
A site-to-site VPN protects the network resources on your protected networks from unauthorized use by users on an unprotected network, such as the public Internet.

It’s not that hard to configure a site-to-site IPsec VPN on an ASA; you just need to know a few basic things.

Once you have decided which values to use, it’s time to configure the devices in 7 easy steps (make sure both sides use the same values):

1. Configure Interfaces

2. Configure ISAKMP policy

3. Configure transform-set

4. Configure ACL

5. Configure Tunnel group

6. Configure crypto map and attach to interface

7. Enable isakmp on interface

To allow VPN traffic to bypass the interface ACL: “sysopt connection permit-vpn”

By default the Cisco ASA does not allow access to the inside interface when the traffic arrives over the VPN tunnel, so if you want to manage the remote device over the VPN, enable it with: “management-access inside”

For bypassing NAT :

SITE_A

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

SITE_B

access-list nonat extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

and on both sites:

nat (inside) 0 access-list nonat

An example between two Cisco ASA devices:

SITE_A

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 195.42.2.51 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.10.1 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

3. Configure transform-set

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

4. Configure ACL

access-list encrypt_acl extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 195.42.1.50 type ipsec-l2l
tunnel-group 195.42.1.50 ipsec-attributes
pre-shared-key my_secret_key

6. Configure crypto map and attach to interface

crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 195.42.1.50
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside

7. Enable isakmp on interface

crypto isakmp enable outside

SITE_B

1. Configure Interfaces

interface GigabitEthernet0/0
ip address 195.42.1.50 255.255.255.0
nameif outside
no shutdown

interface GigabitEthernet0/1
ip address 192.168.20.1 255.255.255.0
nameif inside
no shutdown

2. Configure ISAKMP policy

crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

3. Configure transform-set

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

4. Configure ACL

access-list encrypt_acl extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

5. Configure Tunnel group

tunnel-group 195.42.2.51 type ipsec-l2l
tunnel-group 195.42.2.51 ipsec-attributes
pre-shared-key my_secret_key

6. Configure crypto map and attach to interface

crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer 195.42.2.51
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside

7. Enable isakmp on interface

crypto isakmp enable outside
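As an added example (not part of the original post or any Cisco tool), a small Python helper that generates both peers’ configs from one shared parameter set, so the “same values on both sides” requirement holds by construction, and a check that the two results really mirror each other (reversed crypto ACL, swapped peer addresses). The Site class, SHARED dictionary and function names are this example’s own; the addresses and names follow the post’s worked example.

```python
from dataclasses import dataclass

@dataclass
class Site:
    outside_ip: str   # public address on the outside interface
    inside_net: str   # protected subnet behind "inside" (network)
    inside_mask: str  # protected subnet behind "inside" (mask)

# Values that MUST be identical on both peers (ISAKMP policy, transform, PSK);
# addresses below follow the post's example.
SHARED = {
    "isakmp": ["authentication pre-share", "encryption aes-256",
               "hash sha", "group 2", "lifetime 86400"],
    "transform": "esp-aes-256 esp-sha-hmac",
    "psk": "my_secret_key",  # placeholder from the post, not a real key
}
SITE_A = Site("195.42.2.51", "192.168.10.0", "255.255.255.0")
SITE_B = Site("195.42.1.50", "192.168.20.0", "255.255.255.0")

def build_config(local: Site, remote: Site, shared: dict = SHARED) -> list:
    """ASA CLI lines for `local` peering with `remote`: the post's steps 1-7
    plus the nonat exemption (inside interface left out for brevity)."""
    # Interesting traffic is local -> remote; the peer gets the mirror image.
    acl = (f"permit ip {local.inside_net} {local.inside_mask} "
           f"{remote.inside_net} {remote.inside_mask}")
    return ["interface GigabitEthernet0/0",
            f"ip address {local.outside_ip} 255.255.255.0",
            "nameif outside", "no shutdown",
            "crypto isakmp policy 1", *shared["isakmp"],
            f"crypto ipsec transform-set myset {shared['transform']}",
            f"access-list encrypt_acl extended {acl}",
            f"access-list nonat extended {acl}",
            "nat (inside) 0 access-list nonat",
            f"tunnel-group {remote.outside_ip} type ipsec-l2l",
            f"tunnel-group {remote.outside_ip} ipsec-attributes",
            f"pre-shared-key {shared['psk']}",
            "crypto map IPSec_map 10 match address encrypt_acl",
            f"crypto map IPSec_map 10 set peer {remote.outside_ip}",
            "crypto map IPSec_map 10 set transform-set myset",
            "crypto map IPSec_map interface outside",
            "crypto isakmp enable outside"]

def mirrored(cfg_a: list, cfg_b: list) -> bool:
    """True when the crypto ACLs are reverses and each 'set peer' is the other side."""
    def tok(cfg, prefix):  # split the first line starting with `prefix`
        return next(l for l in cfg if l.startswith(prefix)).split()
    acl_a, acl_b = (tok(c, "access-list encrypt_acl")[-4:] for c in (cfg_a, cfg_b))
    peer_ok = (tok(cfg_a, "crypto map IPSec_map 10 set peer")[-1] == tok(cfg_b, "ip address")[2]
               and tok(cfg_b, "crypto map IPSec_map 10 set peer")[-1] == tok(cfg_a, "ip address")[2])
    return peer_ok and acl_a[:2] == acl_b[2:] and acl_a[2:] == acl_b[:2]
```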

If you want to monitor and troubleshoot the tunnel, you need to know these commands:

Phase 1: sh crypto isakmp sa detail

Phase 2: sh crypto ipsec sa

If you still have trouble with the tunnel, try debugging phase 1 and 2:

debug crypto engine 127
debug crypto isakmp 127
debug crypto ipsec 127
