There are multiple parts to the IPsec Site-to-Site VPN config.
– Create access list to specify what will be encrypted
– Create access list to specify what should go over the VPN, and not be NATed
– Create Phase 1 (IKE) settings and apply it to the selected interface.
– Create our transformation set (what encryption settings we will use for phase 2).
– Create Phase 2 (ESP) settings otherwise known as a Crypto map.
– Apply Crypto map settings specifying interface.
– Create the tunnel object for peer.
Config:
ASA 1 Core
Create Objects
First create the objects representing what will be found on each side of the VPN.
config t
object network Local-Subnet
subnet 10.100.1.0 255.255.255.0
object network Remote-Subnet
subnet 10.100.2.0 255.255.255.0
Encryption Access-list
Next I will create the access list that tells the firewall what to encrypt.
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
Now we need to make sure this traffic is not translated and forwarded out of our WAN interface as ordinary Internet traffic, and that the firewall knows to send it over the VPN. We do this with a “No-NAT” statement. This is different from how it was done in 8.2 and below; here we specify it with a different kind of nat statement, an identity NAT that leaves both source and destination unchanged.
No NAT
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
IKE Settings
Now it's time for the VPN settings!
First let's create our IKE settings and enable IKEv1 on the outside interface.
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Create the IPSEC transformation
crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac
Crypto MAP (Phase 2)
Now let's create our crypto map and put it all together.
crypto map VPN 10 match address VPN-to-Remote
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.2
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
There are a few optional settings, like the lifetime; by default it's 28800 seconds. In this config I am just making it explicit that that's what it's set to. You can also set “reverse-route”, which adds the route to the remote subnet into the routing table so you can push it out in a routing protocol.
We will also need to apply the Crypto map to the interface.
crypto map VPN interface outside
Tunnel Group/PSK
Our last step is to create the tunnel group with our peer IP/DNS name and set the PSK.
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
ikev1 pre-shared-key presharedkey
Below is the config for the Remote side.
config t
object network Local-Subnet
subnet 10.100.2.0 255.255.255.0
object network Core-Subnet
subnet 10.100.1.0 255.255.255.0
access-list VPN-to-Core extended permit ip object Local-Subnet object Core-Subnet
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Core-Subnet Core-Subnet
crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto map VPN 10 match address VPN-to-Core
crypto map VPN 10 set pfs
crypto map VPN 10 set peer 1.1.1.1
crypto map VPN 10 set ikev1 transform-set transfrom
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
crypto map VPN interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key presharedkey
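As an added example (it is not part of the original post), here is a small Python checker that parses the two sides of an ASA IKEv1 site-to-site config laid out as above and flags the things that most often keep a tunnel down or leak traffic out unencrypted: a crypto map pointing at an ACL that was never defined, an ACL entry with no matching NAT exemption, a peer with no tunnel-group/PSK, and the two sides not being mirror images (networks swapped, same IKE policy, same transform-set, same PSK). The sample configs are constructed for this example; they reuse the addresses from the post, assume the ACL is written with `object X object Y`, and the remote side deliberately carries the ACL-name slip so the checker has something to catch. It also warns on 3DES and DH group 2, which are weak by current standards.

```python
import re

# Constructed sample: the core side of an ASA IKEv1 site-to-site tunnel (assumed
# values, not taken from a live device). Note the ACL uses "object X object Y".
CORE_CFG = """
object network Local-Subnet
 subnet 10.100.1.0 255.255.255.0
object network Remote-Subnet
 subnet 10.100.2.0 255.255.255.0
access-list VPN-to-Remote extended permit ip object Local-Subnet object Remote-Subnet
nat (inside,outside) source static Local-Subnet Local-Subnet destination static Remote-Subnet Remote-Subnet
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set transfrom esp-3des esp-sha-hmac
crypto map VPN 10 match address VPN-to-Remote
crypto map VPN 10 set peer 1.1.1.2
crypto map VPN 10 set ikev1 transform-set transfrom
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes
 ikev1 pre-shared-key presharedkey
"""
# Remote side derived from the core config: subnets and peer swapped, plus a deliberate
# slip: the crypto map references an ACL name that is never defined.
REMOTE_CFG = (CORE_CFG.replace("10.100.1.0", "@@").replace("10.100.2.0", "10.100.1.0")
              .replace("@@", "10.100.2.0").replace("1.1.1.2", "1.1.1.1")
              .replace("match address VPN-to-Remote", "match address VPN-to-Core"))

WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # flagged on sight

def parse_asa(cfg):
    """Extract the parts of an ASA IKEv1 L2L config that must line up with the peer."""
    p = {"objects": {}, "acls": {}, "nonat": set(), "ike": {}, "ts": {}, "map": {}, "psk": {}}
    ctx = None  # ("obj", name) inside an object network, ("tg", peer) inside a tunnel-group
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            ctx = ("obj", m[1])
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and ctx and ctx[0] == "obj":
            p["objects"][ctx[1]] = (m[1], m[2])
        elif m := re.match(r"access-list (\S+) extended permit ip object (\S+) object (\S+)$", line):
            p["acls"].setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2$", line):
            p["nonat"].add((m[1], m[2]))  # identity NAT = exemption for this src/dst pair
        elif m := re.match(r"(encryption|hash|group) (\S+)$", line):
            p["ike"][m[1]] = m[2]  # lifetime is negotiated, so it is not compared
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            p["ts"][m[1]] = set(m[2].split())
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set ikev1 transform-set) (\S+)$", line):
            p["map"][m[1]] = m[2]
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            ctx = ("tg", m[1])
        elif (m := re.match(r"ikev1 pre-shared-key (\S+)$", line)) and ctx and ctx[0] == "tg":
            p["psk"][ctx[1]] = m[1]
    return p

def check_side(p):
    """Checks possible on one firewall alone; returns a list of ERROR/WARN strings."""
    out = []
    acl, ts, peer = (p["map"].get(k) for k in ("match address", "set ikev1 transform-set", "set peer"))
    if acl not in p["acls"]:
        out.append(f"ERROR: crypto map matches ACL {acl!r} but no such access-list exists")
    for src, dst in p["acls"].get(acl, []):  # every encrypted pair needs a NAT exemption
        if (src, dst) not in p["nonat"]:
            out.append(f"ERROR: no NAT exemption for {src} -> {dst}; it would be NATed, not encrypted")
    if ts not in p["ts"]:
        out.append(f"ERROR: transform-set {ts!r} is not defined")
    if peer not in p["psk"]:
        out.append(f"ERROR: no tunnel-group / pre-shared-key for peer {peer}")
    weak = ({p["ike"].get("encryption"), p["ike"].get("hash")} | p["ts"].get(ts, set())) & WEAK
    if p["ike"].get("group") in {"1", "2"}:
        weak.add("dh-group-" + p["ike"]["group"])
    if weak:
        out.append("WARN: weak algorithms in use: " + ", ".join(sorted(weak)))
    return out

def check_pair(a, b):
    """Checks needing both ends: mirrored networks, equal IKE/IPsec parameters, equal PSK."""
    def nets(p):  # set of (src_subnet, dst_subnet) that this side's encryption ACL protects
        acl = p["acls"].get(p["map"].get("match address"), [])
        return {(p["objects"].get(s), p["objects"].get(d)) for s, d in acl}
    def ts(p): return p["ts"].get(p["map"].get("set ikev1 transform-set"))
    def psk(p): return p["psk"].get(p["map"].get("set peer"))
    out = []
    if {(d, s) for s, d in nets(a)} != nets(b):
        out.append("ERROR: encryption ACLs are not mirror images of each other")
    if a["ike"] != b["ike"]:
        out.append("ERROR: IKE policy (encryption/hash/group) differs between sides")
    if ts(a) != ts(b):
        out.append("ERROR: IPsec transform-sets differ")
    if psk(a) != psk(b):
        out.append("ERROR: pre-shared keys differ")
    return out

if __name__ == "__main__":
    core, remote = parse_asa(CORE_CFG), parse_asa(REMOTE_CFG)
    print("core:", check_side(core), "\nremote:", check_side(remote), "\npair:", check_pair(core, remote))
```

Run it as a script and the remote side reports the undefined ACL while the pair check reports that the protected networks do not mirror; rename the remote crypto map's `match address` to the ACL that actually exists and both errors disappear, leaving only the algorithm warning on each side.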