment.
@branimirkarajcic7839 10 жыл бұрын
That default route at the end is not necessary for site 2 site VPN. It is necessarily only if default route is not configured.
@soundtraining 10 жыл бұрын
You're correct. If you already have a default route configured, it's not necessary to configure a new one. Thanks for your comment.
@branimirkarajcic7839 10 жыл бұрын
soundtraining.net Quick question if I am trying to set a second site to site VPN connection, should I use different map number? For example: crypto map outside_map 1 match address outside_1_cryptomap crypto map outside_map 1 set pfs group1 crypto map outside_map 1 set peer 192.168.0.12 crypto map outside_map 1 set transform-set ESP-3DES-SHA crypto map outside_map interface outside If I was gonna have: crypto map another_map 1 match address another_1_cryptomap crypto map another_map 1 set pfs group1 crypto map another_map 1 set peer 172.168.0.12 crypto map another_map 1 set transform-set ESP-3DES-SHA crypto map another_map interface outside Should "1" be something else or is the fact that outside_map is different than another_map enough?
@Netguru786 8 жыл бұрын
hi all - can any one tell me if i do a password recovery on a ASA 5512 will it delete all my config etc?
@soundtraining 8 жыл бұрын
If password recovery has been disabled, it will delete your config.
@soleilenvierge 12 жыл бұрын
message 1/2 your video is very interesting but it seems I don't have the same menus on my ASA5505 -: For example, you have the command: "(config) crypto isakmp enable outside" - I don't have that command "... enable outside" also: you do: "(config) crypto isakmp policy 10 ..." I don't have that command "... policy 10" These are my options: see second message
@douglassoaresmantova 10 жыл бұрын
Sorry ,but I am using ios 8.4.2 and unfortunately it has not the comandos of crypto isakmp . example: crypto isakmp enable outside . It has not that and the other options . what could be the problem ?
@douglassoaresmantova 10 жыл бұрын
ciscoasa(config)# sh ver Cisco Adaptive Security Appliance Software Version 8.4(2) Compiled on Wed 15-Jun-11 18:17 by builders System image file is "Unknown, monitor mode tftp booted image" Config file at boot was "startup-config" ciscoasa(config)# crypto isakmp ? configure mode commands/options: disconnect-notify Enable disconnect notification to peers identity Set identity type (address, hostname or key-id) nat-traversal Enable and configure nat-traversal reload-wait Wait for voluntary termination of existing connections before reboot
@plopperator 10 жыл бұрын
what about "crypto ikev1" ?
@whead-ul-islamakhand3132 9 жыл бұрын
Sir....How can i get your video on ASA ?
@whead-ul-islamakhand3132 9 жыл бұрын
thanks...Sir .
@tenflags 11 жыл бұрын
This is so confusing. Sometimes this video shows without Routers and sometimes with Routers. What is going on? The other video has a gateway of 24.17.23.155.
@manoj.kumar_21 9 жыл бұрын
Hi Don, Thank you so much for this video I have one doubt where is 192.168.0.1 ip address
@soundtraining 9 жыл бұрын
Hi Manoj, Great question. The address 192.168.0.1 is not shown on the diagram, but it represents a default gateway. Even in a point-to-point configuration, such as the one used for the video, it's still necessary to include a default gateway in order to bring up the tunnel. Thanks for your comment.
@atmanghemari950 8 жыл бұрын
is this 192.168.0.1 a default gateway in Firewall 1 site or in Firewall2 site? as I can see your 2 gatways are 192.168.101.1 & 192.168.102.1
@atmanghemari950 8 жыл бұрын
I mean is it just an IP you have to use in both router as a gateway?
@wagdymaher4238 5 жыл бұрын
to whom need files (digrams and configurations ) on the link : www.doncrawley.com/soundtraining-net-downloads/
@BelowAverageRazzleDazzle 4 жыл бұрын
Seems outdated now... crypto isakmp ENABLE.... - is invalid... There is no enable option now. (v9.8) first step = failure... Evidence (taken from an older 5505): myASA5505(config)# crypto isakmp ? configure mode commands/options: disconnect-notify Enable disconnect notification to peers identity Set identity type (address, hostname or key-id) nat-traversal Enable and configure nat-traversal reload-wait Wait for voluntary termination of existing connections before reboot myASA5505(config)# show ver Cisco Adaptive Security Appliance Software Version 9.2(4)33 Device Manager Version 7.4(3)
@hasanreza0 5 жыл бұрын
##Command replaced in newer version by crypto ikev2 enable outside ##Preshared key command ikev1 pre-shared-key 0 pass1234 ##Crypto Isakmp policy 10## crypto ikev1 policy 10 ##Crypto Isakmp policy 10 lifetime 86400## crypto ikev1 policy 10 lifetime 86400 More as i work
@soleilenvierge 12 жыл бұрын
message 2/2 (These are my options:) FractalRocks55(config)# crypto isakmp ? configure mode commands/options: disconnect-notify Enable disconnect notification to peers identity Set identity type (address, hostname or key-id) nat-traversal Enable and configure nat-traversal reload-wait Wait for voluntary termination of existing connections before reboot that's all I have, can you help, thx, Jonathan
@soundtraining 11 жыл бұрын
I'm glad you like it. Thanks for your comment.
@soundtraining 11 жыл бұрын
Glad you like it. Thanks for the comment.
soundtraining.net
Рет қаралды 350 М.
Jason Derulo
Рет қаралды 125 МЛН
What the Meowk!
Рет қаралды 3,7 МЛН
soundtraining.net
Рет қаралды 139 М.
soundtraining.net
Рет қаралды 17 М.
soundtraining.net
Рет қаралды 57 М.
soundtraining.net
Рет қаралды 32 М.
Gurutech Networking Training
Рет қаралды 7 М.
Trendy Tech Review Show
Рет қаралды 1,3 МЛН
Typecase
Рет қаралды 12 МЛН