Cisco ASA site to site VPN configuration

The following is an example of a Cisco ASA site-to-site (LAN-to-LAN) IPSec VPN configuration.

Here’s the network topology:

[Figure: Topology]

The endpoints for this VPN are Ethernet0/0 on FW1-CERTVIDEOS (100.1.1.1) and Ethernet0/0 on FW2-CERTVIDEOS (200.1.1.1).

Step 1: Permit the decrypted VPN traffic from the lower security level to the higher security level interface

If the IPSec session terminates on the appliance, the decrypted VPN traffic must be allowed to flow from the lower security level interface to the higher security level interface. There are two ways to do this:

  1. Create an ACL with permit statements for the decrypted VPN traffic on the interface ACL
  2. Use the sysopt connection permit-vpn command to exempt decrypted VPN traffic from the interface ACL altogether

The second option exempts the traffic of every VPN tunnel that terminates on the appliance, not only this one; where tunnel traffic still has to be filtered by the interface ACL, use the first option instead.

FW1-CERTVIDEOS(config)# sysopt connection permit-vpn

FW2-CERTVIDEOS(config)# sysopt connection permit-vpn

Step 2: Enable ISAKMP and IKE on the interface on which the IPSec tunnel is terminated

ISAKMP and IKE are disabled by default. These must be enabled on the interface on which the IPSec tunnel is terminated.

FW1-CERTVIDEOS(config)# crypto isakmp enable OUTSIDE

FW2-CERTVIDEOS(config)# crypto isakmp enable OUTSIDE

Step 3: Create an ISAKMP policy

FW1-CERTVIDEOS(config)# crypto isakmp policy 100
FW1-CERTVIDEOS(config-isakmp-policy)# encryption aes
FW1-CERTVIDEOS(config-isakmp-policy)# authentication pre-share
FW1-CERTVIDEOS(config-isakmp-policy)# hash sha
FW1-CERTVIDEOS(config-isakmp-policy)# group 2
FW1-CERTVIDEOS(config-isakmp-policy)# exit
FW1-CERTVIDEOS(config)#

FW2-CERTVIDEOS(config)# crypto isakmp policy 100
FW2-CERTVIDEOS(config-isakmp-policy)# encryption aes
FW2-CERTVIDEOS(config-isakmp-policy)# authentication pre-share
FW2-CERTVIDEOS(config-isakmp-policy)# hash sha
FW2-CERTVIDEOS(config-isakmp-policy)# group 2
FW2-CERTVIDEOS(config-isakmp-policy)# exit
FW2-CERTVIDEOS(config)#

Step 4: Create a tunnel-group

FW1-CERTVIDEOS(config)# tunnel-group 200.1.1.1 type ipsec-l2l
FW1-CERTVIDEOS(config)# tunnel-group 200.1.1.1 ipsec-attributes
FW1-CERTVIDEOS(config-tunnel-ipsec)# pre-shared-key certvideos.com
FW1-CERTVIDEOS(config-tunnel-ipsec)# exit
FW1-CERTVIDEOS(config)#

FW2-CERTVIDEOS(config)# tunnel-group 100.1.1.1 type ipsec-l2l
FW2-CERTVIDEOS(config)# tunnel-group 100.1.1.1 ipsec-attributes
FW2-CERTVIDEOS(config-tunnel-ipsec)# pre-shared-key certvideos.com
FW2-CERTVIDEOS(config-tunnel-ipsec)# exit
FW2-CERTVIDEOS(config)#

Step 5: Create an access-list that defines the interesting traffic (the traffic to be encrypted)

FW1-CERTVIDEOS(config)# access-list VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

FW2-CERTVIDEOS(config)# access-list VPN-ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Step 6: Create a transform-set

FW1-CERTVIDEOS(config)# crypto ipsec transform-set TRANS esp-sha-hmac esp-aes

FW2-CERTVIDEOS(config)# crypto ipsec transform-set TRANS esp-sha-hmac esp-aes

Step 7: Create a crypto map and apply it to the interface

FW1-CERTVIDEOS(config)# crypto map CRYPTO 100 set peer 200.1.1.1
FW1-CERTVIDEOS(config)# crypto map CRYPTO 100 set transform-set TRANS
FW1-CERTVIDEOS(config)# crypto map CRYPTO 100 match address VPN-ACL
FW1-CERTVIDEOS(config)# crypto map CRYPTO interface OUTSIDE

FW2-CERTVIDEOS(config)# crypto map CRYPTO 100 set peer 100.1.1.1
FW2-CERTVIDEOS(config)# crypto map CRYPTO 100 set transform-set TRANS
FW2-CERTVIDEOS(config)# crypto map CRYPTO 100 match address VPN-ACL
FW2-CERTVIDEOS(config)# crypto map CRYPTO interface OUTSIDE

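The seven steps above are two mirror-image configurations, and the usual reason such a tunnel never comes up is one value on a firewall that does not match its counterpart on the other: a crypto map peer that differs from the tunnel-group name (so the peer falls into the default L2L group with no pre-shared key), an interesting-traffic ACL that is not reversed, or a pre-shared key that differs. The Python script below is an added example, not code from the original page or a Cisco tool: render() writes the page's steps 1 to 7 for one side from a description of both, and check_pair() parses the two halves and reports every pairing rule that is broken. Side, render, parse, check_pair and demo are names chosen for this example; the addresses, subnets and key are the page's values.

```python
"""Render and cross-check the two mirror-image halves of an ASA IPsec L2L VPN.

Added example, not code from the original page or from Cisco. render() writes
steps 1-7 of the page for one side with the peer's values filled in;
check_pair() parses both sides and reports every pairing rule that is broken.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Side:
    hostname: str
    outside_if: str   # interface the tunnel terminates on
    outside_ip: str   # address the peer builds the tunnel to
    lan: str          # protected subnet behind this ASA
    lan_mask: str


def render(local: Side, remote: Side, psk: str, seq: int = 100) -> list[str]:
    """Steps 1-7 from the page for `local`; every peer-dependent value comes from `remote`."""
    return [
        "sysopt connection permit-vpn",                             # step 1
        f"crypto isakmp enable {local.outside_if}",                 # step 2
        f"crypto isakmp policy {seq}",                              # step 3
        " encryption aes",
        " authentication pre-share",
        " hash sha",
        " group 2",
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",        # step 4
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
        f"access-list VPN-ACL permit ip {local.lan} {local.lan_mask} "
        f"{remote.lan} {remote.lan_mask}",                          # step 5
        "crypto ipsec transform-set TRANS esp-sha-hmac esp-aes",    # step 6
        f"crypto map CRYPTO {seq} set peer {remote.outside_ip}",    # step 7
        f"crypto map CRYPTO {seq} set transform-set TRANS",
        f"crypto map CRYPTO {seq} match address VPN-ACL",
        f"crypto map CRYPTO interface {local.outside_if}",
    ]


def parse(lines):
    """Pull out of one side's config the values that must agree with the peer."""
    cfg = {"policy": [], "acl": []}
    for raw in lines:
        line = raw.strip()
        if m := re.fullmatch(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tunnel-group"] = m[1]
        elif m := re.fullmatch(r"pre-shared-key (\S+)", line):
            cfg["psk"] = m[1]
        elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl"].append(m.groups())                # (name, src, smask, dst, dmask)
        elif m := re.fullmatch(r"crypto map \S+ \d+ set peer (\S+)", line):
            cfg["crypto map peer"] = m[1]
        elif m := re.fullmatch(r"crypto map \S+ \d+ match address (\S+)", line):
            cfg["match"] = m[1]
        elif m := re.fullmatch(r"crypto ipsec transform-set \S+ (.+)", line):
            cfg["transform"] = frozenset(m[1].split())   # transform order is irrelevant
        elif line.startswith(("encryption ", "authentication ", "hash ", "group ")):
            cfg["policy"].append(line)                   # ISAKMP policy attributes
    return cfg


def check_pair(a: Side, a_lines, b: Side, b_lines) -> list[str]:
    """Return the pairing rules the two configs break; an empty list means they match."""
    ca, cb = parse(a_lines), parse(b_lines)
    problems = []
    for local, cfg, remote in ((a, ca, b), (b, cb, a)):
        # Both the tunnel-group name and the crypto map peer must be the other side's address.
        for what in ("tunnel-group", "crypto map peer"):
            if cfg.get(what) != remote.outside_ip:
                problems.append(f"{local.hostname}: {what} {cfg.get(what)} is not "
                                f"{remote.hostname}'s outside address {remote.outside_ip}")
    if ca.get("psk") != cb.get("psk"):
        problems.append("pre-shared keys differ")
    if ca.get("transform") != cb.get("transform"):
        problems.append("transform-sets differ")
    if ca["policy"] != cb["policy"]:
        problems.append("ISAKMP policies differ")
    # The ACL referenced by each crypto map must be the peer's ACL with source and destination swapped.
    ea = {e[1:] for e in ca["acl"] if e[0] == ca.get("match")}
    eb = {e[1:] for e in cb["acl"] if e[0] == cb.get("match")}
    if not ea or {(d, dm, s, sm) for (s, sm, d, dm) in ea} != eb:
        problems.append("interesting-traffic ACLs are not mirror images")
    return problems


# Constructed from the page's topology.
FW1 = Side("FW1-CERTVIDEOS", "OUTSIDE", "100.1.1.1", "192.168.1.0", "255.255.255.0")
FW2 = Side("FW2-CERTVIDEOS", "OUTSIDE", "200.1.1.1", "192.168.2.0", "255.255.255.0")
PSK = "certvideos.com"


def demo():
    """A consistent pair, then the same pair with a mistyped peer address on FW1."""
    good = check_pair(FW1, render(FW1, FW2, PSK), FW2, render(FW2, FW1, PSK))
    typo = [l.replace("set peer 200.1.1.1", "set peer 200.1.1.2") for l in render(FW1, FW2, PSK)]
    bad = check_pair(FW1, typo, FW2, render(FW2, FW1, PSK))
    return good, bad


if __name__ == "__main__":
    for side, peer in ((FW1, FW2), (FW2, FW1)):
        print(f"! {side.hostname}\n" + "\n".join(render(side, peer, PSK)) + "\n")
    good, bad = demo()
    print("consistent pair:", good)   # []
    print("mistyped peer:", bad)
```

parse() works on lines pasted from a real `show running-config` as well as on rendered ones, so the same check can be run against two existing firewalls before a tunnel is troubleshot; the transform-set comparison deliberately ignores the order in which the transforms were typed, since the ASA does not distinguish it.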