Cisco ASA 5505 Getting Started Guide, Version 7.2
Scenario: Site-to-Site VPN Configuration
Download this chapter
Scenario: Site-to-Site VPN ConfigurationScenario: Site-to-Site VPN Configuration
Download the complete book
Cisco ASA 5505 Getting Started Guide, Version 7.2 -- Whole Book PDFCisco ASA 5505 Getting Started Guide, Version 7.2 -- Whole Book PDF (PDF - 4 MB)
give_us_feedback

Table Of Contents

Scenario: Site-to-Site VPN Configuration

Example Site-to-Site VPN Network Topology

Implementing the Site-to-Site Scenario

Information to Have Available

Configuring the Site-to-Site VPN

Starting ASDM

Configuring the Security Appliance at the Local Site

Providing Information About the Remote VPN Peer

Configuring the IKE Policy

Configuring IPSec Encryption and Authentication Parameters

Specifying Hosts and Networks

Viewing VPN Attributes and Completing the Wizard

Configuring the Other Side of the VPN Connection

What to Do Next


Scenario: Site-to-Site VPN Configuration

This chapter describes how to use the adaptive security appliance to create a site-to-site VPN.

Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.

This chapter includes the following sections:

Example Site-to-Site VPN Network Topology

Implementing the Site-to-Site Scenario

Configuring the Other Side of the VPN Connection

What to Do Next

Example Site-to-Site VPN Network Topology

Figure 8-1 shows an example VPN tunnel between two adaptive security appliances.

Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario

Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you to configure two adaptive security appliances, one on each side of the connection.

Implementing the Site-to-Site Scenario

This section describes how to configure the adaptive security appliance in a site-to-site VPN deployment, using example parameters from the remote-access scenario shown in Figure 8-1.

This section includes the following topics:

Information to Have Available

Configuring the Site-to-Site VPN

Information to Have Available

Before you begin the configuration procedure, obtain the following information:

IP address of the remote adaptive security appliance peer

IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources on the remote site

IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources

Configuring the Site-to-Site VPN

This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN.

This section includes the following topics:

Starting ASDM

Configuring the Security Appliance at the Local Site

Providing Information About the Remote VPN Peer

Configuring the IKE Policy

Configuring IPSec Encryption and Authentication Parameters

Specifying Hosts and Networks

Viewing VPN Attributes and Completing the Wizard

The following sections provide detailed instructions for how to perform each configuration step.

Starting ASDM

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note Make sure you add the "s" in "https," or the connection fails. HTTP over SSL (HTTPS) provides a secure connection between your browser and the adaptive security appliance.

The ASDM main window appears.

Configuring the Security Appliance at the Local Site

Note The adaptive security appliance at the first site is referred to as Security Appliance 1 in this scenario.

To configure Security Appliance 1, perform the following steps:

Step 1 In the ASDM main window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.

In Step 1 of the VPN Wizard, perform the following steps:

a. Click the Site-to-Site VPN radio button.

Note The Site-to-Site VPN option connects two IPSec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.

b. From the VPN tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel.

c. Click Next to continue.

Providing Information About the Remote VPN Peer

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

Note In this scenario, the remote VPN peer is referred to as Security Appliance 2.

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Enter the remote Peer IP Address (209.165.200.236) and a Tunnel Group Name (for example, "Cisco").

Step 2 Specify the type of authentication that you want to use by selecting one of the following authentication methods:

To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPSec negotiations between the adaptive security appliances.

Note For site-to-site connections with pre-shared key authentication such as this scenario, the tunnel group name must be the same as either the IP address of the peer or the peer hostname, whichever is used as the peer identity.

To use digital certificates for authentication, click the Certificate radio button, choose the certificate signing algorithm from the Certificate Signing Algorithm drop-down list, and then choose a preconfigured trustpoint name from the Trustpoint Name drop-down list.

If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the same ASDM screens.

Click the Challenge/Response Authentication radio button to use that method of authentication.

Step 3 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data integrity through secure VPN tunnels and ensure privacy; it also provides authentication to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.

In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.

Note When configuring Security Appliance 2, enter the same values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.

Step 2 Click Next to continue.

Configuring IPSec Encryption and Authentication Parameters

In Step 4 of the VPN Wizard, perform the following steps:

Step 1 Choose the encryption algorithm (DES/3DES/AES) from the Encryption drop-down list, and the authentication algorithm (MD5/SHA) from the Authentication drop-down list.

Step 2 Click Next to continue.

Specifying Hosts and Networks

Identify hosts and networks at the local site that are permitted to use this IPSec tunnel to communicate with hosts and networks on the other side of the tunnel. Specify hosts and networks that are permitted access to the tunnel by clicking Add or Delete. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.

In addition, identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to access local hosts and networks. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In this scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.

In Step 5 of the VPN Wizard, perform the following steps:

Note In this context, protection provides encryption to preserve data integrity between two hosts through a secure VPN tunnel. Information that is being sent from one host to another as plain text, without encryption through an unsecured connection, is considered unprotected data. Tampering may occur when you send unprotected data through unsecured connections.

Step 1 Enter the IP address of local networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.

Step 2 Enter the IP address of remote networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.

Note If a remote peer has a dynamic IP address, you can use the hostname as the peer IP address.

Step 3 Click Next to continue.

Viewing VPN Attributes and Completing the Wizard

In Step 6 of the VPN Wizard, review the configuration settings for the VPN tunnel that you just created. If you are satisfied with the configuration settings, click Finish to apply the changes to the adaptive security appliance.

Step 4 If you want to save the configuration changes to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.

Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.

If you do not save the configuration changes, the previous configuration takes effect the next time that the device starts.

This concludes the configuration process for Security Appliance 1.

Configuring the Other Side of the VPN Connection

You have just configured the local adaptive security appliance. Next, you need to configure the adaptive security appliance at the remote site.

At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the same procedure that you used to configure the local adaptive security appliance, starting with "Configuring the Security Appliance at the Local Site" section and finishing with "Viewing VPN Attributes and Completing the Wizard" section.

Note When configuring Security Appliance 2, use the same values for each of the options that you selected for Security Appliance 1, with the exception of local hosts and networks. Mismatches are a common cause of VPN configuration failures.

For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the Cisco Security Appliance Command Line Configuration Guide.

For specific troubleshooting issues, see the Troubleshooting Technotes at the following location:

http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html

For help troubleshooting configuration issues, see the Configuration Examples and TechNotes at the following location:

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

In particular, see the technotes for Site to Site VPN (L2L) with ASA in the Troubleshooting Technotes. The troubleshooting technotes walk you through using commands like the following to troubleshoot the Site-to-site VPN configuration:

show run isakmp

show run ipsec

show run tunnel-group

show run crypto map

debug crypto ipsec sa

debug crypto isakmp sa

See also the Cisco Security Appliance Command Reference for detailed information about each of these commands.

What to Do Next

If you are deploying the adaptive security appliance only in a site-to-site VPN environment, then you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This...
See...

Refine configuration and configure optional and advanced features

Cisco Security Appliance Command Line Configuration Guide

Learn about daily operations

Cisco Security Appliance Command Reference

Cisco Security Appliance Logging Configuration and System Log Messages


You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This...
See...

Configure the adaptive security appliance to protect a web server in a DMZ

Chapter 6, "Scenario: DMZ Configuration"

Configure a remote-access VPN

Chapter 7, "Scenario: IPSec Remote-Access VPN Configuration"