Cisco ASA Site to Site

Verification: routed (NAT) or transparent firewall mode

The output should read: Firewall mode: Router

show firewall

Create a Backup

copy running-config disk0:/running-config-backup-DDMMYYYY

Define the local and remote networks. Replace the net-local and net-remote subnets with your own local and remote LAN ranges; the subnet command takes the network address (host bits zero), not a host address.

object network net-local
subnet 10.1.2.0 255.255.255.0
object network net-remote
subnet 192.168.1.0 255.255.255.0

Create the crypto map ACL (this defines the interesting traffic that will be encrypted)

access-list outside_1_cryptomap extended permit ip object net-local object net-remote

Allow traffic between the two sites to bypass NAT (identity NAT, so the packets still match the crypto ACL after the NAT stage)

nat (inside,outside) source static net-local net-local destination static net-remote net-remote

Create the tunnel group, and configure the pre-shared key. (199.168.1.100 = Remote WAN)

tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 ipsec-attributes
pre-shared-key INSERT_SECURE_PRE_SHARED_KEY_HERE

Declare the most common transform sets. Only the set referenced by the crypto map below is actually used; the DES, 3DES and MD5 sets are kept for interoperability with legacy peers and should not be chosen for a new tunnel when the peer supports AES/SHA.

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Phase 1 parameters

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!--- Enable IKEv1 on the outside interface. This only needs to be done once, when the first VPN is set up.
crypto ikev1 enable outside
!--- Disable aggressive mode so that only main mode is accepted. Remove this line if the peer requires aggressive mode.
crypto ikev1 am-disable

Phase 2 parameters

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set transform-set ESP-3DES-SHA
!--- Remove the following line if the remote side does not use PFS.
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 3600
!--- Apply the crypto map to the outside interface. This only needs to be done once, when the first VPN is set up.
crypto map outside_map interface outside
write memory
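
The IKEv1 steps above (objects, crypto ACL, identity NAT, transform set, phase 1 policy, crypto map) have to agree with each other, and a mistake such as a forgotten identity NAT only shows up later as traffic that never gets encrypted. The following is an added example, not part of the original page: a small linter that reads an ASA L2L config fragment, checks that the crypto map's ACL and transform set exist, that an identity NAT rule covers the ACL's objects, and flags DES/3DES/MD5 and DH groups 1/2/5. The sample config and the LEGACY set are constructed for this example; the object and ACL names are the ones used on this page.

```python
import re

# Constructed sample (not from the page): the IKEv1 ACL, transform set, policy and crypto map
# this page builds, with the identity-NAT line deliberately omitted so the linter catches it.
SAMPLE_CONFIG = """
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group2
"""

# Ciphers, hashes and DH groups treated as legacy here (DES/3DES/MD5, DH 1/2/5).
LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "1", "2", "5", "group1", "group2", "group5"}

def lint_asa_l2l(config):
    """Return a list of finding strings for an ASA IKEv1 L2L fragment; an empty list means clean."""
    acls, tsets, maps, nat_exempt, findings = {}, {}, {}, set(), []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line):
            acls[m[1]] = (m[2], m[3])                       # crypto ACL -> (local object, remote object)
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)$", line):
            tsets[m[1]] = {m[2], m[3]}                      # transform set -> {cipher, integrity}
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set pfs) (\S+)$", line):
            maps.setdefault(f"{m[1]} {m[2]}", {})[m[3]] = m[4]
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            nat_exempt.add(m.groups())                      # (src, src, dst, dst) when it is identity NAT
        elif m := re.match(r"(encryption|hash|group) (\S+)$", line):   # ikev1 policy body lines
            if m[2] in LEGACY:
                findings.append(f"ikev1 policy: '{m[1]} {m[2]}' is a legacy setting")
    for cmap, attrs in maps.items():
        acl, ts, pfs = attrs.get("match address"), attrs.get("set transform-set"), attrs.get("set pfs")
        if acl not in acls:
            findings.append(f"crypto map {cmap}: crypto ACL {acl} is not defined")
        elif (acls[acl][0], acls[acl][0], acls[acl][1], acls[acl][1]) not in nat_exempt:
            findings.append(f"crypto map {cmap}: no identity NAT for {acls[acl][0]} -> {acls[acl][1]}; "
                            "traffic will be translated before it can match the crypto ACL")
        if ts not in tsets:
            findings.append(f"crypto map {cmap}: transform-set {ts} is not defined")
        elif tsets[ts] & LEGACY:
            findings.append(f"crypto map {cmap}: transform-set {ts} uses {', '.join(sorted(tsets[ts] & LEGACY))}")
        if pfs in LEGACY:
            findings.append(f"crypto map {cmap}: pfs {pfs} is a legacy DH group")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_asa_l2l(SAMPLE_CONFIG)) or "no findings")
```

Feed it the output of `more system:running-config` (saved to a file) to check a live box; adding the nat line from this page to the sample clears the identity-NAT finding.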

IKEv2

group-policy GroupPolicy_IKEv2 internal
group-policy GroupPolicy_IKEv2 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev2
 
tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 general-attributes
default-group-policy GroupPolicy_IKEv2
tunnel-group 199.168.1.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key ***
ikev2 local-authentication pre-shared-key ***

!--- Configure the phase 1 (IKEv2) policy. IKEv2 adds a separate pseudo-random function (PRF), which is used to derive the keying material and for the hashing operations the IKEv2 tunnel requires.
crypto ikev2 policy 20
encryption aes-256
integrity sha256
group 5
prf sha
lifetime seconds 86400

!--- Enable IKEv2 on the outside interface (only needed once, when the first IKEv2 VPN is set up)
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA-256
protocol esp encryption aes-256
protocol esp integrity sha-256

The IPsec proposal is then attached to the crypto map entry for this peer, in the same place the IKEv1 transform set was set; the crypto ACL and peer address are shared with the IKEv1 configuration above.

NAT


To keep a NAT configuration in place behind the site-to-site tunnel (never do this unless the other side requests it). The crypto ACL must then match the translated (post-NAT) addresses, not the real ones:

nat (INSIDE,OUTSIDE) source static PRENAT_IP POSTNAT_IP destination static DESTINATION_IP DESTINATION_IP
access-list CRYPTOACL extended permit ip host NATTED_SOURCE_IP host NATTED_DESTINATION_IP

Debug

debug crypto ikev1 127
clear isakmp sa
more system:running-config | grep pre-shared
show vpn-sessiondb detail l2l