Configuring an acl, Defining a tunnel group – Cisco ASA 5505 User Manual


73-7

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 73 Configuring LAN-to-LAN IPsec VPNs

Configuring an ACL

hostname(config-ipsec-proposal)#

Step 2

Then enter a protocol and encryption types. ESP is the only supported protocol. For example:

hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des

hostname(config-ipsec-proposal)#

Step 3

Enter an integrity type. For example:

hostname(config-ipsec-proposal)# protocol esp integrity sha-1

hostname(config-ipsec-proposal)#

Step 4

Save your changes.

Configuring an ACL

The adaptive security appliance uses access control lists to control network access. By default, the
adaptive security appliance denies all traffic. You need to configure an ACL that permits traffic. For more
information, see Chapter 14, “Information About Access Lists.”

The ACLs that you configure for this LAN-to-LAN VPN control connections based on the source and
translated destination IP addresses. Configure ACLs that mirror each other on both sides of the
connection.

An ACL for VPN traffic uses the translated address. For more information, see the “IP Addresses Used
for Access Lists When You Use NAT” section on page 14-3.

To configure an ACL, perform the following steps:

Step 1

Enter the access-list extended command. The following example configures an ACL named l2l_list that
lets traffic from IP addresses in the 192.168.0.0 network travel to the 150.150.0.0 network. The syntax
is access-list listname extended permit ip source-ipaddress source-netmask destination-ipaddress
destination-netmask.

hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)#

Step 2

Configure an ACL for the ASA on the other side of the connection that mirrors the ACL above. In the
following example the prompt for the peer is hostname2.

hostname2(config)# access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
hostname2(config)#

Note

For more information on configuring an ACL with a vpn-filter, see the “Configuring VPN-Specific
Attributes” section on page 67-42.
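The procedure above requires that the crypto ACLs on the two peers mirror each other: every permit entry on one side must appear on the other side with source and destination swapped, and the network addresses must agree with their masks. The following Python script is an added example, not part of the Cisco guide, that parses `access-list ... extended permit ip` lines of the form shown in Steps 1 and 2 (as they would appear in the running configuration, prompts stripped) and reports any entry that is missing or not mirrored on the peer. The sample ACL lines are constructed from the example in the procedure; the function names and the limitation to the `ip` protocol with dotted-decimal masks are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the mirrored ACL entries from Steps 1 and 2,
# one list per ASA, written as they would appear in "show running-config".
LOCAL_ACL = [
    "access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0",
]
PEER_ACL = [
    "access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0",
]

# Only the "ip <src> <mask> <dst> <mask>" form used in the procedure is handled;
# host/any keywords and port-based entries are out of scope for this example.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<action>permit|deny)\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)\s*$"
)


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE; reject malformed lines and host bits set under the mask."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported or malformed ACE: {line!r}")
    # strict=True raises if the address has host bits set under the mask,
    # e.g. 192.168.1.0 255.255.0.0, which would not match the intended network.
    src = ipaddress.IPv4Network((m["src"], m["smask"]), strict=True)
    dst = ipaddress.IPv4Network((m["dst"], m["dmask"]), strict=True)
    return Ace(m["name"], m["action"], src, dst)


def mirror_problems(local_lines: List[str], peer_lines: List[str]) -> List[str]:
    """Return a list of human-readable mismatches; an empty list means the ACLs mirror."""
    local = {(a.action, a.src, a.dst) for a in map(parse_ace, local_lines)}
    peer = {(a.action, a.src, a.dst) for a in map(parse_ace, peer_lines)}
    # The peer's ACL should contain each local entry with src and dst swapped.
    expected_peer = {(action, dst, src) for action, src, dst in local}
    problems = []
    for action, src, dst in sorted(expected_peer - peer, key=str):
        problems.append(f"peer is missing: {action} ip {src} -> {dst}")
    for action, src, dst in sorted(peer - expected_peer, key=str):
        problems.append(f"peer has unmatched entry: {action} ip {src} -> {dst}")
    return problems


def acls_mirror(local_lines: List[str], peer_lines: List[str]) -> bool:
    return not mirror_problems(local_lines, peer_lines)


if __name__ == "__main__":
    for problem in mirror_problems(LOCAL_ACL, PEER_ACL):
        print(problem)
    print("mirrored" if acls_mirror(LOCAL_ACL, PEER_ACL) else "NOT mirrored")
```

The comparison is set-based, so the order of entries does not matter, but the action, both networks and both masks must agree exactly; a peer entry with a narrower mask (for example 255.255.255.0 where the local side uses 255.255.0.0) is reported as both a missing mirror and an unmatched entry, which is the usual symptom of one side of a LAN-to-LAN tunnel failing to negotiate the proxy identities.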

Defining a Tunnel Group

A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group
to identify AAA servers, specify connection parameters, and define a default group policy. The ASA
stores tunnel groups internally.
