
Cisco :: Configuring Site-to-Site VPNs on ASA Firewalls

In this video session, I cover how to configure L2L (site-to-site) VPNs on Cisco ASA Firewalls.

I have included the presentation from the video along with the essential configurations used to create an L2L VPN.

Configuration Used

***ASAv1***

ASA Version 9.8(3) 
!
hostname ASAv1
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.168.100.1 255.255.255.252 
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE1 object SITE2 

nat (INSIDE,OUTSIDE) source static SITE1 SITE1 destination static SITE2 SITE2 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 209.168.100.2 1

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.200.1 
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface OUTSIDE

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 84600

tunnel-group 209.168.200.1 type ipsec-l2l
tunnel-group 209.168.200.1 ipsec-attributes
 ikev1 pre-shared-key cisco

***ISP ROUTER***

hostname ISP
!
interface GigabitEthernet0/0
 ip address 209.168.100.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 209.168.200.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
ip route 192.168.10.0 255.255.255.0 209.168.100.1
ip route 192.168.20.0 255.255.255.0 209.168.200.1

***ASAv2***

ASA Version 9.8(3) 
!
hostname ASAv2
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.168.200.1 255.255.255.252 
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.20.1 255.255.255.0 
!
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE2 object SITE1 

nat (INSIDE,OUTSIDE) source static SITE2 SITE2 destination static SITE1 SITE1 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 209.168.200.2 1

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.100.1 
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface OUTSIDE

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 84600

tunnel-group 209.168.100.1 type ipsec-l2l
tunnel-group 209.168.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco
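The two ASA configurations above only work because they mirror each other: each side's `set peer` is the other side's OUTSIDE address, the transform set and IKEv1 policy match, the pre-shared key is the same, and the crypto ACL on ASAv2 is the reverse of the one on ASAv1. The script below is an added example (not part of the original post) that parses both configs and reports any of those mismatches; it runs against a constructed template of the crypto-relevant lines, and the names `site`, `parse` and `audit` are chosen here.

```python
import re
# Constructed template of the crypto-relevant lines from the page's ASAv1/ASAv2 configs.
TEMPLATE = """\
interface GigabitEthernet0/0
 nameif OUTSIDE
 ip address {outside} 255.255.255.252
access-list crypto extended permit ip object {local} object {remote}
crypto ipsec ikev1 transform-set myset esp-{enc} esp-sha-hmac
crypto map cryptomap 10 set peer {peer}
crypto map cryptomap 10 set ikev1 transform-set myset
crypto ikev1 policy 1
 authentication pre-share
 encryption {enc}
 hash sha
 group 2
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key {psk}
"""

def site(outside, peer, local, remote, enc="aes-256", psk="cisco"):
    return TEMPLATE.format(**locals())  # render one peer's config excerpt

def parse(cfg):
    p = {"policy": {}}  # the settings that must agree between the two L2L peers
    p["outside"] = re.search(r"nameif OUTSIDE\n(?: .*\n)*? ip address (\S+)", cfg).group(1)
    p["peer"] = re.search(r"set peer (\S+)", cfg).group(1)
    p["psk"] = re.search(r"ikev1 pre-shared-key (\S+)", cfg).group(1)
    ts = re.search(r"set ikev1 transform-set (\S+)", cfg).group(1)
    p["transform"] = re.search(rf"transform-set {ts} (.+)", cfg).group(1).split()
    p["acl"] = set(re.findall(r"permit ip object (\S+) object (\S+)", cfg))
    for k, v in re.findall(r"\n (authentication|encryption|hash|group) (\S+)", cfg):
        p["policy"][k] = v  # lifetime is left out: peers need not agree, the shorter wins
    return p

def audit(cfg_a, cfg_b):
    """List the mismatches between two peers' configs that would keep the tunnel down."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        issues.append("set peer does not match the other side's OUTSIDE address")
    for key in ("transform", "policy", "psk"):
        if a[key] != b[key]:
            issues.append(f"{key} differs between peers")
    if {(d, s) for s, d in a["acl"]} != b["acl"]:  # crypto ACL must be the mirror image
        issues.append("crypto ACLs are not mirror images of each other")
    return issues

if __name__ == "__main__":
    print(audit(site("209.168.100.1", "209.168.200.1", "SITE1", "SITE2"),
                site("209.168.200.1", "209.168.100.1", "SITE2", "SITE1")) or "peers agree")
```

Feed it the two running configs (or the relevant excerpts) instead of the rendered template and it points at the line to fix before you start reading `debug crypto` output.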


Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and, academically, he has achieved a Bachelor's and a Master's degree in both Computer Networks and Cyber Security.
