Table Of Contents
Scenario: Site-to-Site VPN Configuration
Example Site-to-Site VPN Network Topology
Implementing the Site-to-Site Scenario
Information to Have Available
Configuring the Site-to-Site VPN
Starting ASDM
Configuring the Security Appliance at the Local Site
Providing Information About the Remote VPN Peer
Configuring the IKE Policy
Configuring IPsec Encryption and Authentication Parameters
Specifying Hosts and Networks
Viewing VPN Attributes and Completing the Wizard
Configuring the Other Side of the VPN Connection
What to Do Next
Scenario: Site-to-Site VPN Configuration
This chapter describes how to use the adaptive security appliance to create a site-to-site VPN.
Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.
This chapter includes the following sections:
• Example Site-to-Site VPN Network Topology
• Implementing the Site-to-Site Scenario
• Configuring the Other Side of the VPN Connection
• What to Do Next
Example Site-to-Site VPN Network Topology
Figure 10-1 shows an example VPN tunnel between two adaptive security appliances.
Figure 10-1 Network Layout for Site-to-Site VPN Configuration Scenario
Creating a VPN site-to-site deployment such as the one in Figure 10-1 requires you to configure two adaptive security appliances, one on each side of the connection.
Implementing the Site-to-Site Scenario
This section describes how to configure the adaptive security appliance in a site-to-site VPN deployment, using example parameters from the site-to-site scenario shown in Figure 10-1.
This section includes the following topics:
• Information to Have Available
• Configuring the Site-to-Site VPN
Information to Have Available
Before you begin the configuration procedure, obtain the following information:
• IP address of the remote adaptive security appliance peer
• IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources at the remote site
• IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources
Configuring the Site-to-Site VPN
This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN.
This section includes the following topics:
• Starting ASDM
• Configuring the Security Appliance at the Local Site
• Providing Information About the Remote VPN Peer
• Configuring the IKE Policy
• Configuring IPsec Encryption and Authentication Parameters
• Specifying Hosts and Networks
• Viewing VPN Attributes and Completing the Wizard
The following sections provide detailed instructions for how to perform each configuration step.
Starting ASDM
This section describes how to start ASDM using the ASDM Launcher software. If you have not installed the ASDM Launcher software, see Installing the ASDM Launcher, page 5-5.
If you prefer to access ASDM directly with a web browser or using Java Web Start, see Starting ASDM with a Web Browser, page 5-8.
To start ASDM using the ASDM Launcher software, perform the following steps:
Step 1
From your desktop, double-click the Cisco ASDM-IDM Launcher icon.
The Cisco ASDM-IDM Launcher dialog box appears.
Step 2
Enter the IP address or the hostname of your adaptive security appliance.
Step 3
Leave the Username and Password fields blank.
Note
By default, there is no Username and Password set for the Cisco ASDM Launcher.
Step 4
Click OK.
Step 5
If you receive a security warning containing a request to accept a certificate, click Yes.
The adaptive security appliance checks to see if there is updated software and if so, downloads it automatically.
The ASDM main window appears.
Configuring the Security Appliance at the Local Site
Note
In this scenario, the adaptive security appliance at the local site (Site A) is referred to as Security Appliance 1.
To configure Security Appliance 1, perform the following steps:
Step 1
In the ASDM main window, choose the IPsec VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.
In Step 1 of the VPN Wizard, perform the following steps:
a.
In the VPN Tunnel Type area, click the Site-to-Site radio button.
Note
The Site-to-Site VPN option connects two IPsec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity.
b.
From the VPN Tunnel Interface drop-down list, choose Outside as the enabled interface for the current VPN tunnel.
c.
Click Next to continue.
Providing Information About the Remote VPN Peer
The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.
Note
In this scenario, the VPN peer at the remote site (Site B) is referred to as Security Appliance 2.
In Step 2 of the VPN Wizard, perform the following steps:
Step 1
Enter the remote VPN peer IP address (209.165.200.236) and a tunnel group name.
Step 2
Specify the type of authentication that you want to use by selecting one of the following authentication methods:
• To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, "Cisco"). This key is used for IPsec negotiations between the adaptive security appliances.
• To use digital certificates for authentication, click the Certificate radio button, choose the certificate signing algorithm from the Certificate Signing Algorithm drop-down list, and then choose a preconfigured trustpoint name from the Trustpoint Name drop-down list.
If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by choosing one of the other two options. You can revise the authentication configuration later using the same ASDM panes.
• To use the CRACK method of authentication, click the Challenge/Response Authentication radio button.
Step 3
In the Tunnel Group Name field, enter the IP address of the peer or peer hostname.
Note
For site-to-site connections with pre-shared key authentication such as this scenario, the tunnel group name must be the same as either the IP address of the peer or the peer hostname, whichever is used as the peer identity.
Step 4
Click Next to continue.
Configuring the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data integrity through secure VPN tunnels and ensure privacy; it also provides authentication to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.
In Step 3 of the VPN Wizard, perform the following steps:
Step 1
Choose the encryption algorithm (DES/3DES/AES), the authentication algorithm (MD5/SHA), and the Diffie-Hellman group (1/2/5) that the adaptive security appliance uses when negotiating the IKE security association.
Note
When configuring Security Appliance 2, enter the same values for each of the options that you chose for Security Appliance 1, with the exception of local hosts and networks. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the configuration process.
Step 2
Click Next to continue.
Configuring IPsec Encryption and Authentication Parameters
In Step 4 of the VPN Wizard, perform the following steps:
Step 1
Choose the encryption algorithm (DES/3DES/AES) from the Encryption drop-down list, and the authentication algorithm (MD5/SHA) from the Authentication drop-down list.
Step 2
Click Next to continue.
Specifying Hosts and Networks
Identify the hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with hosts and networks on the other side of the tunnel. Add or remove entries by clicking Add or Delete. In this scenario, traffic from Site A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.
In addition, identify the hosts and networks at the remote site that are allowed to use this IPsec tunnel to access local hosts and networks. Add or remove entries by clicking Add or Delete. In this scenario, for Security Appliance 1, the remote network is Site B (10.20.20.0), so encrypted traffic from that network is permitted through the tunnel.
In Step 5 of the VPN Wizard, perform the following steps:
Note
In this context, protecting a network means encrypting its traffic so that data integrity is preserved between hosts across the secure VPN tunnel. Data sent from one host to another as plain text over an unsecured connection is unprotected data, and unprotected data can be tampered with in transit.
Step 1
Enter the IP address of local networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.
Step 2
Enter the IP address of remote networks to be protected or not protected, or click the ellipsis (...) button to select from a list of hosts and networks.
Note
If a remote peer has a dynamic IP address, you can use the hostname as the peer IP address.
Step 3
If you are not using NAT or PAT, check the Exempt ASA side host network from address translation check box and choose the inside interface from the drop-down list.
Step 4
Click Next to continue.
Viewing VPN Attributes and Completing the Wizard
In Step 6 of the VPN Wizard, perform the following steps:
Step 1
Review the configuration summary for the site-to-site VPN tunnel that you have just created.
Step 2
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
Step 3
Choose one of the following:
• If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.
• Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
• If you do not save the configuration changes, the previous configuration takes effect the next time that the device starts.
This concludes the configuration process for Security Appliance 1.
Configuring the Other Side of the VPN Connection
You have just configured the local adaptive security appliance. Next, you need to configure the adaptive security appliance at the remote site.
At the remote site, configure the second adaptive security appliance (Security Appliance 2) to serve as the remote VPN peer. Use the same procedure that you used to configure the local adaptive security appliance, starting with the "Configuring the Security Appliance at the Local Site" section and finishing with the "Viewing VPN Attributes and Completing the Wizard" section.
Note
When configuring Security Appliance 2, use the same values for each of the options that you selected for Security Appliance 1, with the exception of local hosts and networks. Mismatches are a common cause of VPN configuration failures.
For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the Cisco Security Appliance Command Line Configuration Guide.
For specific troubleshooting issues, see the Troubleshooting Technotes at the following location:
http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html
For help troubleshooting configuration issues, see the Configuration Examples and TechNotes at the following location:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
In particular, see the technotes for Site to Site VPN (L2L) with ASA in the Troubleshooting Technotes. The troubleshooting technotes walk you through using commands like the following to troubleshoot the Site-to-Site VPN configuration:
• show run isakmp
• show run ipsec
• show run tunnel-group
• show run crypto map
• debug crypto ipsec sa
• debug crypto isakmp sa
See also the Cisco Security Appliance Command Reference for detailed information about each of these commands.
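The notes above warn that parameter mismatches between Security Appliance 1 and Security Appliance 2 are a common cause of tunnel failures, and the show run commands just listed are where those parameters are visible. The following added example (not part of the Cisco guide) compares constructed show run excerpts from both peers and reports IKE, transform-set, peer-address and tunnel-group-name disagreements; the 209.165.200.226 address for Security Appliance 1 is an assumption, and the parser assumes a single ISAKMP policy per appliance.

```python
import re
# Constructed "show run" excerpts (isakmp, ipsec, crypto map and tunnel-group lines
# concatenated) for the two peers; not captured from a real appliance. 209.165.200.236
# is Security Appliance 2 from the scenario; 209.165.200.226 is assumed. SA2 uses md5.
SA1 = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer 209.165.200.236
tunnel-group 209.165.200.236 type ipsec-l2l
"""
SA2 = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 20 set peer 209.165.200.226
tunnel-group 209.165.200.226 type ipsec-l2l
"""

def parse(cfg):
    """Extract the settings that must agree on both ends (assumes one ISAKMP policy)."""
    ike = dict(re.findall(r"^[ \t]+(authentication|encryption|hash|group)[ \t]+(\S+)", cfg, re.M))
    esp = re.findall(r"^crypto ipsec transform-set \S+ (\S+) (\S+)", cfg, re.M)
    peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)", cfg, re.M)
    l2l = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M))
    return {"ike": ike, "esp": esp[0] if esp else None,
            "peer": peer.group(1) if peer else None, "l2l": l2l}

def check_pair(local_cfg, remote_cfg, local_ip, remote_ip):
    """Return mismatch descriptions; an empty list means the two sides agree."""
    a, b = parse(local_cfg), parse(remote_cfg)
    findings = []
    for key in ("authentication", "encryption", "hash", "group"):
        if a["ike"].get(key) != b["ike"].get(key):
            findings.append(f"IKE {key}: {a['ike'].get(key)} vs {b['ike'].get(key)}")
    if a["esp"] != b["esp"]:
        findings.append(f"IPsec transform-set: {a['esp']} vs {b['esp']}")
    # Each crypto map must point at the other appliance; with pre-shared keys the
    # ipsec-l2l tunnel-group name must equal that peer address (Step 3 of the wizard).
    for side, cfg, want in (("local", a, remote_ip), ("remote", b, local_ip)):
        if cfg["peer"] != want:
            findings.append(f"{side} crypto map peer {cfg['peer']} != {want}")
        if want not in cfg["l2l"]:
            findings.append(f"{side} side has no ipsec-l2l tunnel-group named {want}")
    return findings
```

Calling check_pair(SA1, SA2, "209.165.200.226", "209.165.200.236") on the constructed excerpts reports the IKE hash mismatch; feeding it real show run output from both appliances applies the same checks.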
What to Do Next
If you are deploying the adaptive security appliance only in a site-to-site VPN environment, then you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:
To Do This... | See...
--- | ---
Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide
Learn about daily operations | Cisco Security Appliance Command Reference; Cisco Security Appliance System Log Messages Guide
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.