I’ve been asked about this a number of times on the job: you need to build a site-to-site VPN tunnel between two ASA devices from the command line, with a twist. The address of your local host overlaps with an address the remote end already uses for another peer it has a tunnel with, so you need to NAT your local host to a different address whenever it talks to the remote end.
Let’s make a few assumptions, then onto the configuration:
- Two hosts on the remote end (10.20.30.1 and 10.20.30.2) need to talk to one host on the local end
- You’ll be using NAT to present your local host (192.168.1.20) to the remote end as 192.168.40.97
- Your remote peer is 184.108.40.206
- Phase 1: ISAKMP with pre-shared key authentication, AES-256 encryption, SHA-1 hashing, DH group 5, lifetime 86400 seconds
- Phase 2: ESP encapsulation, AES-256 encryption, SHA-1 HMAC, PFS with DH group 5
My config (with explanations):
Group the remote addresses together:

    object-group network REMOTE_VPN_IPs
     network-object 10.20.30.1 255.255.255.255
     network-object 10.20.30.2 255.255.255.255

This ACL selects the traffic the NAT statement below will translate. It uses the real (untranslated) source address:

    access-list REMOTE_VPN_REWRITE extended permit ip host 192.168.1.20 object-group REMOTE_VPN_IPs

This ACL selects the interesting traffic for the tunnel. Notice that it uses the rewritten address: the ASA applies NAT before it evaluates the crypto map, so the crypto ACL (and the mirror-image ACL on the remote peer) must reference 192.168.40.97, not 192.168.1.20:

    access-list outside_5_cryptomap extended permit ip host 192.168.40.97 object-group REMOTE_VPN_IPs

This policy static NAT rewrites 192.168.1.20 to 192.168.40.97 only for traffic matched by REMOTE_VPN_REWRITE, so the host's other flows are untouched. This is the pre-8.3 syntax; on 8.3 and later the same rewrite is done with a twice NAT statement (nat (inside,outside) source static ... destination static ...):

    static (inside,outside) 192.168.40.97 access-list REMOTE_VPN_REWRITE

We need a Phase 2 transform set (ESP, AES-256, SHA-1 HMAC) for the crypto map:

    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Now a new entry in the outside_map crypto map. The sequence number (5 here, because this is the fifth tunnel on our ASA) only has to be unique within the map. If outside_map is new rather than an existing map, it must also be bound to the interface with crypto map outside_map interface outside:

    crypto map outside_map 5 match address outside_5_cryptomap
    crypto map outside_map 5 set pfs group5
    crypto map outside_map 5 set peer 184.108.40.206
    crypto map outside_map 5 set transform-set ESP-AES-256-SHA

We need an ISAKMP policy for Phase 1. The priority (110) must be unique, the peer must have a matching policy, and ISAKMP must be enabled on the outside interface (crypto isakmp enable outside) if it isn't already:

    crypto isakmp policy 110
     authentication pre-share
     encryption aes-256
     hash sha
     group 5
     lifetime 86400

And our tunnel-group. For an IPsec-l2l tunnel-group the name must be the peer's IP address, the same address set as the peer in the crypto map, and the pre-shared key must match the one configured on the remote end (use a long random key in production; the one below is only a placeholder):

    tunnel-group 184.108.40.206 type ipsec-l2l
    tunnel-group 184.108.40.206 ipsec-attributes
     pre-shared-key Pr3$h@ReDK33
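If the ASA runs 8.3 or later, the static (inside,outside) ... access-list form above no longer exists and the same conditional rewrite is expressed as twice NAT. The following is an added example, not part of the original post; the object names LOCAL_HOST and LOCAL_HOST_NATTED are assumed, and the addresses are the ones used above. The crypto ACL, crypto map, ISAKMP policy and tunnel-group are unchanged on 8.3+ and the crypto ACL still references the translated address 192.168.40.97.

```text
! Real and mapped addresses of the local host (object names are assumed)
object network LOCAL_HOST
 host 192.168.1.20
object network LOCAL_HOST_NATTED
 host 192.168.40.97

! The two remote hosts, as in the pre-8.3 config above
object-group network REMOTE_VPN_IPs
 network-object host 10.20.30.1
 network-object host 10.20.30.2

! Twice NAT: translate 192.168.1.20 -> 192.168.40.97 only when the
! destination is one of the remote VPN hosts; the destination itself is
! left unchanged (identity mapping). Manual NAT rules are evaluated
! before object (auto) NAT, so this wins over any dynamic PAT for the host.
nat (inside,outside) source static LOCAL_HOST LOCAL_HOST_NATTED destination static REMOTE_VPN_IPs REMOTE_VPN_IPs

! Crypto ACL is the same as before: it must match the post-NAT source
access-list outside_5_cryptomap extended permit ip host 192.168.40.97 object-group REMOTE_VPN_IPs
```

The remote peer's crypto ACL must be the mirror image of ours, permitting traffic from its two hosts to 192.168.40.97; if it references 192.168.1.20 instead, Phase 2 will fail with a proxy identity mismatch.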
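Once the config is in, the following commands check that the NAT and the tunnel actually behave as intended. This is an added verification sequence, not from the original post; the port numbers in the packet-tracer call are arbitrary, and the peer address is the one assumed above.

```text
! 1. Simulate a packet from the local host to a remote VPN host and walk it
!    through the ASA's processing. The NAT phase should show the source being
!    rewritten to 192.168.40.97 and the VPN phase should show the packet being
!    encrypted; a DROP in either phase points at the ACLs or NAT statement.
packet-tracer input inside tcp 192.168.1.20 1025 10.20.30.1 443

! 2. Confirm the translation exists (after real traffic has flowed)
show xlate | include 192.168.40.97

! 3. Phase 1: the SA to the peer should be in state MM_ACTIVE
show crypto isakmp sa

! 4. Phase 2: local ident should be 192.168.40.97/255.255.255.255 and the
!    remote idents 10.20.30.1 and 10.20.30.2; #pkts encaps and #pkts decaps
!    should both increase while traffic flows. Encaps rising with decaps at
!    zero usually means the remote side's NAT, ACL or routing is wrong.
show crypto ipsec sa peer 184.108.40.206

! 5. If Phase 1 or Phase 2 will not come up, watch the negotiation
debug crypto isakmp 127
debug crypto ipsec 127
```

Turn the debugs off again with undebug all once you are done; they are verbose on a busy ASA.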
Hope this helps someone!