Recently I needed to create a site-to-site VPN to interconnect two remote sites for a client and chose the Cisco ASA5505 to do so. Being my first time using this device, I was drawn to the beautiful ASDM, complete with a wizard to create the site-to-site VPN; it was too good to be true. For unexplained reasons, the configuration produced by the wizard failed; I tried multiple times, did a full reset on the ASA, and nothing, couldn't get it to work. What next? The good old console cable and some reading got me on the right track.
Below are some tips/steps/guidelines, call them whatever you like, that I use to create the site-to-site VPN (Cisco sometimes calls it LAN-to-LAN, or L2L).
– Create an access-list to instruct what traffic to encrypt
– Exempt traffic on the inside interface that is going to be encrypted from being NATed
– Create Phase 2 configuration: transform set and crypto map configuration
– Create Phase 1 configuration
– Tunnel group
– Tweaks
Sample configuration
For the example I'll use the following network configuration, with the public interface named outside and the internal interface named inside.
Site A: London
Public IP: 1.1.1.1
Private network: 192.168.1.0 mask 255.255.255.0
Site B: Manchester
Public IP: 2.2.2.2
Private network: 192.168.2.0 mask 255.255.255.0
Pre-shared Key: MY-PRE-SHARED-KEY
London ASA configuration
!--- Access list to identify site-to-site traffic to encrypt
access-list ACL_CM_LondontoManchester extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!--- Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!--- Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT
!--- Phase 2 configuration of IPsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!--- IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_LondontoManchester
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 2.2.2.2
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!--- Apply crypto map to outside interface
crypto map CM_outside interface outside
!--- Enable Phase 1 ISAKMP on the public interface
crypto isakmp enable outside
!--- Phase 1 configuration
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
exit
!--- NAT-T configuration
crypto isakmp nat-traversal 50
!--- Allow IPsec tunnel traffic to bypass interface ACLs
sysopt connection permit-vpn
!--- Define tunnel group
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key MY-PRE-SHARED-KEY
exit
Manchester ASA configuration
!--- Access list to identify site-to-site traffic to encrypt
access-list ACL_CM_ManchestertoLondon extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!--- Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!--- Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT
!--- Phase 2 configuration of IPsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!--- IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_ManchestertoLondon
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 1.1.1.1
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!--- Apply crypto map to outside interface
crypto map CM_outside interface outside
!--- Enable Phase 1 ISAKMP on the public interface
crypto isakmp enable outside
!--- Phase 1 configuration
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 1
 lifetime 28800
exit
!--- NAT-T configuration
crypto isakmp nat-traversal 50
!--- Allow IPsec tunnel traffic to bypass interface ACLs
sysopt connection permit-vpn
!--- Define tunnel group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key MY-PRE-SHARED-KEY
exit
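As an added example (my own illustration, not the author's tool and not Cisco code), here is a small Python generator that produces the mirrored configuration above for both peers from the site parameters, and then checks that the two crypto ACLs are exact mirrors of each other, since mismatched proxy identities are the usual reason Phase 2 never comes up. The names Site, l2l_config, crypto_acl_pairs and proxy_ids_mirror are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str        # used in the crypto ACL name, e.g. "London"
    public_ip: str   # address of the outside interface
    network: str     # inside network address
    mask: str        # inside network mask

def l2l_config(local: Site, remote: Site, psk: str, seq: int = 5) -> str:
    """Return the ASA L2L config for 'local', peering with 'remote' (assumed layout)."""
    acl = f"ACL_CM_{local.name}to{remote.name}"
    lan = f"{local.network} {local.mask} {remote.network} {remote.mask}"
    lines = [
        f"access-list {acl} extended permit ip {lan}",      # traffic to encrypt
        f"access-list ACL_NONAT extended permit ip {lan}",  # same traffic, NAT-exempt
        "nat (inside) 0 access-list ACL_NONAT",
        "crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac",
        f"crypto map CM_outside {seq} match address {acl}",
        f"crypto map CM_outside {seq} set pfs group1",
        f"crypto map CM_outside {seq} set peer {remote.public_ip}",
        f"crypto map CM_outside {seq} set transform-set ESP-AES-128-SHA",
        f"crypto map CM_outside {seq} set security-association lifetime seconds 28800",
        "crypto map CM_outside interface outside",
        "crypto isakmp enable outside",
        "crypto isakmp policy 1",
        " authentication pre-share", " encryption aes", " hash sha", " group 1", " lifetime 28800",
        "crypto isakmp nat-traversal 50",
        "sysopt connection permit-vpn",
        f"tunnel-group {remote.public_ip} type ipsec-l2l",
        f"tunnel-group {remote.public_ip} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]
    return "\n".join(lines) + "\n"

def crypto_acl_pairs(cfg: str) -> set:
    """Collect ((src, mask), (dst, mask)) from the crypto-map access-list entries."""
    pairs = set()
    for line in cfg.splitlines():
        t = line.split()
        if len(t) == 9 and t[0] == "access-list" and t[1].startswith("ACL_CM_"):
            pairs.add(((t[5], t[6]), (t[7], t[8])))
    return pairs

def proxy_ids_mirror(cfg_a: str, cfg_b: str) -> bool:
    """True when every crypto ACL entry on one peer appears reversed on the other."""
    return {(d, s) for s, d in crypto_acl_pairs(cfg_a)} == crypto_acl_pairs(cfg_b)
```

Call l2l_config once per site with the two Site objects swapped to get both halves of the tunnel, then feed both strings to proxy_ids_mirror before pasting anything into the consoles.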
Here is my automated ASA site-to-site VPN config tool