How to Configure a Cisco ASA Site-to-Site IPSec VPN

This article will explain how to configure a Site-to-Site IPSec VPN using Cisco ASA 55XX’s using IKEV1.  My example below shows how to configure VPN’s between 3 sites but can be modified for the following scenarios without much explanation:

  • site-to-site VPN between 2 sites (Just remove SiteC… duh!)
  • site-to-site to 3+ sites (just follow the example and modify for a N+1 sites.  If You’re doing more than 3 sites, you may wish to look at a hub and spoke model to simply the network and backups, etc)
  • Hub and spoke VPN, where 2 remote offices only connect to a main office (If SiteA is the Hub, on SiteB remove the SiteC configuration, on SiteC remove the SiteB configuration, etc…)

Overview

Network Diagram

ASA_Multi_Site-to-site_IPSEC_VPN

Network Diagram

Phase 1 Settings

Attribute Value
Authentication Preshared Keys
Encryption 3DES
Hash MD5
DH Group Group 2
Lifetime 86400 seconds

Phase 2 Settings

Attribute Value
Mode Tunnel
Encryption 3DES
Hash SHA-1
PFS Enabled
Lifetime 86400 seconds

Configure SiteA

!-----------------
!CONFIGURE OBJECTS
!-----------------
!Create Object for Local LAN SiteA
config t
object-group network obj-local
network-object 10.0.1.0 255.255.255.0
end
!Create Object for Remote LAN SiteB
config t
object-group network obj-SiteB
network-object 10.0.2.0 255.255.255.0
end
!Create Object for Remote LAN SiteC
config t
object-group network obj-SiteC
network-object 10.0.3.0 255.255.255.0
end
!
!---------------
!CONFIGURE ACL's
!---------------
!Configure VPN ACL SiteB
config t
access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB
end
!Configure VPN ACL SiteC
config t
access-list ACL_SiteC extended permit ip object-group obj-local object-group obj-SiteC
end
!
!------------------------
!CONFIGURE NAT EXEMPTIONS
!------------------------
!Configure NAT Exemption SiteB
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteB obj-SiteB no-proxy-arp route-lookup
end
!Configure NAT Exemption SiteC
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteC obj-SiteC no-proxy-arp route-lookup
end
!
!-----------------------------------------------------
!CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:84600s)
!-----------------------------------------------------
config t
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
end
!
!-------------------------------------------------------------------
!CONFIGURE PHASE 2 PROPOSALS 
!-------------------------------------------------------------------
!Configure Transform Set(g2-esp-3des-sha SA:84600s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
end
!Configure Transform Set (g2-esp-3des-md5 SA:84600s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
end
!Configure Tunnel Group Remote WAN IP SiteB(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Tunnel Group Remote WAN IP SiteC(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.3 type ipsec-l2l
tunnel-group 1.1.1.3 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Crypto Maps (You can only have 1 crypto map nam and each VPN needs an unique Map # to differentiate from each other)
!MAP: SiteA=1, SiteB=2, SiteC=3
config t
crypto map crypto-map 2 match address ACL_SiteB
crypto map crypto-map 2 set peer 1.1.1.2
crypto map crypto-map 2 set transform-set ESP-3DES-SHA
end
config t
crypto map crypto-map 3 match address ACL_SiteC
crypto map crypto-map 3 set peer 1.1.1.3
crypto map crypto-map 3 set transform-set ESP-3DES-SHA
end
!Attach Crypto Map to Interface
config t
crypto map crypto-map interface outside
end

 

Configure SiteB

!-----------------
!CONFIGURE OBJECTS
!-----------------
!Create Object for Local LAN SiteB
config t
object-group network obj-local
network-object 10.0.2.0 255.255.255.0
end
!Create Object for Remote LAN SiteA
config t
object-group network obj-SiteA
network-object 10.0.1.0 255.255.255.0
end
!Create Object for Remote LAN SiteC
config t
object-group network obj-SiteC
network-object 10.0.3.0 255.255.255.0
end
!
!---------------
!CONFIGURE ACL's
!---------------
!Configure VPN ACL SiteA
config t
access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA
end
!Configure VPN ACL SiteC
config t
access-list ACL_SiteC extended permit ip object-group obj-local object-group obj-SiteC
end
!
!------------------------
!CONFIGURE NAT EXEMPTIONS
!------------------------
!Configure NAT Exemption SiteA
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteA obj-SiteA no-proxy-arp route-lookup
end
!Configure NAT Exemption SiteC
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteC obj-SiteC no-proxy-arp route-lookup
end
!
!-----------------------------------------------------
!CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:84600s)
!-----------------------------------------------------
config t
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
end
!
!-------------------------------------------------------------------
!CONFIGURE PHASE 2 PROPOSALS 
!-------------------------------------------------------------------
!Configure Transform Set(g2-esp-3des-sha SA:84600s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
end
!Configure Transform Set (g2-esp-3des-md5 SA:84600s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
end
!Configure Tunnel Group Remote WAN IP SiteA(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Tunnel Group Remote WAN IP SiteC(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.3 type ipsec-l2l
tunnel-group 1.1.1.3 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Crypto Maps (You can only have 1 crypto map nam and each VPN needs an unique Map # to differentiate from each other)
!MAP: SiteA=1, SiteB=2, SiteC=3
config t
crypto map crypto-map 1 match address ACL_SiteA
crypto map crypto-map 1 set peer 1.1.1.1
crypto map crypto-map 1 set transform-set ESP-3DES-SHA
end
config t
crypto map crypto-map 3 match address ACL_SiteC
crypto map crypto-map 3 set peer 1.1.1.3
crypto map crypto-map 3 set transform-set ESP-3DES-SHA
end
!Attach Crypto Map to Interface
config t
crypto map crypto-map interface outside
end

