COMPUTER TIPS


March 18, 08 - Today's Tip

                                                                              

   


How to configure site-to-site VPN tunnel using ASA?

 

 

 

A site-to-site VPN tunnel between ASAs (Adaptive Security Appliances) provides an encrypted connection between private networks over a public network such as the Internet.

Basic steps for VPN configuration:

1- First define the ISAKMP policy.

For example:

  • Authentication
  • Hash
  • Encryption
  • Group

2- Establish the IPsec transform set.

For example:

  • esp-des
  • esp-md5-hmac
  • esp-aes
  • esp-sha-hmac

3- Configure the crypto access list.

For example: define the interesting traffic.

4- Configure the crypto map.

     Brings together the previously defined parameters (access list, transform set and peer) so that traffic can be checked against them.

5- Now apply the crypto map on the outside interface.

     Traffic leaving through this interface is checked against the crypto map.

 

Configuration of ASA on side A 

First define the IKE policies on ASA-A.

ASA-A(config)#crypto isakmp policy 10

(10 is the ISAKMP policy number)

ASA-A(config-isakmp)#encryption des

(use DES for encryption)

ASA-A(config-isakmp)#hash md5

(use MD5 for hashing)

ASA-A(config-isakmp)#authentication pre-share

(use the pre-shared key method)

ASA-A(config-isakmp)#group 2

(use Diffie-Hellman group 2)

ASA-A(config-isakmp)#exit

(exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-A.

ASA-A(config)#crypto isakmp key office address 20.1.1.20

(Here the key is "office" and 20.1.1.20 is the ASA-B address)

  • Now create an access list to define only the interesting traffic.

ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20

(100 is the access list number, 20.1.1.10 is the source address and 20.1.1.20 is the destination address)

  • Now create the transform set for encryption and hashing.

ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here the encryption type is DES and the hashing technique is MD5-HMAC)

ASA-A(config)#crypto map imap 10 ipsec-isakmp

(the crypto map name is imap)

ASA-A(config)# crypto map imap 10 match address 100

(apply the access list)

ASA-A(config)# crypto map imap 10 set transform-set ts2

(apply the transform set)

ASA-A(config)# crypto map imap 10 set peer 20.1.1.20

(set the remote peer address)

  • Now apply the crypto map to the ASA-A outside interface.

ASA-A(config)# crypto map imap interface outside

(apply the crypto map on the outside interface)

ASA-A(config)# crypto isakmp enable outside

(enable ISAKMP on the outside interface of the ASA)

 

Configuration of ASA on side B 

First define the IKE policies on ASA-B.

ASA-B(config)#crypto isakmp policy 10

(10 is the ISAKMP policy number)

ASA-B(config-isakmp)#encryption des

(use DES for encryption)

ASA-B(config-isakmp)#hash md5

(use MD5 for hashing)

ASA-B(config-isakmp)#authentication pre-share

(use the pre-shared key method)

ASA-B(config-isakmp)#group 2

(use Diffie-Hellman group 2)

ASA-B(config-isakmp)#exit

(exit from crypto isakmp mode)

  • The next step is to create a pre-shared key (password) on ASA-B.

ASA-B(config)#crypto isakmp key office address 20.1.1.10

(Here the key is "office" and 20.1.1.10 is the ASA-A address)

  • Now create an access list to define only the interesting traffic.

ASA-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10

(100 is the access list number, 20.1.1.20 is the source address and 20.1.1.10 is the destination address)

  • Now create the transform set for encryption and hashing.

ASA-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac

(Here the encryption type is DES and the hashing technique is MD5-HMAC)

ASA-B(config)#crypto map imap 10 ipsec-isakmp

(the crypto map name is imap)

ASA-B(config)# crypto map imap 10 match address 100

(apply the access list)

ASA-B(config)# crypto map imap 10 set transform-set ts2

(apply the transform set)

ASA-B(config)# crypto map imap 10 set peer 20.1.1.10

(set the remote peer address)

  • Now apply the crypto map to the ASA-B outside interface.

ASA-B(config)# crypto map imap interface outside

(apply the crypto map on the outside interface)

ASA-B(config)# crypto isakmp enable outside

(enable ISAKMP on the outside interface of the ASA)

Now, to verify the secure tunnel, ping the other (remote) location.

ASA-B(config)# ping 20.1.1.10
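
An added example, not part of the original tip: a Python check that the two configurations above mirror each other (same ISAKMP policy, transform set and key; swapped access-list and peer addresses) and that flags the DES, MD5 and Diffie-Hellman group 2 settings, which are weak choices next to the esp-aes and esp-sha-hmac transforms listed in step 2. The input is the page's side A commands with prompts removed; the function names, field names and finding texts are this example's own.

```python
import re
# Constructed input: side A's commands from the page that the checks read
# (prompts removed). Side B on the page is the same with the addresses swapped.
SIDE_A = """\
encryption des
hash md5
group 2
crypto isakmp key office address 20.1.1.20
access-list 100 permit ip host 20.1.1.10 host 20.1.1.20
crypto ipsec transform-set ts2 esp-des esp-md5-hmac
crypto map imap 10 set peer 20.1.1.20
"""
SIDE_B = (SIDE_A.replace("20.1.1.10", "PEER")
          .replace("20.1.1.20", "20.1.1.10").replace("PEER", "20.1.1.20"))

FIELDS = {  # what the two peers must agree on, or mirror (names are this example's)
    "enc": r"^encryption (\S+)", "hash": r"^hash (\S+)", "group": r"^group (\S+)",
    "ts": r"^crypto ipsec transform-set \S+ (.+)$",
    "psk": r"^crypto isakmp key (\S+) address (\S+)",
    "acl": r"^access-list \S+ permit ip host (\S+) host (\S+)",
    "peer": r"^crypto map \S+ \d+ set peer (\S+)",
}
WEAK = {r"^encryption des$": "DES for IKE", r"^hash md5$": "MD5 for IKE",
        r"^group [12]$": "DH group 1 or 2", r"\besp-des\b": "DES for ESP",
        r"\besp-md5-hmac\b": "MD5 HMAC for ESP"}

def parse(cfg):
    found = {k: re.search(p, cfg, re.M) for k, p in FIELDS.items()}
    if None in found.values():
        raise ValueError("missing: " + ", ".join(k for k, m in found.items() if not m))
    return {k: m.groups() for k, m in found.items()}

def check_pair(a, b):
    """Findings for two peer configs: mismatches first, then weak crypto."""
    pa, pb = parse(a), parse(b)
    out = [f"{k} differs between peers" for k in ("enc", "hash", "group", "ts")
           if pa[k] != pb[k]]
    if pa["psk"][0] != pb["psk"][0]:
        out.append("pre-shared keys differ")
    if pa["acl"] != pb["acl"][::-1]:  # B's source/destination must be A's reversed
        out.append("crypto ACLs are not mirror images")
    out += [f"{s}: key address is not the crypto map peer"
            for s, p in (("A", pa), ("B", pb)) if p["peer"][0] != p["psk"][1]]
    out += [f"weak: {label}" for pat, label in WEAK.items()
            if re.search(pat, a + "\n" + b, re.M)]
    return out

if __name__ == "__main__":
    print(*check_pair(SIDE_A, SIDE_B), sep="\n")
```

Run against the page's two sides, it reports no mismatches and five weak-algorithm findings; a configuration with a missing line raises `ValueError` naming the field.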

                          
