Cisco ASA site-to-site VPN

Recently I needed to create a site-to-site VPN to interconnect two remote sites for a client and chose the Cisco ASA 5505 to do so. As it was my first time using this device I was drawn to the beautiful ASDM, complete with a wizard to create the site-to-site VPN; it was too good to be true. For unexplained reasons the configuration produced by the wizard failed; I tried multiple times, did a full reset on the ASA and still couldn't get it to work. What next? The good old console cable and some reading got me on the right track.
Below are some tips/steps/guidelines, call them whatever you like, that I use to create a site-to-site VPN, which Cisco sometimes calls LAN-to-LAN (L2L):
– Create an access-list to identify the traffic to encrypt
– Exempt the traffic that is going to be encrypted from NAT on the inside interface
– Create Phase 2 configuration: transform set and crypto map configuration
– Create Phase 1 configuration
– Tunnel group
– Tweaks

Sample configuration

For the example I'll use the following network configuration, with the public interface named outside and the internal interface named inside.
Site A: London
Public IP: 1.1.1.1
Private network: 192.168.1.0 mask 255.255.255.0
Site B: Manchester
Public IP: 2.2.2.2
Private network: 192.168.2.0 mask 255.255.255.0
Pre-shared Key: MY-PRE-SHARED-KEY

London ASA configuration


!---Access list to identify the site-to-site traffic to encrypt
access-list ACL_CM_LondontoManchester extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!---Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!---Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT

!---Phase 2 Configuration of IPSec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!---IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_LondontoManchester
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 2.2.2.2
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!---apply crypto map to outside interface
crypto map CM_outside interface outside

!---Enable Phase 1 (ISAKMP) on the public interface
crypto isakmp enable outside
!---Phase 1 Configuration
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
exit

!---NAT-T configuration
crypto isakmp nat-traversal 50
!---Allow IPsec tunnel traffic to bypass ACLs
sysopt connection permit-vpn

!---Define tunnel group
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key MY-PRE-SHARED-KEY
exit

Manchester ASA configuration

!---Access list to identify the site-to-site traffic to encrypt
access-list ACL_CM_ManchestertoLondon extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!---Access list for VPN traffic to bypass NAT
access-list ACL_NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!---Prevents VPN traffic from undergoing NAT
nat (inside) 0 access-list ACL_NONAT

!---Phase 2 Configuration of IPSec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!---IPsec configuration for static LAN-to-LAN tunnel
crypto map CM_outside 5 match address ACL_CM_ManchestertoLondon
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer 1.1.1.1
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto map CM_outside 5 set security-association lifetime seconds 28800
!---apply crypto map to outside interface
crypto map CM_outside interface outside

!---Enable Phase 1 (ISAKMP) on the public interface
crypto isakmp enable outside
!---Phase 1 Configuration
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
exit

!---NAT-T configuration
crypto isakmp nat-traversal 50
!---Allow IPsec tunnel traffic to bypass ACLs
sysopt connection permit-vpn

!---Define tunnel group
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key MY-PRE-SHARED-KEY
exit
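A mismatch in any one of these settings between the two peers (mirrored crypto ACLs, peer address, transform set, PFS group, ISAKMP policy, pre-shared key) is the usual reason an L2L tunnel never comes up. As an added example that is not part of this post or of the author's tool, here is a small Python checker that parses the two configs above and reports which of those fields disagree. The `site_cfg` template, the function names and the reduced config text are constructed for the example; it assumes one crypto map entry per site and the syntax shown on the page.

```python
import re
# Constructed sample: the page's per-site config reduced to the lines the checker reads.
def site_cfg(local_net, remote_net, peer_ip, acl):
    return f"""access-list {acl} extended permit ip {local_net} 255.255.255.0 {remote_net} 255.255.255.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map CM_outside 5 match address {acl}
crypto map CM_outside 5 set pfs group1
crypto map CM_outside 5 set peer {peer_ip}
crypto map CM_outside 5 set transform-set ESP-AES-128-SHA
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 1
exit
tunnel-group {peer_ip} type ipsec-l2l
pre-shared-key MY-PRE-SHARED-KEY
"""

def parse_l2l(cfg):
    """Extract the settings that must agree between the two ASA peers."""
    def g(pat, flags=0):
        return re.search(pat, cfg, flags).group(1)
    acl = g(r"crypto map \S+ \d+ match address (\S+)")
    nets = g(rf"access-list {re.escape(acl)} extended permit ip (.+)").split()
    ts = g(r"set transform-set (\S+)")
    return {
        "local": tuple(nets[:2]), "remote": tuple(nets[2:]),
        "peer": g(r"set peer (\S+)"), "pfs": g(r"set pfs (\S+)"),
        "transform": g(rf"crypto ipsec transform-set {re.escape(ts)} (.+)"),
        "ike": tuple(sorted(g(r"crypto isakmp policy \d+\n(.*?)\nexit", re.S).split("\n"))),
        "tunnel_group": g(r"tunnel-group (\S+) type ipsec-l2l"),
        "psk": g(r"pre-shared-key (\S+)"),
    }

def check_pair(cfg_a, ip_a, cfg_b, ip_b):
    """Return the mismatches that would stop Phase 1 or Phase 2 from negotiating."""
    a, b, problems = parse_l2l(cfg_a), parse_l2l(cfg_b), []
    for ip, f, other in ((ip_a, a, ip_b), (ip_b, b, ip_a)):
        if f["peer"] != other:
            problems.append(f"{ip}: set peer {f['peer']} is not the other site {other}")
        if f["tunnel_group"] != f["peer"]:
            problems.append(f"{ip}: tunnel-group {f['tunnel_group']} does not match its peer")
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("crypto ACLs are not mirror images (proxy ID mismatch)")
    problems += [f"{k} differs between sites" for k in ("transform", "pfs", "ike", "psk") if a[k] != b[k]]
    return problems

LONDON = site_cfg("192.168.1.0", "192.168.2.0", "2.2.2.2", "ACL_CM_LondontoManchester")
MANCHESTER = site_cfg("192.168.2.0", "192.168.1.0", "1.1.1.1", "ACL_CM_ManchestertoLondon")
```

With the two configs above, `check_pair(LONDON, "1.1.1.1", MANCHESTER, "2.2.2.2")` returns an empty list; feed it the output of `show running-config` from each ASA to catch a typo on one side before digging through debug output.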

Here is my automated ASA site-to-site VPN config tool