
Video: Configuring Cisco ASA IKEv2 Site-to-Site VPNs

ASA Configuration

ASAv2 Configuration (sections unrelated to the VPN omitted)

asa2# show run
:
ASA Version 9.12(3) 
!
hostname asa2
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif labout
 security-level 100
 ip address 192.168.107.10 255.255.255.0 
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
access-list VPN10 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 
!
route outside 192.168.20.0 255.255.255.0 172.16.1.2 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PRO
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map 10-20 10 match address VPN10
crypto map 10-20 10 set peer 172.16.1.2 
crypto map 10-20 10 set ikev2 ipsec-proposal IPSEC-PRO
crypto map 10-20 interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14     
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!             
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
: end

ASAv3 Configuration (sections unrelated to the VPN omitted)

asa3# sh run
: Saved
ASA Version 9.12(3) 
!
hostname asa3
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0 
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
access-list VPN20 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 
!
route outside 192.168.10.0 255.255.255.0 172.16.1.1 1
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PRO
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map 20-10 10 match address VPN20
crypto map 20-10 10 set peer 172.16.1.1 
crypto map 20-10 10 set ikev2 ipsec-proposal IPSEC-PRO
crypto map 20-10 interface outside
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256   
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
: end
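A quick consistency check for the two configurations above, added here as an example and not part of the original post: it pulls the outside address, crypto-map peer, crypto ACL and IKEv2 policy parameters out of each running-config and confirms that the sides mirror each other, which is where most site-to-site tunnels fail to come up. The config excerpts are constructed from the two dumps above with only the VPN-relevant lines kept.

```python
import re

# Constructed excerpts of the two running-configs shown above (VPN-relevant lines only).
ASA2 = """interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.1 255.255.255.0
access-list VPN10 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map 10-20 10 match address VPN10
crypto map 10-20 10 set peer 172.16.1.2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256"""
ASA3 = """interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.2 255.255.255.0
access-list VPN20 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map 20-10 10 match address VPN20
crypto map 20-10 10 set peer 172.16.1.1
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256"""

def parse(cfg):
    """Extract the fields that must agree between IKEv2 peers from an ASA running-config."""
    # Tolerate extra indented lines (e.g. security-level) between nameif and ip address.
    ip = re.search(r"nameif outside\n(?: .*\n)*? ip address (\S+)", cfg).group(1)
    acl = re.search(r"match address (\S+)", cfg).group(1)
    src, dst = re.search(rf"access-list {acl} extended permit ip (\S+ \S+) (\S+ \S+)", cfg).groups()
    peer = re.search(r"set peer (\S+)", cfg).group(1)
    # Assumes a single ikev2 policy; with several, later entries overwrite earlier ones.
    policy = dict(re.findall(r"^ (encryption|integrity|group|prf) (\S+)", cfg, re.M))
    return {"ip": ip, "src": src, "dst": dst, "peer": peer, "policy": policy}

def check_peers(cfg_a, cfg_b):
    """Return a list of mismatches; an empty list means the two sides mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    issues = []
    if a["peer"] != b["ip"] or b["peer"] != a["ip"]:
        issues.append("set peer does not point at the other side's outside address")
    if (a["src"], a["dst"]) != (b["dst"], b["src"]):
        issues.append("crypto ACLs are not mirror images")
    if a["policy"] != b["policy"]:
        issues.append("IKEv2 policy parameters differ")
    return issues

if __name__ == "__main__":
    print(check_peers(ASA2, ASA3) or "peers are consistent")
```

Feeding the same config in twice shows the failure path: the peer address and the ACL direction are both reported.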


Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and also creates technical content. Kelvin enjoys learning new things and often does this by working towards new technical certifications. He holds many professional certifications and, academically, has achieved Bachelor's and Master's degrees in Computer Networks and Cyber Security.
