Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 73 Configuring LAN-to-LAN IPsec VPNs
hostname(config-ipsec-proposal)#
Step 2 Enter the protocol and one or more encryption types. ESP is the only supported protocol. Every type you list can be negotiated by the peer, so include des or 3des only when a peer cannot use AES; otherwise list AES alone. For example:
hostname(config-ipsec-proposal)# protocol esp encryption 3des aes des
hostname(config-ipsec-proposal)#
Step 3 Enter an integrity type. The example uses sha-1; where the peer supports it, prefer a SHA-2 type such as sha-256. For example:
hostname(config-ipsec-proposal)# protocol esp integrity sha-1
hostname(config-ipsec-proposal)#
Step 4 Save your changes to the startup configuration (write memory).
Configuring an ACL
The adaptive security appliance uses access control lists to control network access. By default, the
adaptive security appliance denies all traffic, so you need to configure an ACL that permits it. For a LAN-to-LAN VPN this ACL also selects the traffic that is sent through the tunnel: only traffic it permits is protected by IPsec. For more
information, see Chapter 14, “Information About Access Lists.”
The ACLs that you configure for this LAN-to-LAN VPN control connections based on the source
and the translated destination IP addresses; an ACL for VPN traffic therefore uses the translated address, not the real one. For more information, see the “IP Addresses Used
for Access Lists When You Use NAT” section on page 14-3.
Configure ACLs that mirror each other on both sides of the connection: the source and destination networks on one peer are the destination and source networks on the other. Traffic that is not matched by both peers' ACLs does not pass through the tunnel.
To configure an ACL, perform the following steps:
Step 1 Enter the access-list extended command. The following example configures an ACL named l2l_list that
lets traffic from IP addresses in the 192.168.0.0/16 network travel to the 150.150.0.0/16 network. The syntax
is access-list listname extended permit ip source-ipaddress source-netmask destination-ipaddress
destination-netmask.
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)#
Step 2 Configure an ACL for the ASA on the other side of the connection that mirrors the ACL above, with the source and destination networks swapped. In the
following example the prompt for the peer is hostname2.
hostname2(config)# access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
hostname2(config)#
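The following script is an added example and is not part of the Cisco guide. It checks the two points made in the IPsec proposal steps and the ACL steps above: that an ESP proposal does not offer weak algorithms (des, 3des, md5, sha-1, null), and that the crypto ACLs on the two peers mirror each other. It parses ASA CLI text in the form shown on this page (the proposal name L2L-PROP and the 10.1.1.0/24 entry are constructed for the example; only the network/mask form of access-list extended permit ip is parsed, not host or object-group forms).

```python
"""Audit the IPsec proposal and crypto ACLs of two ASA LAN-to-LAN peers.

Added example, not part of the Cisco configuration guide. Input is ASA CLI
text as it appears in 'show running-config'.
"""
import ipaddress
import re

# Algorithms a reviewer would flag if an ESP proposal offers them.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha-1", "null"}

PROPOSAL_RE = re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$")
ESP_RE = re.compile(r"^protocol esp (encryption|integrity) (.+)$")
# Only the 'permit ip <net> <mask> <net> <mask>' form used on this page.
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)$"
)

# Constructed configs: the proposal name L2L-PROP and the extra 10.1.1.0/24
# entry on the first peer are assumptions; the rest follows the page.
HOSTNAME_CFG = """\
crypto ipsec ikev2 ipsec-proposal L2L-PROP
 protocol esp encryption 3des aes des
 protocol esp integrity sha-1
access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
access-list l2l_list extended permit ip 10.1.1.0 255.255.255.0 150.150.0.0 255.255.0.0
"""
HOSTNAME2_CFG = """\
crypto ipsec ikev2 ipsec-proposal L2L-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
"""


def weak_proposal_algorithms(config):
    """Return {proposal_name: [weak keywords]} for each IKEv2 IPsec proposal."""
    weak = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = PROPOSAL_RE.match(line)
        if m:
            current = m.group(1)
            weak.setdefault(current, [])
            continue
        m = ESP_RE.match(line)
        if m and current is not None:
            bad = WEAK_ENCRYPTION if m.group(1) == "encryption" else WEAK_INTEGRITY
            weak[current].extend(a for a in m.group(2).split() if a in bad)
    return weak


def parse_crypto_acl(config, name):
    """Return the permit entries of ACL `name` as a set of (src_net, dst_net)."""
    pairs = set()
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group("name") == name and m.group("action") == "permit":
            # ipaddress accepts a dotted netmask after the slash.
            src = ipaddress.IPv4Network(f"{m.group('src')}/{m.group('smask')}", strict=False)
            dst = ipaddress.IPv4Network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
            pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_pairs, remote_pairs):
    """Find entries that lack a swapped (dst, src) counterpart on the other peer.

    Returns (missing_on_remote, missing_on_local): sorted 'src -> dst' strings,
    each written in the direction of the peer that has the entry.
    """
    mirrored_remote = {(dst, src) for (src, dst) in remote_pairs}
    mirrored_local = {(dst, src) for (src, dst) in local_pairs}
    missing_on_remote = sorted(f"{s} -> {d}" for (s, d) in local_pairs - mirrored_remote)
    missing_on_local = sorted(f"{s} -> {d}" for (s, d) in remote_pairs - mirrored_local)
    return missing_on_remote, missing_on_local


if __name__ == "__main__":
    print("weak on hostname :", weak_proposal_algorithms(HOSTNAME_CFG))
    print("weak on hostname2:", weak_proposal_algorithms(HOSTNAME2_CFG))
    local = parse_crypto_acl(HOSTNAME_CFG, "l2l_list")
    remote = parse_crypto_acl(HOSTNAME2_CFG, "l2l_list")
    print("mirror mismatches:", mirror_mismatches(local, remote))
```

Run against the constructed configs, the first peer's proposal is reported for 3des, des and sha-1, and the 10.1.1.0/24 entry is reported as having no mirror on hostname2, which is exactly the traffic that would not pass through the tunnel.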
Note For more information on configuring an ACL with a vpn-filter, see “Configuring VPN-Specific
Attributes” section on page 67-42.
Defining a Tunnel Group
A tunnel group is a set of records that contain tunnel connection policies. You configure a tunnel group
to identify AAA servers, specify connection parameters, and define a default group policy. The ASA
stores tunnel groups internally.