Site-to-Site IPsec VPN between Two Cisco ASAs, One with a Dynamic IP

Cisco ASA 5500 Series appliances deliver IPsec and SSL VPN, firewall, and several other networking services on a single platform. The Cisco ASA 5520, a member of the Cisco ASA 5500 Series, is shown in Figure 1 below.

Figure 1: Cisco Adaptive Security Appliance (ASA)

Here we will focus on a site-to-site IPsec implementation between two Cisco ASA 5520 appliances, as shown in Figure 2. The outside interface of ASA1 is assigned a dynamic IP address by the service provider over DHCP, while the outside interface of ASA2 is configured with a static IP address. Basic IP address configuration and connectivity already exist; we will build the IPsec configuration on top of this. Although this tutorial was tested on an ASA 5520, the configuration commands are the same on the other ASA models. Note that the crypto ikev1 command syntax used here requires ASA software 8.4 or later; earlier releases use the crypto isakmp form of the same commands.

Figure 2: Cisco ASA-to-ASA IPsec Implementation

One consequence of the dynamic address deserves to be stated up front: ASA2 cannot know ASA1's current address in advance, so the tunnel can only be initiated from ASA1's side. ASA2 learns ASA1's address when the first IKE negotiation arrives. Until then, hosts behind ASA2 cannot reach 192.168.1.0/24, so the interesting traffic has to come from behind ASA1 first.

IP Security (IPsec) uses Internet Key Exchange (IKE) for key management and tunnel negotiation. IKE negotiates two sets of attributes between the peers: the ISAKMP/Phase 1 attributes, which protect the key exchange itself, and the IPsec/Phase 2 attributes, which protect the actual data traffic. If any one of these attributes is misconfigured, the IPsec tunnel fails to establish. It is therefore mandatory to make sure that all of these parameters are identical on the two appliances we are using as IPsec peers.

We will start with a pre-configuration checklist to make our life easier. This checklist serves as a reference both for configuration and for troubleshooting.

Table 1: Configuration Checklist, ISAKMP/Phase 1 Attributes

Attribute               Value
Encryption              AES 128-bit
Hashing                 SHA-1
Authentication method   Pre-shared keys
DH group                Group 2 (1024-bit modulus)
Lifetime                86,400 seconds

Phase 1 attributes protect the key exchange. The Phase 2 attributes, listed next, are the ones used to encrypt and authenticate the actual data traffic through the tunnel.

Table 2: Configuration Checklist, IPsec/Phase 2 Attributes

Attribute    Value
Encryption   AES 128-bit
Hashing      SHA-1
Lifetime     28,800 seconds or 4,608,000 kB, whichever is reached first
Mode         Tunnel
PFS group    None

The Phase 2 lifetime and mode are not set explicitly in the configuration below: 28,800 seconds / 4,608,000 kB and tunnel mode are the ASA defaults, and PFS is simply left unconfigured.

A caveat before we type anything: these values are widely deployed but are no longer considered strong. SHA-1 and the 1024-bit DH group 2 are deprecated choices, and IKEv1 with a pre-shared key is weaker than IKEv2 with certificate authentication. If both appliances run a release that supports it, prefer IKEv2, SHA-256 and DH group 14 or higher; the structure of the configuration stays the same. The pre-shared key Cisc0 used below is a placeholder and must be replaced with a long random secret in any real deployment.

Now that we have determined which Phase 1 and Phase 2 attributes to use, we are ready to configure the site-to-site IPsec tunnel between ASA1 and ASA2.

Let's start with configuring ASA1:

! ISAKMP Phase 1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
crypto ikev1 enable outside
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
 ikev1 pre-shared-key Cisc0
! IPsec Phase 2
access-list RED permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 match address RED
crypto map VPN-MAP 10 set peer 188.8.131.52
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP interface outside

The address in the tunnel-group name, in the tunnel-group ipsec-attributes line and in the set peer command refers to one and the same thing: ASA2's static outside IP address. Use that single address in all three places; the addresses shown here are placeholders. Because ASA1 knows its peer's address, it uses a static crypto map with a match address entry (access-list RED defines the "interesting traffic" from LAN1 to LAN2), and it is the side that initiates the tunnel.
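The checklist above only helps if both peers actually end up with the same values, and a mismatch is the most common reason a tunnel never comes up. The following Python script is an added example, not part of the original article or of any Cisco tool: it parses the crypto ikev1 policy and transform-set lines out of two ASA configurations, reports Phase 1 and Phase 2 mismatches, and flags the legacy choices (SHA-1, DH group 2) before the tunnel is built. Both configuration strings are constructed for the example: the ASA1 one reproduces the commands above, and the peer sample carries deliberate mismatches (hash sha256, esp-aes-256) to exercise the checker.

```python
"""Pre-flight check of the IPsec checklist: parse the Phase 1 (crypto ikev1
policy) and Phase 2 (transform-set) attributes out of two ASA configurations
and report anything that would stop the tunnel from coming up.

Added example, not part of the original article or of any Cisco tool.
The two configuration strings are constructed for this example.
"""
import re

# Constructed sample: the ASA1 commands from the tutorial (tunnel-group,
# access-list and peer lines omitted, the checker does not need them).
ASA1_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map VPN-MAP 10 set ikev1 transform-set ESP-AES128-SHA
"""

# Constructed sample: a peer whose administrator "hardened" the hash and the
# ESP cipher on one side only, so both phases mismatch.
ASA2_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha256
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA
"""

PHASE1_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
# Values the ASA applies when a line is omitted from a policy.
PHASE1_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                   "hash": "sha", "group": "2", "lifetime": "86400"}
# Legacy choices worth flagging: "sha" on the ASA means SHA-1.
WEAK = {"hash": {"md5", "sha"}, "group": {"1", "2", "5"},
        "encryption": {"des", "3des"}}


def parse_ikev1_policies(config):
    """Return {priority: {attribute: value}} for every crypto ikev1 policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.fullmatch(r"crypto ikev1 policy (\d+)", line.strip())
        if m:
            current = int(m.group(1))
            policies[current] = dict(PHASE1_DEFAULTS)
        elif current is not None and line.startswith(" "):
            attr, _, value = line.strip().partition(" ")
            if attr in PHASE1_ATTRS:
                policies[current][attr] = value
        else:
            current = None  # any unindented line ends the policy block
    return policies


def parse_transform_sets(config):
    """Return {name: frozenset(transforms)} for every ikev1 transform-set."""
    return {m.group(1): frozenset(m.group(2).split()) for m in
            re.finditer(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", config, re.M)}


def transform_sets_in_use(config):
    """Transform-set names referenced from static or dynamic crypto maps."""
    return set(re.findall(r"\bset ikev1 transform-set (\S+)", config))


def compare_peers(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the checklist matches."""
    problems = []
    pol_a, pol_b = parse_ikev1_policies(cfg_a), parse_ikev1_policies(cfg_b)
    # Phase 1: the responder accepts the first proposal that matches on
    # authentication, encryption, hash and DH group.
    core = ("authentication", "encryption", "hash", "group")
    matched = [(a, b) for a in pol_a.values() for b in pol_b.values()
               if all(a[k] == b[k] for k in core)]
    if not matched:
        problems.append("Phase 1: no ikev1 policy on A matches any policy on B: "
                        f"A={list(pol_a.values())} B={list(pol_b.values())}")
    elif any(a["lifetime"] != b["lifetime"] for a, b in matched):
        # IKEv1 tolerates this and uses the shorter lifetime, but the
        # checklist asks for identical values, so report it.
        problems.append("Phase 1: lifetimes differ (the shorter one will be used)")
    # Phase 2: the transform-set each side's crypto map references must
    # carry the same ESP transforms.
    ts_a, ts_b = parse_transform_sets(cfg_a), parse_transform_sets(cfg_b)
    used_a = {ts_a[n] for n in transform_sets_in_use(cfg_a) if n in ts_a}
    used_b = {ts_b[n] for n in transform_sets_in_use(cfg_b) if n in ts_b}
    if not used_a & used_b:
        problems.append("Phase 2: no common transform-set: "
                        f"A={[sorted(s) for s in used_a]} B={[sorted(s) for s in used_b]}")
    return problems


def weak_settings(config):
    """Flag legacy Phase 1 choices (MD5/SHA-1, DH group 1/2/5, DES/3DES)."""
    findings = []
    for prio, pol in sorted(parse_ikev1_policies(config).items()):
        for attr, bad in WEAK.items():
            if pol[attr] in bad:
                findings.append(f"policy {prio}: {attr} {pol[attr]} is considered weak")
    return findings


if __name__ == "__main__":
    for name, cfg in (("ASA1", ASA1_CONFIG), ("ASA2", ASA2_CONFIG)):
        for finding in weak_settings(cfg):
            print(f"{name}: {finding}")
    for problem in compare_peers(ASA1_CONFIG, ASA2_CONFIG) or ["checklist matches"]:
        print(problem)
```

Run it against the real running configurations (show running-config on each appliance, pasted into the two strings) before bringing the tunnel up. The Phase 1 comparison deliberately ignores the lifetime when looking for a matching proposal, because IKEv1 negotiates the shorter of the two lifetimes rather than failing; it still reports the difference so the checklist stays honest.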
Here goes the configuration for ASA2:

! Create ISAKMP policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
! Define the pre-shared key in the default L2L tunnel group, because ASA2
! cannot name the peer's address
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key Cisc0
!
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
access-list BLUE permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
! Create a dynamic map (the match address line is optional)
crypto dynamic-map DYN-MAP 20 match address BLUE
crypto dynamic-map DYN-MAP 20 set ikev1 transform-set ESP-AES128-SHA
! Assign the dynamic map to the crypto map
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
crypto map VPN-MAP interface outside

Two points on ASA2 deserve attention. First, because the peer's address is unknown, the pre-shared key lives in DefaultL2LGroup, the tunnel group the ASA falls back to for any L2L peer that has no tunnel group of its own. Any host on the Internet that knows this key can therefore bring up a Phase 1 SA with ASA2, which is one more reason the key must be strong, and why the optional match address BLUE line is worth keeping: it restricts the Phase 2 proxy identities ASA2 will accept to the LAN2/LAN1 pair. Second, the dynamic map is attached to the static crypto map with the dynamic keyword. If VPN-MAP later gains static entries for peers with known addresses, give them lower sequence numbers than the dynamic entry so that they are evaluated first.

The above commands conclude the IPsec VPN configuration. However, if we have NAT in our network (which is true most of the time), we still have some way to go. We must configure NAT exemption for VPN traffic. That is, traffic that will pass through the VPN tunnel (i.e. traffic between the LAN networks 192.168.1.0/24 and 10.0.0.0/24) must be excluded from NAT. Otherwise the source address is translated to the outside interface address before the crypto map is consulted, the packet no longer matches access-list RED (or BLUE), and it leaves for the Internet in the clear instead of entering the tunnel.

The identity rule below is a manual (twice) NAT rule, which the ASA places in NAT section 1 and evaluates before the object NAT rule in section 2 that provides Internet access; this ordering is what makes the exemption take precedence over the PAT rule.

Configure NAT Exemption on ASA1

ASA1(config)# object network obj-local
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# object network obj-remote
ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA1(config-network-object)# exit
ASA1(config)# object network internal-lan
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# exit
! Exclude traffic from LAN1 to LAN2 from NAT operation
ASA1(config)# nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
! Configure Port Address Translation (PAT) using the outside ASA interface. This
! performs dynamic NAT on internal LAN hosts so that they can access the Internet.
ASA1(config)# object network internal-lan
ASA1(config-network-object)# nat (inside,outside) dynamic interface

Configure NAT Exemption on ASA2

ASA2(config)# object network obj-local
ASA2(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA2(config-network-object)# exit
ASA2(config)# object network obj-remote
ASA2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA2(config-network-object)# exit
ASA2(config)# object network internal-lan
ASA2(config-network-object)# subnet 10.0.0.0 255.255.255.0
ASA2(config-network-object)# exit
! Exclude traffic from LAN2 to LAN1 from NAT operation
ASA2(config)# nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
! Configure Port Address Translation (PAT) using the outside ASA interface. This
! performs dynamic NAT on internal LAN hosts so that they can access the Internet.
ASA2(config)# object network internal-lan
ASA2(config-network-object)# nat (inside,outside) dynamic interface

At this point our IPsec configuration is complete. We can generate some traffic from a host in subnet 192.168.1.0/24 connected to ASA1 to a host in subnet 10.0.0.0/24 connected to ASA2. An easy way to generate such traffic is the good old ping utility. Remember that the first packets must come from ASA1's side, since only ASA1 can initiate the tunnel. If ping is successful between the two subnets, the IPsec tunnel has most likely been established. This can be verified with the command show crypto ipsec stats:

ASA1# show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
    Bytes: 400
    Decompressed bytes: 400
    Packets: 4
    Dropped packets: 0
    Replay failures: 0
    Authentications: 4
    Authentication failures: 0
    Decryptions: 4
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 400
    Uncompressed bytes: 400
    Packets: 4
    Dropped packets: 0
    Authentications: 4
    Authentication failures: 0
    Encryptions: 4
    Encryption failures: 0
    Fragmentation successes: 0
    Pre-fragmentation successses: 0
    Post-fragmentation successes: 0
    Fragmentation failures: 0
    Pre-fragmentation failures: 0
    Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

A tunnel that is passing traffic looks like this: Active tunnels is 1, the inbound Packets and Decryptions counts match, the outbound Packets and Encryptions counts match, and every failure counter is zero (the four packets here are the ping echoes and replies). Non-zero Authentication failures, Decryption failures or Replay failures are the first sign of a key or transform-set mismatch or of replayed and badly reordered packets, so these are the counters to watch.

You can get your hands dirty with several other show crypto commands available to verify the configuration and view statistics. For example, show crypto isakmp sa detail can be used to verify the ISAKMP/Phase 1 attributes, while show crypto ipsec sa can be used to verify the IPsec/Phase 2 attributes (on 8.4 and later, show crypto ikev1 sa detail shows the same information as the former). We have shown here the output of show crypto isakmp sa detail:

ASA1# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 184.108.40.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85998

The output confirms the Phase 1 checklist: AES encryption, SHA-1 hash, pre-shared key authentication and a lifetime of 86,400 seconds. State MM_ACTIVE means main mode negotiation completed and the Phase 1 SA is established, and Role: initiator is exactly what we expect on ASA1, the peer with the dynamic address. On ASA2 the same command shows Role: responder, and the IKE Peer field shows ASA1's current DHCP-assigned address, which is the only place ASA2 ever learns it.
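Reading the two show outputs by hand is fine once; for repeated verification after a change, or from a monitoring job that pulls the output over SSH, the same checks are better scripted. The following Python is an added example, not part of the original article or of any Cisco tool: it parses show crypto ipsec stats and show crypto isakmp sa detail output and reports whether the tunnel looks healthy, using the same signals discussed above (an active tunnel, zero failure counters, a Phase 1 SA in an ACTIVE state, and the expected role for the dynamic-address side). Both sample outputs are constructed from the ones shown above, with the fragmentation counters trimmed and 203.0.113.2 standing in as a placeholder peer address.

```python
"""Health check for an established ASA site-to-site tunnel: parse the output
of 'show crypto ipsec stats' and 'show crypto isakmp sa detail' and report
anything that does not look like a working tunnel.

Added example, not part of the original article or of any Cisco tool. The
two outputs below are constructed from the ones shown in the tutorial (the
fragmentation counters are trimmed) with 203.0.113.2 as a placeholder peer.
"""
import re

SAMPLE_IPSEC_STATS = """\
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
    Bytes: 400
    Decompressed bytes: 400
    Packets: 4
    Dropped packets: 0
    Replay failures: 0
    Authentications: 4
    Authentication failures: 0
    Decryptions: 4
    Decryption failures: 0
Outbound
    Bytes: 400
    Uncompressed bytes: 400
    Packets: 4
    Dropped packets: 0
    Authentications: 4
    Authentication failures: 0
    Encryptions: 4
    Encryption failures: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
"""

SAMPLE_IKE_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85998
"""

FAILURE_COUNTERS = ("dropped packets", "replay failures", "authentication failures",
                    "decryption failures", "encryption failures")
GLOBAL_FAILURES = ("protocol failures", "missing sa failures", "system capacity failures")


def parse_ipsec_stats(text):
    """Parse 'show crypto ipsec stats' into {"global"|"inbound"|"outbound": {counter: int}}.
    Unindented 'Name: N' lines are global; indented ones belong to the
    Inbound/Outbound heading that precedes them."""
    stats = {"global": {}, "inbound": {}, "outbound": {}}
    section = "global"
    for line in text.splitlines():
        if line.strip() in ("Inbound", "Outbound"):
            section = line.strip().lower()
            continue
        m = re.fullmatch(r"(\s*)([A-Za-z][A-Za-z ]*?):\s+(\d+)", line)
        if m:
            indent, name, value = m.groups()
            stats[section if indent else "global"][name.lower()] = int(value)
    return stats


def parse_ike_sas(text):
    """Parse 'show crypto isakmp sa detail' into one {field: value} dict per IKE SA."""
    sas = []
    for block in re.split(r"\n(?=\d+\s+IKE Peer:)", text):
        if "IKE Peer:" not in block:
            continue  # the Active/Rekey/Total summary header
        sa = {}
        for name, value in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)", block):
            sa[name.strip().lower()] = value
        sas.append(sa)
    return sas


def tunnel_health(stats, sas, expected_role="initiator"):
    """Return (ok, findings). expected_role is "initiator" on the peer with
    the dynamic address, since only that side can start the negotiation."""
    findings = []
    if stats["global"].get("active tunnels", 0) < 1:
        findings.append("no active IPsec tunnel")
    for section in ("inbound", "outbound"):
        for counter in FAILURE_COUNTERS:
            if stats[section].get(counter, 0):
                findings.append(f"{section}: {counter} = {stats[section][counter]}")
    for counter in GLOBAL_FAILURES:
        if stats["global"].get(counter, 0):
            findings.append(f"{counter} = {stats['global'][counter]}")
    if not sas:
        findings.append("no IKE SA (Phase 1 never completed)")
    for sa in sas:
        peer = sa.get("ike peer", "?")
        if not sa.get("state", "").endswith("_ACTIVE"):
            findings.append(f"IKE SA with {peer} in state {sa.get('state')}, Phase 1 not complete")
        if sa.get("role") != expected_role:
            findings.append(f"IKE SA with {peer} has role {sa.get('role')}, expected {expected_role}")
    return not findings, findings


if __name__ == "__main__":
    stats = parse_ipsec_stats(SAMPLE_IPSEC_STATS)
    ok, findings = tunnel_health(stats, parse_ike_sas(SAMPLE_IKE_SA))
    print("tunnel OK" if ok else "tunnel problems:")
    for f in findings:
        print(" -", f)
```

When the script runs on ASA2's output, pass expected_role="responder"; on the static side the IKE Peer field is ASA1's current DHCP address, which is worth logging so that a change of address on the dynamic side can be told apart from an outage. The state check accepts any *_ACTIVE value so that an aggressive-mode tunnel (AM_ACTIVE) is not reported as broken.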