How to Configure Site to Site IPSec VPN On CISCO ASA Firewall

In this tutorial we will learn how to configure a site-to-site IPsec VPN on a Cisco ASA firewall, using the command line on ASA version 8.4. A site-to-site IPsec VPN secures communication between sites, LANs or branches over the Internet, providing confidentiality, integrity and authenticity.

First we need to understand the topology (image below). There are two sites, Site A and Site B. The ASA firewall interfaces at both sites must already be configured with IP addresses, and the Site A outside interface must be reachable from the Site B outside interface.

Configure Site to Site IPSec VPN On CISCO ASA Firewall


Site-A ASA Firewall Configuration

1. First, enable IKEv1 on the outside interface of the Site-A ASA firewall. If it is already enabled there is no need to enable it again.

Site-A(config)# crypto ikev1 enable outside

2. Now configure the Phase-1 (IKEv1) parameters. There are five parameters to define: encryption method, hashing algorithm, Diffie-Hellman group, authentication method and lifetime.

Site-A(config)# crypto ikev1 policy 2
Site-A(config-ikev1-policy)# encryption aes
Site-A(config-ikev1-policy)# hash sha
Site-A(config-ikev1-policy)# group 2
Site-A(config-ikev1-policy)# authentication pre-share
Site-A(config-ikev1-policy)# lifetime 86400

3. Now create the tunnel group. The tunnel group name is the outside IP address of the Site-B ASA firewall (in my case the tunnel group name will be 4.2.2.2). We also have to set the pre-shared key, which must be identical on both sides.

Site-A(config)# tunnel-group 4.2.2.2 type ipsec-l2l
Site-A(config)# tunnel-group 4.2.2.2 ipsec-attributes
Site-A(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123

4. Now create an extended access-list that defines the interesting traffic, i.e. which traffic is sent through the IPsec VPN tunnel.

Site-A(config)# access-list 1 permit ip 150.1.1.0 255.255.255.0 160.1.1.0 255.255.255.0

5. Now configure the IPsec transform set for the Phase-2 tunnel, defining the encryption and hashing algorithms. Here rock is the name of the transform set.

Site-A(config)# crypto ipsec ikev1 transform-set rock esp-aes esp-sha-hmac

6. Now create a crypto map that ties the above configuration together. Here MAAHI is the name of the crypto map.

Site-A(config)# crypto map MAAHI 10 match address 1
Site-A(config)# crypto map MAAHI 10 set peer 4.2.2.2
Site-A(config)# crypto map MAAHI 10 set ikev1 transform-set rock
Site-A(config)# crypto map MAAHI 10 set pfs

7. Now apply the crypto map to the outside interface of the Site-A ASA firewall.

Site-A(config)# crypto map MAAHI interface outside

Now save the configuration.

Site-A(config)# write memory

Configure IPSec VPN on ASA Firewall


Site-B ASA Firewall Configuration

The same seven steps are repeated on Site-B with the addresses mirrored: the tunnel group name and the crypto map peer become the Site-A outside address (4.2.2.1), and the access-list swaps the source and destination networks. The pre-shared key, IKEv1 policy and transform set are the same as on Site-A.

Site-B(config)# crypto ikev1 enable outside

Site-B(config)# crypto ikev1 policy 2
Site-B(config-ikev1-policy)# encryption aes
Site-B(config-ikev1-policy)# hash sha
Site-B(config-ikev1-policy)# group 2
Site-B(config-ikev1-policy)# authentication pre-share
Site-B(config-ikev1-policy)# lifetime 86400


Site-B(config)# tunnel-group 4.2.2.1 type ipsec-l2l
Site-B(config)# tunnel-group 4.2.2.1 ipsec-attributes
Site-B(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123

Site-B(config)# access-list 1 permit ip 160.1.1.0 255.255.255.0 150.1.1.0 255.255.255.0

Site-B(config)# crypto ipsec ikev1 transform-set rock esp-aes esp-sha-hmac

Site-B(config)# crypto map MAAHI 10 match address 1
Site-B(config)# crypto map MAAHI 10 set peer 4.2.2.1
Site-B(config)# crypto map MAAHI 10 set ikev1 transform-set rock
Site-B(config)# crypto map MAAHI 10 set pfs

Site-B(config)# crypto map MAAHI interface outside

Site-B(config)# write memory

The site-to-site IPsec VPN is now configured on both firewalls. You can initiate traffic from the inside LAN and check whether it passes through the VPN.
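Most failed site-to-site tunnels come from the two sides not mirroring each other exactly: a Phase-1 policy or transform set that differs, a pre-shared key that was typed differently, or a crypto ACL that is not the exact reverse of the peer's. The script below is an added example, not code from the original post: it renders the seven Site-A steps and their Site-B mirror from one parameter set and then checks two pasted configurations for the usual mismatches. It assumes the tutorial's own addresses (4.2.2.1 and 4.2.2.2, 150.1.1.0/24 and 160.1.1.0/24) and names (rock, MAAHI); the pre-shared key is a placeholder.

```python
"""Added example, not from the original post: build the mirrored Site-A and
Site-B configurations from one parameter set and check that the two sides
agree before anything is typed into the firewalls.

Assumed values are the tutorial's own (4.2.2.1 / 4.2.2.2, 150.1.1.0/24 and
160.1.1.0/24, transform set "rock", crypto map "MAAHI"); the pre-shared key is
a placeholder.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str        # hostname prefix, e.g. "Site-A"
    outside_ip: str  # outside interface address (becomes the peer's tunnel-group name)
    lan: str         # local subnet behind the firewall, written "network mask"


@dataclass(frozen=True)
class TunnelParams:
    policy_id: int = 2
    encryption: str = "aes"   # tutorial value; "aes-256" is also a valid ASA keyword
    hash_alg: str = "sha"
    dh_group: int = 2
    lifetime: int = 86400
    acl_id: int = 1
    transform_set: str = "rock"
    crypto_map: str = "MAAHI"
    seq: int = 10
    psk: str = "cisco123"     # placeholder only; must be identical on both peers


def render(local: Site, remote: Site, p: TunnelParams) -> list:
    """ASA 8.4 CLI lines for `local`, peering with `remote` (steps 1-7 of the post)."""
    return [
        "crypto ikev1 enable outside",
        f"crypto ikev1 policy {p.policy_id}",
        f" encryption {p.encryption}",
        f" hash {p.hash_alg}",
        f" group {p.dh_group}",
        " authentication pre-share",
        f" lifetime {p.lifetime}",
        f"tunnel-group {remote.outside_ip} type ipsec-l2l",
        f"tunnel-group {remote.outside_ip} ipsec-attributes",
        f" ikev1 pre-shared-key {p.psk}",
        # interesting traffic: local LAN -> remote LAN; the peer states the reverse
        f"access-list {p.acl_id} permit ip {local.lan} {remote.lan}",
        f"crypto ipsec ikev1 transform-set {p.transform_set} "
        f"esp-{p.encryption} esp-{p.hash_alg}-hmac",
        f"crypto map {p.crypto_map} {p.seq} match address {p.acl_id}",
        f"crypto map {p.crypto_map} {p.seq} set peer {remote.outside_ip}",
        f"crypto map {p.crypto_map} {p.seq} set ikev1 transform-set {p.transform_set}",
        f"crypto map {p.crypto_map} {p.seq} set pfs",
        f"crypto map {p.crypto_map} interface outside",
    ]


# Lines that must be identical on both peers.
MUST_MATCH = (" encryption ", " hash ", " group ", " lifetime ",
              " ikev1 pre-shared-key ", "crypto ipsec ikev1 transform-set ")


def _first(lines, pattern):
    """Return the groups of the first line matching `pattern`, or None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.groups()
    return None


def mismatches(cfg_a: list, cfg_b: list) -> list:
    """Return a list of problems; an empty list means the two sides mirror correctly."""
    problems = []
    for prefix in MUST_MATCH:
        a = [ln for ln in cfg_a if ln.startswith(prefix)]
        b = [ln for ln in cfg_b if ln.startswith(prefix)]
        if a != b:
            problems.append(f"'{prefix.strip()}' differs: {a} vs {b}")
    acl = r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$"
    acl_a, acl_b = _first(cfg_a, acl), _first(cfg_b, acl)
    if acl_a is None or acl_b is None or acl_a != (acl_b[1], acl_b[0]):
        problems.append("crypto ACLs are not mirror images of each other")
    for label, cfg in (("A", cfg_a), ("B", cfg_b)):
        peer = _first(cfg, r"crypto map \S+ \d+ set peer (\S+)$")
        tg = _first(cfg, r"tunnel-group (\S+) type ipsec-l2l$")
        if peer != tg:  # the L2L tunnel-group name must be the peer address
            problems.append(f"side {label}: set peer {peer} does not match tunnel-group {tg}")
    return problems


SITE_A = Site("Site-A", "4.2.2.1", "150.1.1.0 255.255.255.0")
SITE_B = Site("Site-B", "4.2.2.2", "160.1.1.0 255.255.255.0")

if __name__ == "__main__":
    params = TunnelParams()
    cfg_a, cfg_b = render(SITE_A, SITE_B, params), render(SITE_B, SITE_A, params)
    print("\n".join(cfg_a))
    print("mismatches:", mismatches(cfg_a, cfg_b))
```

The `MUST_MATCH` check catches the Phase-1 and Phase-2 parameters that have to agree, while the ACL and peer checks catch the two things that have to be reversed rather than copied. Because `render` produces both sides from the same `TunnelParams`, changing `hash_alg` or `encryption` in one place also updates the transform set, which is the pairing that is easiest to get wrong when editing by hand.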


Troubleshooting

Command to check the IKEv1 SA (Phase 1)

Site-A(config)# show crypto ikev1 sa

Command to check the IPsec SA (Phase 2)

Site-A(config)# show crypto ipsec sa
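The two show commands are read in that order: first confirm the IKEv1 SA with the peer exists and is fully established, then look at the IPsec SA counters. Packets being encapsulated with nothing decapsulated means our side is sending into the tunnel but the far side never answers, which points at the peer's ACL or routing rather than at our own configuration. The script below is an added example, not code from the original post; the two sample outputs are constructed for it and modeled on the ASA format (real output carries more fields, which the regexes ignore), and the peer address 4.2.2.2 is the tutorial's.

```python
"""Added example, not from the original post: read the output of the two
troubleshooting commands and report whether each phase of the tunnel to a
peer is healthy.

The sample outputs below are constructed for this example and modeled on the
ASA format; real output carries more fields, which the regexes ignore.
"""
import re
from typing import Optional

# Constructed sample of `show crypto ikev1 sa` on Site-A with Phase 1 up.
SAMPLE_IKEV1_SA = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 4.2.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample of `show crypto ipsec sa` on Site-A. Traffic is being
# encrypted (encaps) but nothing comes back (decaps): a one-way tunnel.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: MAAHI, seq num: 10, local addr: 4.2.2.1

      access-list 1 extended permit ip 150.1.1.0 255.255.255.0 160.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (150.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (160.1.1.0/255.255.255.0/0/0)
      current_peer: 4.2.2.2

      #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def phase1_state(output: str, peer: str) -> Optional[str]:
    """Return the IKEv1 SA state for `peer` (e.g. 'MM_ACTIVE'), or None if absent."""
    block = re.search(rf"IKE Peer:\s*{re.escape(peer)}\b(.*?)(?=\n\d+\s+IKE Peer:|\Z)",
                      output, re.S)
    if not block:
        return None
    m = re.search(r"State\s*:\s*(\S+)", block.group(1))
    return m.group(1) if m else None


def phase2_counters(output: str, peer: str) -> Optional[dict]:
    """Return {'encaps': n, 'decaps': n} for the IPsec SA whose current_peer is `peer`."""
    for chunk in re.split(r"\n(?=\s*Crypto map tag:)", output):
        if re.search(rf"current_peer:\s*{re.escape(peer)}\b", chunk):
            enc = re.search(r"#pkts encaps:\s*(\d+)", chunk)
            dec = re.search(r"#pkts decaps:\s*(\d+)", chunk)
            if enc and dec:
                return {"encaps": int(enc.group(1)), "decaps": int(dec.group(1))}
    return None


def diagnose(ikev1_out: str, ipsec_out: str, peer: str) -> str:
    """One-word verdict combining both phases, in the order a troubleshooter checks them."""
    state = phase1_state(ikev1_out, peer)
    if state is None:
        return "phase1-missing"   # no IKE SA at all: check reachability, PSK, policy match
    if state != "MM_ACTIVE":
        return f"phase1-incomplete:{state}"   # stalled main mode: usually PSK/policy mismatch
    c = phase2_counters(ipsec_out, peer)
    if c is None:
        return "phase2-missing"   # IKE up but no IPsec SA: ACL / transform-set mismatch
    if c["encaps"] and not c["decaps"]:
        return "phase2-one-way"   # we encrypt, peer never answers: far-side ACL or routing
    return "healthy"


if __name__ == "__main__":
    print(phase1_state(SAMPLE_IKEV1_SA, "4.2.2.2"))
    print(phase2_counters(SAMPLE_IPSEC_SA, "4.2.2.2"))
    print(diagnose(SAMPLE_IKEV1_SA, SAMPLE_IPSEC_SA, "4.2.2.2"))
```

Run against real output by piping the two commands into files and passing their contents to `diagnose` with the peer address from the crypto map. The verdict strings are deliberately coarse; the point is the ordering, since a Phase-2 symptom is meaningless until Phase 1 shows the peer in an active state.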

Rakesh Kumar
Rakesh Kumar is a network engineer and a blogger. He is passionate about learning and writing about technology, and runs a tech and computer tips and tricks blog.