-
Cisco ASA 5500 Series Getting Started Guide, 8.2
-
Before You Begin
-
Maximizing Throughput on the ASA 5550
-
Installing the ASA 5550
-
Installing the ASA 5500, ASA 5510, ASA 5520, and ASA 5540
-
Installing Optional SSMs
-
Connecting Interface Cables on the ASA 5500, ASA 5510, ASA 5520, and ASA 5540 Platforms
-
Configuring the Adaptive Security Appliance
-
Scenario - DMZ Configuration
-
Scenario - IPsec Remote-Access VPN Configuration
-
Scenario - Configuring Connections for a Cisco AnyConnect VPN Client
-
Scenario: SSL VPN Clientless Connections
-
Scenario - Site-to-Site VPN Configuration
-
Configuring the AIP SSM
-
Configuring the CSC SSM
-
Configuring the 4GE SSM for Fiber
-
Obtaining a 3DES/AES License
-
Table Of Contents
Scenario: Site-to-Site VPN Configuration
Example Site-to-Site VPN Network Topology
Implementing the Site-to-Site Scenario
Configuring the Site-to-Site VPN
Configuring the Security Appliance at the Local Site
Providing Information About the Remote VPN Peer
Configuring IPsec Encryption and Authentication Parameters
Viewing VPN Attributes and Completing the Wizard
Configuring the Other Side of the VPN Connection
Scenario: Site-to-Site VPN Configuration
This chapter describes how to use the adaptive security appliance to create a site-to-site VPN.
Site-to-site VPN features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.
This chapter includes the following sections:
•
Example Site-to-Site VPN Network Topology
•
•
Example Site-to-Site VPN Network Topology
Figure 12-1 shows an example VPN tunnel between two adaptive security appliances.
Figure 12-1 Network Layout for Site-to-Site VPN Configuration Scenario
Creating a VPN site-to-site deployment such as the one in Figure 12-1 requires you to configure two adaptive security appliances, one on each side of the connection.
Implementing the Site-to-Site Scenario
This section describes how to configure the adaptive security appliance in a site-to-site VPN deployment, using example parameters from the remote-access scenario shown in Figure 12-1.
This section includes the following topics:
•
•
Information to Have Available
Before you begin the configuration procedure, obtain the following information:
•
•
•
Configuring the Site-to-Site VPN
This section describes how to use the ASDM VPN Wizard to configure the adaptive security appliance for a site-to-site VPN.
This section includes the following topics:
•
•
•
•
•
The following sections provide detailed instructions for how to perform each configuration step.
Configuring the Security Appliance at the Local Site
Note
To configure the Security Appliance 1, perform the following steps:
Step 1
In Step 1 of the VPN Wizard, perform the following steps:
a.
Note
b.
c.
Providing Information About the Remote VPN Peer
The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.
Note
In Step 2 of the VPN Wizard, perform the following steps:
Step 1
Step 2
•
Note
•
If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the standard ASDM screens.
•
Step 3
Configuring the IKE Policy
IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it also provides authentication to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.
In Step 3 of the VPN Wizard, perform the following steps:
Step 1
Note
Step 2
Configuring IPsec Encryption and Authentication Parameters
In Step 4 of the VPN Wizard, perform the following steps:
Step 1
Step 2
PFS is a cryptographic concept where each new key is unrelated to any previous key. In IPsec negotiations, Phase 2 keys are based on Phase 1 keys unless PFS is enabled. PFS uses Diffie-Hellman techniques to generate the keys.
Step 3
Specifying Hosts and Networks
Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with hosts and networks on the other side of the tunnel. Specify hosts and networks that are permitted access to the tunnel by clicking Add or Delete. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.
In addition, identify hosts and networks at the remote site to be allowed to use this IPsec tunnel to access local hosts and networks. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In this scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.
In Step 5 of the VPN Wizard, perform the following steps:
Step 1
Step 2
Step 3
Step 4
Viewing VPN Attributes and Completing the Wizard
In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created.
If you are satisfied with the configuration, click Finish to apply the changes to the adaptive security appliance.
If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save.
Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM.
If you do not save the configuration changes, the old configuration takes effect the next time the device starts.
This concludes the configuration process for Security Appliance 1.
Configuring the Other Side of the VPN Connection
You have just configured the local adaptive security appliance. Next, you need to configure the adaptive security appliance at the remote site.
At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the procedure you used to configure the local adaptive security appliance, starting with "Configuring the Security Appliance at the Local Site" section and finishing with "Viewing VPN Attributes and Completing the Wizard" section.
Note
For information about verifying or troubleshooting the configuration for the Site-to-Site VPN, see the section "Troubleshooting the Security Appliance" in the Cisco ASA 5500 Series Configuration Guide using the CLI.
For specific troubleshooting issues, see the Troubleshooting Technotes at the following location:
http://www.cisco.com/en/US/products/ps6120/prod_tech_notes_list.html
For help troubleshooting configuration issues, see the Configuration Examples and TechNotes at the following location:
http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html
In particular, see the technotes for Site to Site VPN (L2L) with ASA in the Troubleshooting Technotes. The troubleshooting technotes walk you through using commands like the following to troubleshoot the Site-to-site VPN configuration:
•
•
•
•
•
•
See also the Cisco ASA 5500 Series Command Reference for detailed information about each of these commands.
What to Do Next
If you are deploying the adaptive security appliance only in a site-to-site VPN environment, then you have completed the initial configuration. In addition, you may want to consider performing some of the following steps.
You can configure the adaptive security appliance for more than one application. The following sections provide configuration procedures for other common applications of the adaptive security appliance.
Configure a remote-access VPN
Chapter 9, "Scenario: IPsec Remote-Access VPN Configuration"
Configure a clientless (browser-based) SSL VPN
Configure an SSL VPN for the Cisco AnyConnect software client
Chapter 10, "Scenario: Configuring Connections for a Cisco AnyConnect VPN Client"
