How to build IPSEC VPN between USG6000 and CISCO ASA

Latest reply: Aug 1, 2018 06:42:10

Issue Description

How to build IPSEC VPN between USG6000 and CISCO ASA.

USG6000 version: V100R001C30SPC900

ASA5510 version: 8.2

USG6000 (115.192.185.102) - (125.77.254.53) ASA5510 ipsec interconnection reference.

Handling Process

USG configuration:

acl number 3500
 rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
 rule 15 permit ip source 10.4.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255
 rule 20 permit ip source 10.4.1.0 0.0.0.255 destination 10.3.0.0 0.0.255.255

ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 sa duration 28800 // USG is 86400 by default.

ike peer a
 pre-shared-key Yealink!123
 ike-proposal 1
 undo version 2 // suggest using V1 to build IPsec with other vendors
 remote-address 125.77.254.53

ipsec proposal 1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des

ipsec policy map1 10 isakmp
 security acl 3500
 pfs dh-group2
 ike-peer a
 proposal 1

nat-policy
 rule name ipsec
  source-zone trust
  source-address 10.4.1.0 24
  destination-zone untrust
  destination-address 10.1.0.0 16
  destination-address 10.2.0.0 16
  destination-address 10.3.0.0 16
  destination-address 192.168.1.0 24
  action no-nat

interface GigabitEthernet0/0/0
 ip address 115.192.185.102 255.255.255.0
 ipsec policy map1 auto-neg

ASA configuration:

crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

crypto isakmp key Yealink!123 address 115.192.185.102 // configure pre-shared key

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac // equal to USG ipsec proposal

access-list HZhuawei permit ip 192.168.1.0 255.255.255.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.2.0.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.3.0.0 255.255.0.0 10.4.1.0 255.255.255.0

crypto map outside_map0 30 match address HZhuawei
crypto map outside_map0 30 set peer 115.192.185.102
crypto map outside_map0 30 set transform-set ESP-3DES-SHA
crypto map outside_map0 30 set pfs group2


Solution
USG6000 (115.192.185.102) - (125.77.254.53) ASA5510 ipsec interconnection reference.
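
The USG ACL is written with wildcard masks and the ASA access-list with netmasks, and each entry on one side must be the mirror image of an entry on the other. The following check is an added example, not part of the original post: it compares the two lists and reports entries without a mirror. The function names are hypothetical and the sample input is constructed, with one ASA mask deliberately set wrong.

```python
import ipaddress
import re

# Constructed sample input modelled on the ACLs in the post. The first ASA
# line deliberately carries a /16 mask to show a selector mismatch.
USG_ACL = """\
rule 5 permit ip source 10.4.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip source 10.4.1.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
"""
ASA_ACL = """\
access-list HZhuawei permit ip 192.168.1.0 255.255.0.0 10.4.1.0 255.255.255.0
access-list HZhuawei permit ip 10.1.0.0 255.255.0.0 10.4.1.0 255.255.255.0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
USG_RULE = re.compile(rf"permit ip source {IP} {IP} destination {IP} {IP}")
ASA_RULE = re.compile(rf"permit ip {IP} {IP} {IP} {IP}")


def net(addr, mask):
    # ip_network() accepts a netmask (ASA) or a wildcard/host mask (USG);
    # strict=False tolerates host bits set in the address.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def selectors(pattern, text):
    """Parse ACL text into a set of (source, destination) networks."""
    return {(net(a, b), net(c, d)) for a, b, c, d in pattern.findall(text)}


def mirror_mismatches(usg_text, asa_text):
    """Hypothetical helper: selectors that lack a mirror image on the peer."""
    usg = selectors(USG_RULE, usg_text)
    # Swap source/destination so the ASA entries are seen from the USG side.
    asa = {(dst, src) for src, dst in selectors(ASA_RULE, asa_text)}
    fmt = lambda pairs: [(str(s), str(d)) for s, d in sorted(pairs)]
    return {"usg_only": fmt(usg - asa), "asa_only": fmt(asa - usg)}


if __name__ == "__main__":
    for side, pairs in mirror_mismatches(USG_ACL, ASA_ACL).items():
        for src, dst in pairs:
            print(f"{side}: {src} -> {dst} has no mirror on the peer")
```
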

:) If Huawei is a dynamic IP address, how to configure it on the Cisco firewall? Thank you

Hi, have you ever configured IPsec between Huawei firewall and Cisco firewall with certificate authentication?