Cisco ASA Site-to-Site Generator

General Settings

Pix Version: *

Peer IP: *

VPN Interface: *

VPN Access-List Name: *

Crypto Map Name: *

VPN Filter Required?
(Pix 7+ Only)

First VPN on Device?

Phase 1 Settings

Isakmp Policy Required?

Encryption: *

Hash: *

Diffie-Hellman Group: *

Timeout (in Seconds): *

Isakmp Policy Number: *
(unused isakmp policy number)

Pre-Shared Secret:
(If none entered, one will be created)

Phase 2 Settings

Encryption: *

Hash: *

Timeout (in Seconds): *

PFS: *

Crypto Map Number: *
(unused crypto map number)

The Policy number should be less then any crypto map with 'dynamic DYNMAP' in use
Make sure to check if sysopt is enabled
Ensure the iskamp policy number is unused on the firewall
1 Crypto Map per interface

ACLs should look like the following
access-list 101 permit ip <local-domain/ip> <remote-domain/ip>
access-list NONAT permit ip <local-domain/ip> <remote-domain/ip>
access-list vpn-filter permit <tcp|udp|ip> <remote-domain/ip> <local-domain/ip> <eq port>

sysopt connection permit-vpn
Remote Enc -> Local Enc traffic will NOT be checked against the outside ACL
If no vpn-filter is defined, ALL Remote Enc -> Local Enc traffic will be permitted

The Policy number should be less then any crypto map with 'dynamic DYNMAP' in use
Make sure to check if sysopt is enabled
Ensure the iskamp policy number is unused on the firewall
1 Crypto Map per interface

ACLs should look like the following
access-list 101 permit ip <local-domain/ip> <remote-domain/ip>
access-list NONAT permit ip <local-domain/ip> <remote-domain/ip>
access-list vpn-filter permit <tcp|udp|ip> <remote-domain/ip> <local-domain/ip> <eq port>

sysopt connection permit-vpn
Remote Enc -> Local Enc traffic will NOT be checked against the outside ACL
If no vpn-filter is defined, ALL Remote Enc -> Local Enc traffic will be permitted