Configure SiteC

!-----------------
!CONFIGURE OBJECTS
!-----------------
!Create Object for Local LAN SiteC
config t
object-group network obj-local
network-object 10.0.3.0 255.255.255.0
end
!Create Object for Remote LAN SiteA
config t
object-group network obj-SiteA
network-object 10.0.1.0 255.255.255.0
end
!Create Object for Remote LAN SiteB
config t
object-group network obj-SiteB
network-object 10.0.2.0 255.255.255.0
end
!
!---------------
!CONFIGURE ACL's
!---------------
!Configure VPN ACL SiteA
config t
access-list ACL_SiteA extended permit ip object-group obj-local object-group obj-SiteA
end
!Configure VPN ACL SiteB
config t
access-list ACL_SiteB extended permit ip object-group obj-local object-group obj-SiteB
end
!
!------------------------
!CONFIGURE NAT EXEMPTIONS
!------------------------
!Configure NAT Exemption SiteA
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteA obj-SiteA no-proxy-arp route-lookup
end
!Configure NAT Exemption SiteB
config t
nat (inside,outside) 1 source static obj-local obj-local destination static obj-SiteB obj-SiteB no-proxy-arp route-lookup
end
!
!-----------------------------------------------------
!CONFIGURE PHASE1 PROPOSAL (pre-g2-3des-md5 SA:84600s)
!-----------------------------------------------------
config t
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 enable outside
end
!
!-------------------------------------------------------------------
!CONFIGURE PHASE 2 PROPOSALS 
!-------------------------------------------------------------------
!Configure Transform Set(g2-esp-3des-sha SA:84600s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
end
!Configure Transform Set (g2-esp-3des-md5 SA:84600s PFS:enabled)
config t
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
end
!Configure Tunnel Group Remote WAN IP SiteA(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Tunnel Group Remote WAN IP SiteB(Replace VPNSHAREDKEYPW)
config t
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 ipsec-attributes 
pre-shared-key VPNSHAREDKEYPW
end
!Configure Crypto Maps (You can only have 1 crypto map nam and each VPN needs an unique Map # to differentiate from each other)
!MAP: SiteA=1, SiteB=2, SiteC=3
config t
crypto map crypto-map 1 match address ACL_SiteA
crypto map crypto-map 1 set peer 1.1.1.1
crypto map crypto-map 1 set transform-set ESP-3DES-SHA
end
config t
crypto map crypto-map 2 match address ACL_SiteB
crypto map crypto-map 2 set peer 1.1.1.2
crypto map crypto-map 2 set transform-set ESP-3DES-SHA
end
!Attach Crypto Map to Interface
config t
crypto map crypto-map interface outside
end

 

Further Info

I would suggest using IKEV2 for a Site-to-Site VPN, and I’ll outline the steps a in future article once I get time to write it up…. Stay tuned!

 

3 comments

    • Diego on November 20, 2019 at 12:09 am

    Awesome article!
    Im running into a particular situation. I have a cisco ASA-x for a branch. the firewalls is at the perimeter with NAT_PAT configured for the DMZ and internal users to connect out on the OUTSIDE interface as DHCP. Also NAT port forwarding for the DMZ servers.

    Im trying to do a l2l Ipsec tunnel. Traffic is being allowed by IP from the remote host and IPsec enabled… everything is configured but nothing comes. Im suspecting is the remote user not having ESP enabled on their WAN to allow the communication. My question on my end do i need to do a NAT except since traffic or the tunnel will be terminated on the OUTSIDE interface? I mean the interesting traffic would need to do a NAT except? such as NAT (OUTSIDE,ANY) static remote_subnet destination subnet remote_subnet destination_subnet ?

    I’ve done many IPsec tunnels where we have a router passing the traffic thru to the VPN concentrator but never when it terminates right at the WAN side.

    • Walter on June 3, 2020 at 1:17 am

    Hi,
    Do you have an example configuration for ASA full mesh VPN?

    1. Sorry, I don’t have any live examples to pull this from but may put some up once I get time to play with them in my lab!

Comments have been disabled.