Cisco ASA site-to-site VPN breakdown: PART 1
Let's create a site-to-site VPN between two locations as shown below:
The configuration is given below, with a breakdown of each component:
1. Enable ISAKMP on the outside interface
crypto isakmp enable outside
This part relates to phase 1 of the VPN. IKE is the protocol used to establish a shared security policy and to exchange keys for services such as IPsec. ISAKMP is the part of IKE that defines the rules for this negotiation. Note that other components also make up IKE; in the Cisco world, ISAKMP and IKE are often used synonymously.
This command enables ISAKMP on the outside interface of the ASA.
2. Create the interesting traffic ACL (crypto ACL)
access-list vpn_access extended permit ip object net-local object net-remote
The interesting traffic ACL defines which traffic should be sent through the VPN. As you can see, I have used objects as the source and destination. It is always more convenient to use an object-group in the interesting traffic ACL: you can add further objects/subnets to the object-group later, with no changes required to the original ACL.
3. Create a tunnel group and define its attributes
tunnel-group 110.110.10.2 type ipsec-l2l
tunnel-group 110.110.10.2 ipsec-attributes
ikev1 pre-shared-key 123456
isakmp keepalive threshold 10 retry 2
The tunnel group defines the details of the VPN, such as its type and its attributes. There are two sets of attributes for a tunnel group:
- General attributes
- VPN-specific (ipsec-attributes)
In this example, since it is a site-to-site VPN, the remote peer IP must be used as the tunnel group name. We have also specified its type as ipsec-l2l, which means a site-to-site IPsec VPN. In the second block we provide the ipsec-attributes (VPN-specific attributes), such as the pre-shared key and the keepalive threshold and retry timers.
4. Create an IKEv1 policy
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
exit
The ikev1 policy is used for the phase 1 negotiation. Parameters such as the authentication type, encryption algorithm, hash algorithm, DH group and SA lifetime are specified here.
5. Create a transform set
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
A transform set contains the phase 2 parameters used to set up the tunnel. Here we define a transform set named set1 with its parameters (esp-3des for encryption and esp-sha-hmac for integrity).
6. Create a crypto map
crypto map map1 10 match address vpn_access
crypto map map1 10 set pfs group1
crypto map map1 10 set peer 110.110.10.2
crypto map map1 10 set ikev1 transform-set set1
crypto map map1 interface outside
In the crypto map we combine the interesting traffic ACL, the transform set, the PFS group and the peer IP address, and then apply the map to the outside interface.
7. Exempt the interesting traffic from NAT
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
This NAT statement makes sure that traffic going through the VPN is exempted from NAT (each network is translated to itself, so the real addresses reach the crypto ACL). However, there are situations in which we need to NAT the VPN traffic; that will be explained later.
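As an added example (not part of the original post), here is a small Python audit that parses the configuration fragments from the seven steps above and reports what a reviewer would want to revisit: crypto map references that do not resolve to a defined ACL, transform set or ipsec-l2l tunnel group, plus DH groups, ESP algorithms and a pre-shared-key length that fall below an assumed site policy. The thresholds, the regex matching and the embedded sample config are assumptions of this example, not ASA behaviour.

```python
import re

# Constructed sample: the configuration lines from the steps above, embedded
# inline so the audit runs offline (lines the audit ignores are omitted).
SAMPLE_CONFIG = """\
access-list vpn_access extended permit ip object net-local object net-remote
tunnel-group 110.110.10.2 type ipsec-l2l
tunnel-group 110.110.10.2 ipsec-attributes
 ikev1 pre-shared-key 123456
crypto ikev1 policy 10
 group 2
crypto ipsec ikev1 transform-set set1 esp-3des esp-sha-hmac
crypto map map1 10 match address vpn_access
crypto map map1 10 set pfs group1
crypto map map1 10 set peer 110.110.10.2
crypto map map1 10 set ikev1 transform-set set1
"""
# Thresholds are an assumption standing in for a site's own crypto policy.
WEAK_DH = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MIN_PSK_LEN = 16

def audit_asa_vpn(config: str) -> list:
    """Return findings for an ASA IKEv1 site-to-site VPN configuration."""
    findings, refs = [], []
    defined = {"match address": set(), "set peer": set(), "set ikev1 transform-set": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) ", line):
            defined["match address"].add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            defined["set peer"].add(m.group(1))  # peer IP must equal tunnel-group name
        elif m := re.match(r"ikev1 pre-shared-key (\S+)$", line):
            if len(m.group(1)) < MIN_PSK_LEN:
                findings.append(f"pre-shared key shorter than {MIN_PSK_LEN} chars")
        elif m := re.search(r"(?:^group |set pfs group)(\d+)$", line):  # phase 1 DH / PFS
            if m.group(1) in WEAK_DH:
                findings.append(f"DH group {m.group(1)} in '{line}' is weak")
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            defined["set ikev1 transform-set"].add(m.group(1))
            findings += [f"transform-set {m.group(1)} uses {a}"
                         for a in m.group(2).split() if a in WEAK_ESP]
        elif m := re.match(r"crypto map \S+ \d+ (match address|set peer|set ikev1 transform-set) (\S+)", line):
            refs.append(m.groups())  # resolved once the whole config is read
    # Every crypto map reference must resolve to something the config defines.
    for kind, name in refs:
        if name not in defined[kind]:
            findings.append(f"crypto map references undefined {kind} {name}")
    return findings
```

Run against the sample above, the audit flags the short pre-shared key, DH group 2, PFS group1 and esp-3des; removing the tunnel-group line additionally reports the unresolved peer.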