Cisco ASA Site to Site
Verification: routed or transparent mode
show firewall
The output should be: Firewall mode: Router
Always do a backup!!!
copy running-config disk0:/running-config-backup-DDMMYYYY
ACL / No NAT Rules
Change net-local and net-remote to the local and remote networks.
You do not need to create an object for the LAN if you already have one for another tunnel. You also cannot have two tunnels with the same remote IP.
object network net-local
subnet 10.1.2.0 255.255.255.0
object network net-remote
subnet 192.168.1.0 255.255.255.0
Create a cryptomap ACL
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
Allow traffic between the two sites to bypass NAT
Always check the interface name (nameif) used on the port channel: the rule below assumes it is called inside, and the tunnel will not work if your interface is actually named, for example, inside3.
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
IKEV1
Create the tunnel group and configure the pre-shared key. (In this example 199.168.1.100 is the remote WAN IP.)
tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 ipsec-attributes
pre-shared-key INSERT_SECURE_PRE_SHARED_KEY_HERE
Declare the most common transform sets (only do once).
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Phase 1 parameters (both peers must agree on these; 3des, sha and group 2 are legacy choices, use them only when the remote side cannot do better)
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Enable ikev1 on the outside interface - THIS ONLY NEEDS TO BE DONE ON THE FIRST IKEV1 VPN
crypto ikev1 enable outside
Set main mode // Do not include this line for aggressive mode
This is a global setting: if you add the line below on an ASA that already has a tunnel using aggressive mode, it will break that tunnel
crypto ikev1 am-disable
Phase 2 parameters
If you remove the ACL used by a tunnel, the ASA also removes the line "crypto map outside_map 1 match address ACL_NAME"
Only set PFS if it is configured on the remote side, otherwise skip that line
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set security-association lifetime seconds 3600
Enable the crypto map on the outside interface - THIS ONLY NEEDS TO BE DONE ON THE FIRST IKEV1 VPN
crypto map outside_map interface outside
IKEV2
Create the group policy and the tunnel group, and configure the pre-shared keys. (In this example 199.168.1.100 is the remote WAN IP.)
group-policy GroupPolicy_IKEv2 internal
group-policy GroupPolicy_IKEv2 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev2
tunnel-group 199.168.1.100 type ipsec-l2l
tunnel-group 199.168.1.100 general-attributes
default-group-policy GroupPolicy_IKEv2
tunnel-group 199.168.1.100 ipsec-attributes
ikev2 remote-authentication pre-shared-key INSERT_SECURE_PRE_SHARED_KEY_HERE
ikev2 local-authentication pre-shared-key INSERT_SECURE_PRE_SHARED_KEY_HERE
Declare the transform sets
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-1
Phase 1 parameters
crypto ikev2 policy 20
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
Phase 2 parameters
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 1 set ikev2 ipsec-proposal ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto ikev2 enable outside
NAT
If the traffic needs to go over the NATed IP, do not use the ACL / NAT rules above; configure something like this instead:
nat (INSIDE,OUTSIDE) source static PRENAT_IP POSTNAT_IP destination static DESTINATION_IP DESTINATION_IP
access-list outside_1_cryptomap extended permit ip host NATTED_SOURCE_IP host NATTED_DESTINATION_IP
Debug
debug crypto ikev1 127
debug crypto ikev2 protocol
clear isakmp sa
more system:running-config | grep pre-shared
show vpn-sessiondb detail l2l
capture test access-list outside_1_cryptomap interface inside real-time
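Added example, not part of these notes and not a Cisco tool: a small Python linter that reads a saved running-config and flags the pitfalls mentioned above, namely an object subnet with host bits set, a NAT exemption naming an interface that has no nameif, one peer IP used by two crypto map entries, and a crypto map entry whose ACL no longer exists. The sample config is constructed and deliberately contains each mistake.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample running-config excerpt (not a real device dump) with the mistakes the notes warn about.
SAMPLE_CONFIG = """\
interface Port-channel1.10
 nameif inside3
interface GigabitEthernet0/0
 nameif outside
object network net-local
 subnet 10.1.2.10 255.255.255.0
object network net-remote
 subnet 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
nat (inside,outside) source static net-local net-local destination static net-remote net-remote
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 199.168.1.100
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 199.168.1.100
"""

def lint_asa_l2l(config: str) -> list[str]:
    """Return findings for the site-to-site pitfalls listed in the notes above."""
    findings = []
    nameifs = set(re.findall(r"^\s*nameif (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+)", config, re.M))
    # 1. object network subnets must be network addresses (no host bits set)
    for name, addr, mask in re.findall(r"^object network (\S+)\n subnet (\S+) (\S+)", config, re.M):
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        if str(net.network_address) != addr:
            findings.append(f"object {name}: {addr} {mask} has host bits set, use {net.network_address}")
    # 2. the NAT exemption must name interfaces that really exist (nameif)
    for ifaces in re.findall(r"^nat \((\S+)\) source static", config, re.M):
        for ifname in ifaces.split(","):
            if ifname not in nameifs:
                findings.append(f"nat rule uses interface '{ifname}' but no such nameif exists")
    # 3. a remote peer may be used by only one crypto map entry (one tunnel)
    peers = defaultdict(list)
    for seq, peer in re.findall(r"^crypto map \S+ (\d+) set peer (\S+)", config, re.M):
        peers[peer].append(seq)
    for peer, seqs in peers.items():
        if len(seqs) > 1:
            findings.append(f"peer {peer} is set in crypto map entries {', '.join(seqs)}")
    # 4. every crypto map entry must reference an ACL that still exists
    for seq, acl in re.findall(r"^crypto map \S+ (\d+) match address (\S+)", config, re.M):
        if acl not in acls:
            findings.append(f"crypto map entry {seq} references ACL {acl}, which does not exist")
    return findings
```

Run it against the output of "more system:running-config" saved to a file; an empty list means none of the four pitfalls was found.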
Once you are done, always remember to save your config