Cisco ASA site to site VPN

Setup ASA Site to Site VPN:

This is a guide to setting up a Cisco ASA site-to-site VPN. I am connecting out to a remote peer of 1.1.1.1; in reality this will be your remote peer's public IP.

Set up your IPsec proposals (IKEv2) and transform sets (IKEv1). The list below is the full set an ASA is usually provisioned with; DES, 3DES, MD5 and SHA-1 are weak and should be left out unless the remote peer cannot negotiate anything stronger, since the ASA will accept whichever proposal the peer picks from the list you offer.

crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite

!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

Note that these two -TRANS transform sets are transport mode and are not what the crypto map further down references. A site-to-site (L2L) tunnel needs tunnel mode, which is the default when "mode transport" is not set; the tunnel-mode sets the crypto map names (ESP-AES-256-SHA and friends) are the ones ASDM creates by default and are assumed to already exist on the firewall.

Now create the access list that defines the interesting traffic, i.e. the local network talking to the remote network. In this case I've called it WAN_cryptomap_3. The two network objects it references (192.168.1.0 and 192.168.17.0_24) must already exist, and the remote peer needs the mirror image of this rule or phase 2 will fail with a traffic selector mismatch.

access-list WAN_cryptomap_3 extended permit ip object 192.168.1.0 object 192.168.17.0_24

Now create the site-to-site crypto map entry, with the public address you want to set up the tunnel to. In this case I am using a dummy IP of 1.1.1.1 as I don't want to give out my real public addresses; 1.1.1.1 is the public address of the peer. You need to reference the access list you created beforehand (WAN_cryptomap_3). The transform sets and proposals are offered in the order listed, so trim the list to the strong ones you actually want to allow rather than everything the firewall supports.

crypto map WAN_map 3 match address WAN_cryptomap_3
crypto map WAN_map 3 set peer 1.1.1.1
crypto map WAN_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

Now create the group policy and tunnel group that hold the pre-shared key and the connection attributes (allowed IKE versions, and so on). For IKEv2 the local and remote pre-shared keys may be different; the remote key must match what the peer sends and the local key what the peer expects from you.

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Then the IKEv2 policy, which sets the phase 1 attributes: encryption, integrity, Diffie-Hellman group, PRF and lifetime (the "crypto ca trustpool policy" line is a default and has nothing to do with the tunnel). Here "integrity sha" means SHA-1 and "group 5 2" means DH groups 5 and 2 (1536-bit and 1024-bit MODP); prefer sha256 and group 14 or higher where the peer supports it.

crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Lastly you need an identity NAT rule to tell the firewall NOT to translate traffic for the remote destination network; if it is translated, the packets never match the crypto ACL and are sent out unencrypted. Check the interface pair: the first name is the interface the 192.168.1.0 network sits behind and the second is the interface the tunnel terminates on, so (WAN,WAN) only matches if both are on WAN. Also remember that the crypto map has to be applied to the WAN interface, and IKEv1/IKEv2 enabled on that interface, before the tunnel will negotiate.

nat (WAN,WAN) source static 192.168.1.0 192.168.1.0 destination static 192.168.17.0_24 192.168.17.0_24 no-proxy-arp route-lookup
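As an added example (this is not the original post's configuration), here is the same tunnel consolidated into one hardened, IKEv2-only config: AES-256-GCM for ESP, SHA-256 for IKE, ECDH group 19 with group 14 as fallback, PFS on, plus the pieces the walkthrough does not show (the network objects, binding the crypto map to the interface, enabling IKEv2 on it, and the show commands to verify the result). The object names LAN_192.168.1.0_24 and REMOTE_192.168.17.0_24, the inside interface name "inside", the policy sequence numbers and the PSK placeholder are assumptions; 1.1.1.1 is the dummy peer address used in the post. The peer must be configured with the matching proposal or phase 1 will not complete.

```cisco
! Added example, not the original post's config. IKEv2-only, AES-256-GCM,
! SHA-256, ECDH group 19 (group 14 as fallback). Object names, the "inside"
! interface name and the PSK placeholder are assumptions; 1.1.1.1 is the
! dummy peer address used in the post.

! 1. Network objects (the walkthrough references objects it never defines)
object network LAN_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_192.168.17.0_24
 subnet 192.168.17.0 255.255.255.0

! 2. Interesting traffic: local LAN <-> remote LAN (mirror this ACL on the peer)
access-list WAN_cryptomap_3 extended permit ip object LAN_192.168.1.0_24 object REMOTE_192.168.17.0_24

! 3. Identity NAT so VPN traffic is not translated (inside -> WAN, not WAN -> WAN)
nat (inside,WAN) source static LAN_192.168.1.0_24 LAN_192.168.1.0_24 destination static REMOTE_192.168.17.0_24 REMOTE_192.168.17.0_24 no-proxy-arp route-lookup

! 4. IKEv2 (phase 1) policy: no DES/3DES, no MD5/SHA-1, no DH group 2/5
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19 14
 prf sha256
 lifetime seconds 86400

! 5. IPsec (phase 2) proposal: AES-GCM is authenticated encryption, so
!    ESP integrity is set to null rather than to a separate hash
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

! 6. Crypto map: a single strong proposal, PFS on, shorter phase 2 lifetime
crypto map WAN_map 3 match address WAN_cryptomap_3
crypto map WAN_map 3 set peer 1.1.1.1
crypto map WAN_map 3 set ikev2 ipsec-proposal AES256-GCM
crypto map WAN_map 3 set pfs group19
crypto map WAN_map 3 set security-association lifetime seconds 3600

! 7. Bind the map to the outside interface and enable IKEv2 there
!    (the walkthrough omits both; without them nothing negotiates)
crypto map WAN_map interface WAN
crypto ikev2 enable WAN

! 8. Group policy and tunnel group: IKEv2 only, long random PSK
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-LONG-RANDOM-PSK>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-LONG-RANDOM-PSK>

! 9. Checks once the config is in (exec mode, not config mode):
!    show crypto ikev2 sa                 -> phase 1 SA with the peer in READY
!    show crypto ipsec sa peer 1.1.1.1    -> encaps/decaps counters climbing
!    packet-tracer input inside tcp 192.168.1.10 12345 192.168.17.10 443
!      -> shows the NAT exemption and the VPN encrypt phase being hit
```

If the peer cannot do GCM, swap the proposal for "protocol esp encryption aes-256" with "protocol esp integrity sha-256"; the rest of the configuration is unchanged. Keep the IKEv1 transform sets and policies off the box entirely unless a specific peer still needs them, since every extra proposal offered is one the peer may choose.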
