Cisco ASA 5550 Getting Started Guide, Version 7.2 - Scenario: Site-to-Site VPN Configuration [Cisco ASA 5500 Series Adaptive Security Appliances]

Table Of Contents

Scenario: Site-to-Site VPN Configuration

Example Site-to-Site VPN Network Topology

Implementing the Site-to-Site Scenario

Information to Have Available

Configuring the Site-to-Site VPN

Starting ASDM

Configuring the Security Appliance at the Local Site

Providing Information About the Remote VPN Peer

Configuring the IKE Policy

Configuring IPsec Encryption and Authentication Parameters

Specifying Hosts and Networks

Viewing VPN Attributes and Completing the Wizard

Configuring the Other Side of the VPN Connection

What to Do Next

Scenario: Site-to-Site VPN Configuration

This chapter describes how to use the adaptive security appliance to create a site-to-site VPN.

Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.

This chapter includes the following sections:

•Example Site-to-Site VPN Network Topology

•Implementing the Site-to-Site Scenario

•Configuring the Other Side of the VPN Connection

•What to Do Next

Example Site-to-Site VPN Network Topology

Figure 8-1 shows an example VPN tunnel between two adaptive security appliances.

Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario

Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you to configure two adaptive security appliances, one on each side of the connection.

Implementing the Site-to-Site Scenario

This section describes how to configure the adaptive security appliance in a site-to-site VPN deployment, using example parameters from the remote-access scenario shown in Figure 8-1.

This section includes the following sections:

•Information to Have Available

•Configuring the Site-to-Site VPN

Information to Have Available

Before you begin the configuration procedure, gather the following information:

•IP address of the remote adaptive security appliance peer

•IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources on the remote site

•IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources

Configuring the Site-to-Site VPN

This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN.

This section includes the following topics:

•Starting ASDM

•Configuring the Security Appliance at the Local Site

•Providing Information About the Remote VPN Peer

•Configuring the IKE Policy

•Configuring IPsec Encryption and Authentication Parameters

•Specifying Hosts and Networks

•Viewing VPN Attributes and Completing the Wizard

The following sections provide detailed instructions for how to perform each configuration step.

Starting ASDM

To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note Remember to add the "s" in "https" or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the adaptive security appliance.

The Main ASDM window appears.

Configuring the Security Appliance at the Local Site

Note The adaptive security appliance at the first site is referred to as Security Appliance 1 from this point forward.

To configure the Security Appliance 1, perform the following steps:

Step 1 In the main ASDM window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.

In Step 1 of the VPN Wizard, perform the following steps:

a. Click the Site-to-Site VPN radio button.

Note The Site-to-Site VPN option connects two IPsec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity.

b. From the drop-down list, choose Outside as the enabled interface for the current VPN tunnel.

c. Click Next to continue.

Providing Information About the Remote VPN Peer

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

Note In this scenario, the remote VPN peer is referred to as Security Appliance 2 from this point forward.

In Step 2 of the VPN Wizard, perform the following steps:

Step 1 Enter the Peer IP Address (the IP address of Security Appliance 2, in this scenario 209.165.200.236) and a Tunnel Group Name (for example "Cisco").

Step 2 Specify the type of authentication that you want to use by performing one of the following steps:

•To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPsec negotiations between the adaptive security appliances.

Note When you configure Security Appliance 2 at the remote site, the VPN peer is Security Appliance 1. Be sure to enter the same preshared key (Cisco) that you use here.

•Click the Challenge/Response Authentication radio button to use that method of authentication.

•To use digital certificates for authentication, click the Certificate radio button, choose the Certificate Signing Algorithm from the drop-down list, and then choose a preconfigured trustpoint name from the drop-down list.

If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the standard ASDM screens.

Step 3 Click Next to continue.

Configuring the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.

In Step 3 of the VPN Wizard, perform the following steps:

Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.

Note When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.

Step 2 Click Next to continue.

Configuring IPsec Encryption and Authentication Parameters

In Step 4 of the VPN Wizard, perform the following steps:

Step 1 Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA) from the drop-down lists.

Step 2 Click Next to continue.

Specifying Hosts and Networks

Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with the remote-site peer. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.

In addition, identify hosts and networks at the remote site to be allowed to use this IPsec tunnel to access local hosts and networks. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In this scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.

In Step 5 of the VPN Wizard, perform the following steps:

Step 1 In the Source area, choose IP Address from the Type drop-down list.

Step 2 Enter the local IP address and netmask in the IP Address and Netmask fields.

Step 3 In the Destination area, choose IP Address from the Type drop-down list.

Step 4 Enter the IP address and Netmask for the remote host or network.

Step 5 Click Next to continue.

Viewing VPN Attributes and Completing the Wizard

In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.

If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.

Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.

If you do not save the configuration changes, the old configuration takes effect the next time the device starts.

This concludes the configuration process for Security Appliance 1.

Configuring the Other Side of the VPN Connection

You have just configured the local adaptive security appliance. Now you need to configure the adaptive security appliance at the remote site.

At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the procedure you used to configure the local adaptive security appliance, starting with the "Configuring the Security Appliance at the Local Site" section and finishing with the "Viewing VPN Attributes and Completing the Wizard" section.

Note When configuring Security Appliance 2, enter the exact same values for each of the options that you selected for Security Appliance 1. Mismatches are a common cause of VPN configuration failures.

For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the Cisco Security Appliance Command Line Configuration Guide.

For specific troubleshooting issues, see the Troubleshooting Technotes at the following location:

http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html

For help troubleshooting configuration issues, see the Configuration Examples and TechNotes at the following location:

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

In particular, see the technotes for Site to Site VPN (L2L) with ASA in the Troubleshooting Technotes. The troubleshooting technotes walk you through using commands like the following to troubleshoot the Site-to-site VPN configuration:

•show run isakmp

•show run ipsec

•show run tunnel-group

•show run crypto map

•debug crypto ipsec sa

•debug crypto isakmp sa

See also the Cisco Security Appliance Command Reference for detailed information about each of these commands.

What to Do Next

If you are deploying the adaptive security appliance solely in a site-to-site VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This ...

See ...

Refine configuration and configure optional and advanced features

Cisco Security Appliance Command Line Configuration Guide

Learn about daily operations

Cisco Security Appliance Command Reference

Cisco Security Appliance Logging Configuration and System Log Messages

You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.

To Do This ...

See ...

Configure the adaptive security appliance to protect a web server in a DMZ

Chapter 6, "Scenario: DMZ Configuration"

Configure a remote-access VPN

Chapter 7, "Scenario: Remote-Access VPN Configuration"