Video: Configuring Cisco ASA IKEv2 Site-to-Site VPNs


ASA Configuration

ASAv2 Configuration (abridged; unrelated sections omitted)

asa2# show run
:
ASA Version 9.12(3) 
!
hostname asa2
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif labout
 security-level 100
 ip address 192.168.107.10 255.255.255.0 
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
access-list VPN10 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 
!
route outside 192.168.20.0 255.255.255.0 172.16.1.2 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PRO
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map 10-20 10 match address VPN10
crypto map 10-20 10 set peer 172.16.1.2 
crypto map 10-20 10 set ikev2 ipsec-proposal IPSEC-PRO
crypto map 10-20 interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
: end

ASAv3 Configuration (abridged; unrelated sections omitted)

asa3# sh run
: Saved
ASA Version 9.12(3) 
!
hostname asa3
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0 
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
access-list VPN20 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 
!
route outside 192.168.10.0 255.255.255.0 172.16.1.1 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PRO
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map 20-10 10 match address VPN20
crypto map 20-10 10 set peer 172.16.1.1 
crypto map 20-10 10 set ikev2 ipsec-proposal IPSEC-PRO
crypto map 20-10 interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
: end
