COMPUTER TIPS
How to configure site-to-site VPN tunnel using ASA?
A site-to-site VPN tunnel between two ASAs (Adaptive Security Appliances) carries traffic between private networks over a public network such as the Internet inside an IPsec tunnel: IKE (ISAKMP) authenticates the two peers and negotiates the keys, and ESP then encrypts and integrity-protects the packets between the sites.
Basic steps for VPN configuration:
1- First define the ISAKMP policy (IKE phase 1). It fixes how the peers authenticate and protect the negotiation itself, and must match on both sides:
Authentication (pre-shared key or certificates)
Hash
Encryption
Group (Diffie-Hellman group)
2- Establish the IPsec transform set (IKE phase 2): the ESP cipher and ESP integrity algorithm used for the data traffic, again identical on both peers.
For example:
- esp-des
- esp-md5-hmac
- esp-aes
- esp-sha-hmac
3- Configure the crypto access list.
It defines the interesting traffic: only packets matching this list are sent through the tunnel; everything else leaves the outside interface in clear text.
4- Configure the crypto map.
It ties the previously defined pieces together for one peer: the crypto access list, the peer address and the transform set.
5- Apply the crypto map to the outside interface.
Until the map is bound to the interface it is never evaluated and no tunnel is built.
Configuration of ASA on side A
First define the IKE policy on ASA-A:
ASA-A(config)#crypto isakmp policy 10
(10 is the ISAKMP policy number; lower numbers are tried first)
ASA-A(config-isakmp)#encryption des
(enable DES encryption. DES is a 56-bit cipher and is brute-forceable; it is shown here only because it works on every ASA release. Outside a lab use aes-256.)
ASA-A(config-isakmp)#hash md5
(enable MD5 for hashing; prefer sha)
ASA-A(config-isakmp)#authentication pre-share
(enable pre-shared-key authentication)
ASA-A(config-isakmp)#group 2
(enable Diffie-Hellman group 2, 1024-bit; prefer group 14 on releases that support it)
ASA-A(config-isakmp)#exit
(exit from crypto isakmp mode)
- The next step is to configure the pre-shared key (password) on ASA-A for peer ASA-B. On the ASA the key belongs to a tunnel-group named after the peer address; the IOS-style command "crypto isakmp key office address 20.1.1.20" is not accepted by the ASA:
ASA-A(config)#tunnel-group 20.1.1.20 type ipsec-l2l
ASA-A(config)#tunnel-group 20.1.1.20 ipsec-attributes
ASA-A(config-tunnel-ipsec)#pre-shared-key office
(Here the key is "office" and 20.1.1.20 is the ASA-B address. The key must be identical on both peers and is the only thing that authenticates them, so use a long random string rather than a dictionary word.)
- Now create an access list that defines only the interesting traffic.
ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
(100 is the access-list name, 20.1.1.10 is the source address and 20.1.1.20 is the destination address. Note that these are the two ASAs' own outside addresses, so in this lab only traffic between the appliances themselves is encrypted. In a real deployment the list names the inside networks behind each ASA, the lists on the two sides are exact mirror images of each other, and that traffic is exempted from NAT so it reaches the crypto map with its real addresses.)
- Now create the transform set for encryption and hashing.
ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(Here the ESP cipher is DES and the integrity algorithm is HMAC-MD5, matching the weak phase 1 settings above; esp-aes-256 esp-sha-hmac is the combination to use in practice. Both peers must offer the same transform.)
ASA-A(config)#crypto map imap 10 ipsec-isakmp
(create sequence 10 of the crypto map named imap, with keys negotiated by IKE)
ASA-A(config)# crypto map imap 10 match address 100
(bind the crypto access list; only packets matching it are encrypted)
ASA-A(config)# crypto map imap 10 set transform-set ts2
(apply the transform set)
ASA-A(config)# crypto map imap 10 set peer 20.1.1.20
(set the remote peer address)
- Now apply the crypto map to the ASA-A outside interface.
ASA-A(config)# crypto map imap interface outside
(apply the crypto map to the outside interface; an interface can carry only one crypto map)
ASA-A(config)# crypto isakmp enable outside
(enable ISAKMP on the outside interface so the IKE negotiation with the peer can take place there)
Configuration of ASA on side B
First define the IKE policy on ASA-B; it must match the ASA-A policy exactly:
ASA-B(config)#crypto isakmp policy 10
(10 is the ISAKMP policy number)
ASA-B(config-isakmp)#encryption des
(enable DES encryption, as on ASA-A; aes-256 in practice)
ASA-B(config-isakmp)#hash md5
(enable MD5 for hashing; sha in practice)
ASA-B(config-isakmp)#authentication pre-share
(enable pre-shared-key authentication)
ASA-B(config-isakmp)#group 2
(enable Diffie-Hellman group 2)
ASA-B(config-isakmp)#exit
(exit from crypto isakmp mode)
- The next step is to configure the same pre-shared key on ASA-B for peer ASA-A, again in a tunnel-group named after the peer address:
ASA-B(config)#tunnel-group 20.1.1.10 type ipsec-l2l
ASA-B(config)#tunnel-group 20.1.1.10 ipsec-attributes
ASA-B(config-tunnel-ipsec)#pre-shared-key office
(Here the key is "office" and 20.1.1.10 is the ASA-A address.)
- Now create the access list that defines the interesting traffic; it is the mirror image of the ASA-A list.
ASA-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10
(100 is the access-list name, 20.1.1.20 is the source address and 20.1.1.10 is the destination address.)
- Now create the transform set for encryption and hashing, identical to the one on ASA-A.
ASA-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac
(Here the ESP cipher is DES and the integrity algorithm is HMAC-MD5)
ASA-B(config)#crypto map imap 10 ipsec-isakmp
(create sequence 10 of the crypto map named imap, with keys negotiated by IKE)
ASA-B(config)# crypto map imap 10 match address 100
(bind the crypto access list)
ASA-B(config)# crypto map imap 10 set transform-set ts2
(apply the transform set)
ASA-B(config)# crypto map imap 10 set peer 20.1.1.10
(set the remote peer address)
- Now apply the crypto map to the ASA-B outside interface.
ASA-B(config)# crypto map imap interface outside
(apply the crypto map to the outside interface)
ASA-B(config)# crypto isakmp enable outside
(enable ISAKMP on the outside interface)
Now verify the tunnel by sending traffic that matches the crypto access list: from ASA-B ping the ASA-A address. The first packet triggers the IKE negotiation, so the first reply or two may be lost while the security associations are built; later replies should succeed.
ASA-B(config)# ping 20.1.1.10
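The commands above use the "crypto isakmp" form of ASA 8.2 and earlier, and the weak DES/MD5/group 2 parameters. As an added example, not taken from the original page, here is the same site-to-site tunnel written for ASA 8.4 and later (where the same objects are called "crypto ikev1 ..." and NAT uses the 8.3+ object model), with the parameters a practitioner would deploy today: AES-256, SHA, Diffie-Hellman group 14, PFS, NAT exemption for the protected networks, and the show commands that confirm the tunnel is up. The addressing is assumed: ASA-A outside 20.1.1.10 with LAN 192.168.1.0/24, ASA-B outside 20.1.1.20 with LAN 192.168.2.0/24; the interface, object, access-list and map names are likewise chosen for the example.

```cisco
! ASA-A (ASA 8.4/9.x syntax). Assumed addressing, not from the original page:
!   ASA-A outside 20.1.1.10, inside LAN 192.168.1.0/24
!   ASA-B outside 20.1.1.20, inside LAN 192.168.2.0/24
! Phase 1 (IKEv1): AES-256, SHA, DH group 14, pre-shared-key authentication.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
!
! The pre-shared key lives in a tunnel-group named after the peer address.
! Replace the placeholder with a long random string; it must match on ASA-B.
tunnel-group 20.1.1.20 type ipsec-l2l
tunnel-group 20.1.1.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
! Protected networks and NAT exemption (identity NAT), so LAN-to-LAN traffic
! keeps its real addresses and matches the crypto ACL.
object network LAN-A
 subnet 192.168.1.0 255.255.255.0
object network LAN-B
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup
!
! Crypto ACL: interesting traffic is LAN-A -> LAN-B; ASA-B carries the mirror image.
access-list VPN-TO-B extended permit ip object LAN-A object LAN-B
!
! Phase 2 (IPsec): ESP with AES-256 and HMAC-SHA-1, PFS with group 14, 1 h SA lifetime.
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map IMAP 10 match address VPN-TO-B
crypto map IMAP 10 set peer 20.1.1.20
crypto map IMAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map IMAP 10 set pfs group14
crypto map IMAP 10 set security-association lifetime seconds 3600
crypto map IMAP interface outside
!
! ---------------- ASA-B: mirror image of the above ----------------
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
tunnel-group 20.1.1.10 type ipsec-l2l
tunnel-group 20.1.1.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
object network LAN-A
 subnet 192.168.1.0 255.255.255.0
object network LAN-B
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN-B LAN-B destination static LAN-A LAN-A no-proxy-arp route-lookup
access-list VPN-TO-A extended permit ip object LAN-B object LAN-A
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map IMAP 10 match address VPN-TO-A
crypto map IMAP 10 set peer 20.1.1.10
crypto map IMAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map IMAP 10 set pfs group14
crypto map IMAP 10 set security-association lifetime seconds 3600
crypto map IMAP interface outside
!
! Verification, on either ASA, after sending traffic that matches the crypto ACL
! (for example a ping from a host in LAN-A to a host in LAN-B):
!   show crypto ikev1 sa      -> the peer is listed with State : MM_ACTIVE
!   show crypto ipsec sa      -> #pkts encaps and #pkts decaps both increase
!   show vpn-sessiondb l2l    -> one session for the peer address
```

Every phase 1 and phase 2 parameter, the pre-shared key and the crypto ACL must agree on both sides, with the ACL reversed; a mismatch shows up as the IKE SA never reaching MM_ACTIVE (phase 1 problem) or as the IKE SA up but the ESP counters not moving (phase 2 or NAT problem).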