# Cisco ASA Site to Site

##### Verification: NAT or transparent mode

<p class="callout info">Value should return ( Firewall mode: Router )</p>

<div id="bkmrk-show-firewall">```
show firewall
```

</div><p class="callout danger">**Always do a backup!!!**</p>

```shell
copy running-config disk0:/running-config-backup-DDMMYYYY
```

## ACL / No NAT Rules

Change net-local and and remote for local and remote IP

<p class="callout warning">You do not need to create a object for the LAN if you already have one for another tunnel // You also **can not** have 2 tunnels with the same remote IP's</p>

```shell
object-group network net-local
network-object 10.1.2.0 255.255.255.0
object-group network net-remote
network-object 192.168.1.0 255.255.255.0
```

Create a cryptomap ACL

```shell
access-list outside_1_cryptomap extended permit ip object-group net-local object-group net-remote
```

Allow traffic between the two sites to bypass NAT

<p class="callout warning">Always check the name of interface on the port channel, the tunnel will not work if your interface is named inside3</p>

```shell
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
```

## IKEV1 - Route based

```
tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 ipsec-attributes
 ikev1 pre-shared-key *****

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 lifetime 3600
 group 5

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec profile vpn1
 set ikev1 transform-set ESP-AES-256-SHA
 set security-association lifetime seconds 3600

interface Tunnel1
 nameif int-vpn1
 ip address 192.168.0.1 255.255.255.252 
 tunnel source interface outside
 tunnel destination 199.168.1.100
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn1

access-list vpn1-inbound extended permit ip any any
access-list vpn1-outbound extended permit ip any any
access-group vpn1-inbound in interface int-vpn1
access-group vpn1-outbound out interface int-vpn1

route int-vpn1 10.10.10.0 255.255.255.0 192.168.0.2 1
```

## IKEV1 - Policy based

Create the tunnel group, and configure the pre-shared key. (In ex; 199.168.1.100 = Remote WAN)

```shell
tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 ipsec-attributes
pre-shared-key INSERT_SECURE_PRE_SHARED_KEY_HERE
```

Declare the most common transform sets (only do once).

```shell
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
```

Phase 1 parameters

```shell
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
### Enable ikev1 on the outside interface - THIS JUST NEED TO BE CONFIGURED ONCE YOU SETUP THE FIRST VPN
crypto ikev1 enable outside
crypto ikev1 am-disable #(// Main mode remove this line for aggressive mode)
```

Enable ikev1 on the outside interface -**THIS JUST NEED TO BE DONE ON THE FIRST IKEV1 VPN**

```
crypto ikev1 enable outside
```

Set main mode // Do not include this line for aggressive mode

<p class="callout danger">This is a global setting, if you add the line bellow in a ASA that contains a tunnel that uses aggressive mode, it will break the other tunnel</p>

```
crypto ikev1 am-disable
```

Phase 2 parameters

<p class="callout warning">If you remove the ACL used by a tunnel, it will **remove** the line crypto map outside\_map 1 match address ACL\_NAME // Only set **PFS** if configured on the remote side, else skip the line</p>

```shell
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 3600
```

Enable the crypto map in the outside interface - **THIS JUST NEED TO BE DONE ON THE FIRST IKEV1 VPN**

```entry-title
crypto map outside_map interface outside
```

## IKEV2

Create the tunnel group, and configure the pre-shared key. (In ex; 199.168.1.100 = Remote WAN)

```
group-policy GroupPolicy_IKEv2 internal
group-policy GroupPolicy_IKEv2 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev2

tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 general-attributes
default-group-policy GroupPolicy_IKEv2
tunnel-group 199.168.1.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key ***
ikev2 local-authentication pre-shared-key ***
```

Declare the transform sets

```
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
```

Phase 1 parameters

```
crypto ikev2 policy 20 
encryption aes-256
integrity sha
group 2
prf sha 
lifetime seconds 86400
```

Phase 2 parameters

```entry-title
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set ikev2 ipsec-proposal ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto ikev2 enable outside
```

## NAT

If the request needs to go over the nated IP, do no use the ACL / Nat rules above, configure something like this:

```
nat (INSIDE,OUTSIDE) source static PRENAT_IP POSTNAT_IP destination static DESTINATION_IP DESTINATION_IP
```

```
access-list outside_1_cryptomap extended permit ip host NATTED_SOURCE_IP host NATTED_DESTINATION_IP
```

# Troubleshooting/Debug

Useful links:

- [http://www.cisco.com/en/US/products/ps6120/products\_tech\_note09186a00807e0aca.shtml#solunf](http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solunf)
- [http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf\_gd/ike.html](http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ike.html)
- [http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa\_90\_cli\_config/vpn\_ike.html#pgfId-1042302](http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_ike.html#pgfId-1042302)

Test connection (Run command 2x)

```
packet-tracer input inside icmp 10.1.2.100 8 0 192.168.1.100
```

Check IKEV1 Logs

```
debug crypto ikev1 127
```

Check IKEV2 Logs

```
debug crypto ikev2 protocal
```

Clear tunnel session

```
clear isakmp sa
```

Find pre-shared key

```
more system:running-config | grep pre-shared
```

Check basic VPN session information

```
sh isakmp sa
```

Check details on VPN session (Detailed)

```
show vpn-sessiondb detail ra-ikev1-ipsec
```

Capture traffic for the ACL related to the VPN

```
capture test access-list outside_1_cryptomap interface inside real-time
```

<p class="callout success">Once you are done, always remember to save your config</p>