Site to Site VPN with a Cisco ASA 5505

Posted in computers on January 21st, 2010 by karrth

While this specifically refers to an ASA 5505, many Cisco devices use the same configuration syntax. I will be focusing on the lines specific to the VPN, but you can find the whole process on the Cisco website:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

Overview

Here is an example of the configuration lines needed for a site-to-site VPN:

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside
hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0
hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-tunnel-ipsec)# pre-shared-key 44kkaol59636jnfx
hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside

Next I will explain the config part by part, with links in case you’d like to actually learn the details.

ISAKMP Policy

hostname(config)# isakmp policy 1 authentication pre-share
hostname(config)# isakmp policy 1 encryption 3des
hostname(config)# isakmp policy 1 hash sha
hostname(config)# isakmp policy 1 group 2
hostname(config)# isakmp policy 1 lifetime 43200
hostname(config)# isakmp enable outside

These lines establish that:

  • It is policy number 1, which is evaluated first (lower numbers have higher priority)
  • Phase 1 authentication uses a pre-shared key, which we will define later in the tunnel group
  • The encryption will be 3DES (“triple DES”)
  • The hash used will be SHA-1
  • The Diffie-Hellman group will be Group 2 (1024-bit MODP)
  • The ISAKMP security association lifetime is 43200 seconds (12 hours), after which phase 1 is renegotiated
  • ISAKMP is enabled on the outside interface, where the peer's packets arrive

The key point here is that the two peers must share at least one ISAKMP policy in which the authentication method, encryption, hash and Diffie-Hellman group all match; otherwise phase 1 never completes and nothing else in this post matters. The lifetime does not have to match (the shorter value wins), and the policy number is local to each box. 3DES with group 2 is what Cisco's guide shows, but both are weak by current standards; if the far end supports it, prefer AES and a larger group. You can find all of the options on Cisco's website.

Transform Set

hostname(config)# crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac

This line creates a transform set named “FirstSet” that protects the tunnel's data (phase 2) with ESP, using 3DES for encryption and an MD5 HMAC for integrity. The peer must offer a transform set with the same algorithms, although its name is local and can differ. The transform set is negotiated separately from the ISAKMP policy, so using SHA for ISAKMP and MD5 for ESP, as this example does, is allowed; there is no reason to pick the weaker MD5 here, though, and esp-sha-hmac is the better choice. The available encryption and integrity algorithms are essentially the same as for ISAKMP, written with an esp- prefix. You can find all of the options on Cisco's website.
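As an added example (not from the original post or Cisco's guide), here is the same phase 1 policy and phase 2 transform set with the weak algorithms replaced: AES-256 instead of 3DES, an SHA-1 HMAC instead of MD5 in the transform set, and Diffie-Hellman group 5 (1536-bit) instead of group 2. The policy number 5, the set name StrongSet and the lifetimes are arbitrary choices; isakmp enable outside and the rest of the configuration stay as in the post, and the peer must be changed to match.

```cisco
! Added example: stronger phase 1 / phase 2 settings for the post's tunnel.
! Policy number 5, the name StrongSet and the lifetimes are arbitrary choices.
!
! Phase 1 (ISAKMP): pre-shared key, AES-256, SHA-1, DH group 5, 8-hour IKE SA
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
!
! Phase 2 (IPsec): ESP with AES-256 encryption and SHA-1 HMAC integrity
crypto ipsec transform-set StrongSet esp-aes-256 esp-sha-hmac
!
! Point the existing crypto map entry at the new set (replaces FirstSet)
crypto map abcmap 1 set transform-set StrongSet
!
! Optional: rekey phase 2 hourly instead of the default 8 hours / 4608000 KB
crypto map abcmap 1 set security-association lifetime seconds 3600
!
! Once the peer has been changed to match, delete the weak policy so the
! ASA cannot fall back to it:  no isakmp policy 1
```

The old policy 1 should be removed rather than left as a lower-priority fallback; a peer (or someone impersonating it) that only offers 3DES/group 2 would otherwise still be accepted.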

Access List

hostname(config)# access-list l2l_list extended permit ip 192.168.0.0 255.255.0.0 150.150.0.0 255.255.0.0

This access list does not decide who may reach your network; it is the list of “interesting traffic”, the flows the ASA will encrypt and send through the tunnel once the crypto map below references it (traffic that does not match is routed normally and sent in the clear). The list is named “l2l_list”, and it matches traffic from 192.168.0.0/16 (your side) to 150.150.0.0/16 (their side). The site you are establishing a VPN with must enter the mirror image, with the source and destination swapped; if the two lists do not mirror each other, phase 2 negotiation fails. If your ASA also translates addresses for Internet access, this same traffic must be exempted from NAT, otherwise the translated source addresses no longer match the list and never enter the tunnel. The peer's line, for example:

hostname2(config)# access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0

Tunnel Groups

hostname(config)# tunnel-group 10.10.4.108 type ipsec-l2l
hostname(config)# tunnel-group 10.10.4.108 ipsec-attributes
hostname(config-tunnel-ipsec)# pre-shared-key 44kkaol59636jnfx

Next we create the tunnel group, which is a container for the connection and security settings. For a LAN-to-LAN tunnel authenticated with a pre-shared key the group is named after the peer's outside IP address, 10.10.4.108 here, because that is how the ASA looks up the key when the peer connects. ipsec-l2l specifies a LAN-to-LAN tunnel; for a remote access connection you would type ipsec-ra. Your pre-shared key should be long and random, NOT what is shown here, identical on both ends, and exchanged with the other site's administrator over a channel you trust. Think of it as a password, and treat it as such. If you cannot think of a key, use a password generator. Note that show running-config displays the key as an asterisk, but anyone with enable access can still read it with more system:running-config, so protect configuration backups as well.

Crypto Maps

hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set transform-set FirstSet
hostname(config)# crypto map abcmap interface outside

Finally, we create the crypto map. Like the ISAKMP policy it has a name (“abcmap”) and a number, 1, which is the sequence number of this entry; one map can hold several entries (one per peer), evaluated in sequence order. The entry ties together the access list (which traffic to protect), the peer (where to send it; it must be the same IP as the tunnel-group name above, or the ASA will not find the pre-shared key) and the transform set (how to protect it). The last line applies the map to the outside interface. Only one crypto map can be bound to an interface, so further tunnels are added as additional sequence numbers in the same map, not as a second map.
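To tie the access list, tunnel group and crypto map sections together, here is the complete matching configuration for the other end of the tunnel (hostname2, whose outside address is the 10.10.4.108 peer used throughout the post). This is an added example, not part of the original post or Cisco's guide. It assumes the first site's outside address is 10.10.4.1 and that the inside interface on each ASA is named inside; both are assumptions, as is the NAT exemption line, which is only needed on a box that also translates addresses (the syntax shown is the pre-8.3 form). Replace the pre-shared key with your own.

```cisco
! Added example: the complete mirror configuration on the second ASA.
! Assumed: first site's outside address 10.10.4.1, inside interface "inside".
!
! Phase 1 must match the first site's policy (lifetime may differ)
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
!
! Phase 2: same algorithms as FirstSet; the name is local and need not match
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
!
! Interesting traffic: the mirror image of the first site's list
! (local 150.150.0.0/16 as source, remote 192.168.0.0/16 as destination)
access-list l2l_list extended permit ip 150.150.0.0 255.255.0.0 192.168.0.0 255.255.0.0
!
! Assumed: this ASA also NATs for Internet access, so exempt tunnel traffic.
! Without this the translated source addresses never match l2l_list.
nat (inside) 0 access-list l2l_list
!
! Tunnel group named after the FIRST site's outside address, same key
tunnel-group 10.10.4.1 type ipsec-l2l
tunnel-group 10.10.4.1 ipsec-attributes
 pre-shared-key 44kkaol59636jnfx
!
! Crypto map pointing back at the first site
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.4.1
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
!
! The first site needs the equivalent exemption for its own list if it NATs:
!   hostname(config)# nat (inside) 0 access-list l2l_list
```

Everything that is a local label (policy number, transform set name, access list name, crypto map name) may differ between the two boxes; everything that is negotiated (algorithms, group, key, and the two traffic selectors as mirror images) must agree.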

Conclusion

Make sure you write it to memory:

hostname(config)# write memory

If you mistype a command and need to remove it, simply type “no” before the command and re-enter it.  If you’d like to see all the specific options for any particular command, just type a question mark and your Cisco device should list them for you.  Such as:

hostname(config)# crypto map ?

The ASA only negotiates a tunnel when traffic matching the access list arrives, so nothing will show up until a host on one side sends something to the other. Once it has, you can view the current list of active VPNs with the following command:

hostname(config)# show vpn-sessiondb (remote|l2l|svc)

for remote access, LAN-to-LAN or SSL VPN connections accordingly. show crypto isakmp sa and show crypto ipsec sa show the phase 1 and phase 2 security associations in more detail and are the first place to look when a tunnel does not come up.
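As an added example (not from the post), here is the sequence a practitioner would use to bring the tunnel up and confirm each phase, using the post's addresses; the inside hosts 192.168.1.10 and 150.150.1.10 are made up.

```cisco
! Added example: trigger the tunnel and verify both phases. Addresses are the
! post's; the two inside hosts are made up.
!
! The ASA only negotiates when traffic matches l2l_list, so generate some.
! packet-tracer simulates an inside host pinging the far side and prints each
! step (ACL, NAT, VPN encrypt); the final result should be "Action: allow".
packet-tracer input inside icmp 192.168.1.10 8 0 150.150.1.10
!
! Phase 1: expect one entry for the peer with State MM_ACTIVE
show crypto isakmp sa
!
! Phase 2: check the local/remote ident lines match l2l_list, and that
! #pkts encaps and #pkts decaps both increase with traffic. encaps rising
! while decaps stays at 0 usually means the far side's list or NAT
! exemption is wrong, or the return path is blocked.
show crypto ipsec sa peer 10.10.4.108
!
! Session summary (the command the post mentions)
show vpn-sessiondb l2l
!
! If phase 1 never reaches MM_ACTIVE, watch the negotiation: policy
! mismatches and wrong pre-shared keys are reported here. Turn it off after.
debug crypto isakmp 7
undebug all
!
! After changing anything, tear the tunnel down to force a fresh negotiation
clear crypto ipsec sa peer 10.10.4.108
clear crypto isakmp sa
```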

Have fun!
