Thinktank Blog
Cisco· 11.08.15
Cisco ASA 5506-X Site to Site IPSec VPN Tunnel Config
  • Jonathan Granados

Hello all,
In this post we will walk through configuring an IPsec VPN tunnel between two Cisco devices. Below we provide the Cisco ASA 5506-X 9.4 Site to Site IPsec VPN tunnel configuration. For this demonstration we will be using two Cisco ASA 5506-X firewalls running the latest Cisco OS:
Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(1)

Before you start, ask yourself: "Do I already have any IPsec VPNs configured on this firewall?" If any crypto maps are already configured, you will need to keep the same crypto map name. Below we use the map name SRG_VPN; if you already have other VPN configs, keep their existing map name and use a different sequence number for the new entry.

We are using SRG_VPN as the crypto map name, and this entry is sequence 1. If you already have a sequence 1, create the new entry as sequence 2 under the same crypto map name. If you create a new map and attach it to the interface, your previous VPN connections will be disconnected, because an interface can only have one crypto map bound to it and the new binding replaces the old one. You attach the crypto map to the interface by running the last command below.

crypto map SRG_VPN 1 match address site-b-acl
crypto map SRG_VPN 1 set pfs
crypto map SRG_VPN 1 set peer SRG-Site-B
crypto map SRG_VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map SRG_VPN interface outside    (applies the map to the outside interface)
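The sequencing rule above is easy to get wrong on a firewall that already carries tunnels, so here is a small pre-flight check you can run against a saved "show run" before pasting. It is an added example, not part of the original post and not Cisco tooling: it finds the crypto map bound to the outside interface, picks the lowest unused sequence number on that map, and refuses to generate lines that would bind a differently named map (which is what would drop the existing tunnels). The EXISTING_RUN text is a constructed sample shaped like the Site A entry on this page; site-c-acl and SRG-Site-C are made-up names for a hypothetical third site.

```python
import re

# Constructed sample of an existing running config that already carries one
# site-to-site entry at sequence 1 on the SRG_VPN map.
EXISTING_RUN = """
crypto map SRG_VPN 1 match address site-b-acl
crypto map SRG_VPN 1 set pfs
crypto map SRG_VPN 1 set peer SRG-Site-B
crypto map SRG_VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map SRG_VPN interface outside
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")        # crypto map NAME SEQ ...
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")    # crypto map NAME interface IF


def crypto_maps(config):
    """Return ({map_name: {seq: [entry args...]}}, {interface: map_name})."""
    entries, bindings = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = MAP_BIND.match(line)
        if m:
            bindings[m.group(2)] = m.group(1)
            continue
        m = MAP_ENTRY.match(line)
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            entries.setdefault(name, {}).setdefault(seq, []).append(rest)
    return entries, bindings


def next_sequence(config, interface="outside"):
    """Name of the map bound to `interface` and the lowest unused sequence on it."""
    entries, bindings = crypto_maps(config)
    name = bindings.get(interface)
    if name is None:
        return None, 1          # nothing bound yet: a fresh map at sequence 1 is safe
    used = entries.get(name, {})
    seq = 1
    while seq in used:
        seq += 1
    return name, seq


def plan_new_peer(config, proposed_map, acl, peer, transform_set, interface="outside"):
    """Lines to paste for a new peer; refuses a map name that would replace the bound map."""
    bound, seq = next_sequence(config, interface)
    if bound is not None and proposed_map != bound:
        raise ValueError(f"{interface} already has crypto map {bound} bound; "
                         f"binding {proposed_map} would tear down its existing tunnels")
    name = bound or proposed_map
    lines = [
        f"crypto map {name} {seq} match address {acl}",
        f"crypto map {name} {seq} set pfs",
        f"crypto map {name} {seq} set peer {peer}",
        f"crypto map {name} {seq} set ikev1 transform-set {transform_set}",
    ]
    if bound is None:           # only bind when nothing is bound yet
        lines.append(f"crypto map {name} interface {interface}")
    return lines


if __name__ == "__main__":
    for l in plan_new_peer(EXISTING_RUN, "SRG_VPN", "site-c-acl", "SRG-Site-C", "ESP-AES-256-SHA"):
        print(l)
```

Against the sample the planner emits a sequence 2 entry on SRG_VPN and no interface binding, since the map is already bound; asking it for a map called anything else raises instead of producing commands.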

This diagram illustrates what the network will look like once the VPN tunnel is configured.

[Diagram: Cisco ASA 5506-X Site to Site IPSec VPN Tunnel Config]

For this demonstration we will be using the following subnet scheme.

Site A:
Internal: 192.168.0.1/24
External: 20.20.20.20/32

Site B:
Internal: 192.168.1.0/24
External: 30.30.30.30/32

Below is the basic config that will get you up and running. This configuration also includes DHCP for the internal network.

Before you copy and paste the config:
1. Don't forget to change the outside/inside interface addresses to match your own IP addresses.
2. We created "names" entries that map the peer device's public IP address to a name. Don't forget to change your "names" entries to match your peer's address and name.

Site A Config:
SRG-ASA-Site-A# show run
:
ASA Version 9.4(1)
!
hostname SRG-ASA-Site-A
names
name 30.30.30.30 SRG-Site-B
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 20.20.20.20 255.255.255.255
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
object network NETWORK_0.0.0.0_0
subnet 0.0.0.0 0.0.0.0
object network NETWORK_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
!
access-list outside_access_in extended permit ip host 30.30.30.30 any
access-list site-b-acl extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
!
nat (inside,outside) 1 source static NETWORK_192.168.0.0_24 NETWORK_192.168.0.0_24 destination static NETWORK_192.168.1.0_24 NETWORK_192.168.1.0_24
!
object network NETWORK_0.0.0.0_0
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
!
sla monitor 1
type echo protocol ipIcmpEcho 192.168.1.1 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
!
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set L2TP-tunnel esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-tunnel mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65533 set ikev1 transform-set L2TP-tunnel ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65534 set ikev1 transform-set myset ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map SRG_VPN 1 match address site-b-acl
crypto map SRG_VPN 1 set pfs
crypto map SRG_VPN 1 set peer SRG-Site-B
crypto map SRG_VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map SRG_VPN interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha256
lifetime seconds 28800
crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 28800
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 5
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 200
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
dhcpd address 192.168.0.100-192.168.0.200 inside
dhcpd domain surge.local interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group 30.30.30.30 type ipsec-l2l
tunnel-group 30.30.30.30 ipsec-attributes
ikev1 pre-shared-key SECRETKEY
isakmp keepalive threshold 10 retry 3
!

Site B Config:
SRG-ASA-Site-B# show run
:
ASA Version 9.4(1)
!
hostname SRG-ASA-Site-B
names
name 20.20.20.20 SRG-Site-A
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 30.30.30.30 255.255.255.255
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
object network NETWORK_0.0.0.0_0
subnet 0.0.0.0 0.0.0.0
object network NETWORK_192.168.0.0_24
subnet 192.168.0.0 255.255.255.0
object network NETWORK_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
!
access-list outside_access_in extended permit ip host 20.20.20.20 any
access-list site-a-acl extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
!
nat (inside,outside) 1 source static NETWORK_192.168.1.0_24 NETWORK_192.168.1.0_24 destination static NETWORK_192.168.0.0_24 NETWORK_192.168.0.0_24
!
object network NETWORK_0.0.0.0_0
nat (any,outside) dynamic interface
access-group outside_access_in in interface outside
!
sla monitor 1
type echo protocol ipIcmpEcho 192.168.0.1 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
!
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set L2TP-tunnel esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-tunnel mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65533 set ikev1 transform-set L2TP-tunnel ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65534 set ikev1 transform-set myset ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map SRG_VPN 1 match address site-a-acl
crypto map SRG_VPN 1 set pfs
crypto map SRG_VPN 1 set peer SRG-Site-A
crypto map SRG_VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map SRG_VPN interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha256
lifetime seconds 28800
crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 28800
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 5
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 200
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
!
dhcpd address 192.168.1.100-192.168.1.200 inside
dhcpd domain surge.local interface inside
dhcpd update dns interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
ikev1 pre-shared-key SECRETKEY
isakmp keepalive threshold 10 retry 3
!
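The two configs above have to mirror each other exactly: the peer name on each side must resolve to the other side's outside address, the tunnel-group must exist for that address with the same pre-shared key, and every line in the crypto ACL must have its source and destination swapped on the far side. The following checker is an added example (not part of the original post, and not a Cisco tool) that parses both running configs and reports anything that does not line up. It also flags a point worth knowing about these configs: crypto ikev1 policy 1 on both firewalls is 3DES/MD5, and the ASA tries policies in priority order starting from the lowest number, so Phase 1 can land on that policy even though the crypto map pins Phase 2 to ESP-AES-256-SHA. The sample_config helper builds trimmed, constructed configs in the shape of the two shown above; it is only there to keep the example short.

```python
def sample_config(host, my_ip, peer_name, peer_ip, acl, local_net, remote_net):
    """Constructed trimmed config in the shape of the two shown above."""
    return f"""
hostname {host}
name {peer_ip} {peer_name}
interface GigabitEthernet1/1
 nameif outside
 ip address {my_ip} 255.255.255.255
access-list {acl} extended permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
crypto map SRG_VPN 1 match address {acl}
crypto map SRG_VPN 1 set peer {peer_name}
crypto map SRG_VPN 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map SRG_VPN interface outside
crypto ikev1 policy 1
 encryption 3des
 hash md5
crypto ikev1 policy 2
 encryption aes-256
 hash sha
tunnel-group {peer_ip} type ipsec-l2l
tunnel-group {peer_ip} ipsec-attributes
 ikev1 pre-shared-key SECRETKEY
"""

SITE_A = sample_config("SRG-ASA-Site-A", "20.20.20.20", "SRG-Site-B", "30.30.30.30",
                       "site-b-acl", "192.168.0.0", "192.168.1.0")
SITE_B = sample_config("SRG-ASA-Site-B", "30.30.30.30", "SRG-Site-A", "20.20.20.20",
                       "site-a-acl", "192.168.1.0", "192.168.0.0")


def parse(config):
    """Pull the fields the tunnel checks need out of a running config."""
    d = {"names": {}, "acl": {}, "map": {}, "tg": {}, "psk": {}, "pol": {}}
    cur_if = cur_tg = cur_pol = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "crypto" and tok[:3] != ["crypto", "ikev1", "policy"]:
            cur_pol = None                                   # left an ikev1 policy block
        if tok[0] == "hostname":
            d["host"] = tok[1]
        elif tok[0] == "name":                               # name <ip> <alias>
            d["names"][tok[2]] = tok[1]
        elif tok[0] in ("interface", "nameif"):
            cur_if = tok[1] if tok[0] == "nameif" else None
        elif tok[:2] == ["ip", "address"] and cur_if == "outside":
            d["outside_ip"] = tok[2]
        elif tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"] and len(tok) == 9:
            d["acl"].setdefault(tok[1], []).append(tuple(tok[5:9]))   # (src, mask, dst, mask)
        elif tok[:2] == ["crypto", "map"] and tok[3] == "interface":
            d["bound"] = (tok[2], tok[4])
        elif tok[:2] == ["crypto", "map"]:
            ent = d["map"].setdefault((tok[2], int(tok[3])), {})
            if tok[4] == "match":
                ent["acl"] = tok[6]
            elif tok[5] in ("peer", "ikev1"):
                ent[tok[5]] = tok[-1]                        # single peer / transform-set assumed
        elif tok[:3] == ["crypto", "ikev1", "policy"]:
            cur_pol = int(tok[3])
            d["pol"][cur_pol] = {}
        elif cur_pol is not None and tok[0] in ("encryption", "hash"):
            d["pol"][cur_pol][tok[0]] = tok[1]
        elif tok[0] == "tunnel-group":
            if tok[2] == "type":
                d["tg"][tok[1]] = tok[3]
            cur_tg = tok[1]
        elif tok[:2] == ["ikev1", "pre-shared-key"]:
            d["psk"][cur_tg] = tok[2]
    return d


def check_direction(local, remote):
    """Findings for one firewall, using its peer's config to verify the mirror."""
    me, f = local.get("host", "?"), []
    bound = local.get("bound")
    if not bound:
        return [f"{me}: no crypto map bound to an interface, nothing will be encrypted"]
    remote_rules = {r for rules in remote["acl"].values() for r in rules}
    for (name, seq), ent in local["map"].items():
        peer_ip = local["names"].get(ent.get("peer"), ent.get("peer"))
        if peer_ip != remote.get("outside_ip"):
            f.append(f"{me}: seq {seq} peer {peer_ip} is not the outside address of {remote.get('host')}")
        if local["tg"].get(peer_ip) != "ipsec-l2l":
            f.append(f"{me}: no ipsec-l2l tunnel-group for {peer_ip}")
        if local["psk"].get(peer_ip) != remote["psk"].get(local.get("outside_ip")):
            f.append(f"{me}: pre-shared key for {peer_ip} does not match the one on {remote.get('host')}")
        rules = local["acl"].get(ent.get("acl")) or []
        if not rules:
            f.append(f"{me}: crypto ACL {ent.get('acl')} is missing or empty")
        for src, sm, dst, dm in rules:                       # far side must permit the reverse flow
            if (dst, dm, src, sm) not in remote_rules:
                f.append(f"{me}: {ent['acl']} {src}/{sm} -> {dst}/{dm} has no mirror rule on {remote.get('host')}")
    first = min(local["pol"], default=None)                  # lowest number = highest priority
    if first is not None:
        p = local["pol"][first]
        if p.get("encryption") in ("des", "3des") or p.get("hash") == "md5":
            f.append(f"{me}: ikev1 policy {first} ({p.get('encryption')}/{p.get('hash')}) ranks first, so Phase 1 can settle on it")
    return f


def check_pair(cfg_a, cfg_b):
    """Run both directions; an empty list means the two sides agree."""
    a, b = parse(cfg_a), parse(cfg_b)
    return check_direction(a, b) + check_direction(b, a)


if __name__ == "__main__":
    for finding in check_pair(SITE_A, SITE_B) or ["no findings"]:
        print(finding)
```

Run as-is on the two samples it reports only the policy 1 ranking on each side; editing one side's pre-shared key or one ACL subnet produces a finding from both directions, which is the symptom you would otherwise chase through debug logs.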

Now we can check the Site to Site IPsec VPN tunnel from Site-A to Site-B.

SRG-ASA-Site-A# show crypto ikev1 sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: SRG-Site-B
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
SRG-ASA-Site-A#
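If you poll this output from a monitoring job rather than reading it by hand, the thing to key on is the State column: MM_ACTIVE means Phase 1 is up, while any MM_WAIT_* state means the exchange stalled. The parser below is an added example, not part of the original post and not Cisco code; SA_OUTPUT is a constructed copy of the "show crypto ikev1 sa" output shown above, and the rekey note from that output is folded into the verdict so a 1 Active / 1 Rekey reading during rekey is not mistaken for a problem. Because an IKEv1 L2L tunnel is only brought up by interesting traffic, a missing peer entry is reported as "down" rather than as an error in its own right; the sla monitor entries in both configs exist to keep that traffic flowing.

```python
import re

# Constructed copy of the "show crypto ikev1 sa" output shown above.
SA_OUTPUT = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: SRG-Site-B
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

COUNT = re.compile(r"^\s*(Active SA|Rekey SA|Total IKE SA):\s*(\d+)")
PEER = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_ikev1_sa(text):
    """Return (SA counts, list of per-peer dicts) from show crypto ikev1 sa output."""
    counts, peers, cur = {}, [], None
    for line in text.splitlines():
        m = COUNT.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = PEER.match(line)
        if m:
            cur = {"peer": m.group(1)}      # start a new peer block
            peers.append(cur)
            continue
        if cur is not None:                 # Type/Role/Rekey/State live on the next lines
            for key, value in FIELD.findall(line):
                cur[key.lower()] = value
    return counts, peers


def tunnel_status(text, expected_peer):
    """Classify the IKEv1 SA for one peer as up, negotiating, or down."""
    counts, peers = parse_ikev1_sa(text)
    mine = [p for p in peers if p["peer"] == expected_peer]
    if not mine:
        return {"peer": expected_peer, "status": "down",
                "detail": "no IKE SA: Phase 1 never completed or no interesting traffic yet"}
    sa = mine[0]
    if sa.get("state") == "MM_ACTIVE":
        detail = "rekey in progress" if counts.get("Rekey SA", 0) else "established"
        return {"peer": expected_peer, "status": "up", "detail": detail}
    return {"peer": expected_peer, "status": "negotiating", "detail": f"state {sa.get('state')}"}


if __name__ == "__main__":
    print(tunnel_status(SA_OUTPUT, "SRG-Site-B"))
```

Feed it the saved output of the command from each firewall and alert on anything other than "up"; the "negotiating" branch is where a wrong pre-shared key or a peer that is not reachable on UDP/500 shows itself.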

There's no need to check the tunnel on the Site-B firewall, since the state shows MM_ACTIVE on the Site-A firewall.

It's very important to get your ACL and NAT statements right; otherwise none of the crypto configuration will matter, because traffic that does not match the crypto ACL and the NAT exemption will never be sent into the tunnel. If you run into any problems, enable logging by running the following commands.

logging enable
logging timestamp
logging standby
logging buffer-size 987451
logging monitor debugging
logging buffered debugging
logging trap debugging
logging asdm debugging

You can also trace how the firewall handles a packet from the inside network with the packet-tracer command.

packet-tracer input inside icmp <source> 8 0 <destination>

For more information please visit http://www.cisco.com.
Thank you for reading Cisco ASA 5506-X Site to Site IPSec VPN Tunnel Config and enjoy your newly established VPN tunnel!

-Jonathan Granados
