Setting up a Site-to-Site VPN between Cisco ASAs Using the CLI

What is a site to site VPN used for?

Site-to-site VPN tunnels are static tunnels set up between two network devices over the internet, so that multiple locations behind different firewalls can access the same internal resources over a secure tunnel.

How is it different from Remote Access VPN?

Remote access VPN is primarily used for remote workers to access internal resources from outside the network. This type of VPN involves a software client on the user’s PC that contacts the security gateway (ASA) or other device and dynamically establishes a secure tunnel between the gateway and the client, so that traffic leaving the user’s PC is tunneled through the VPN set up by the client.

Network setup:

In our example we have two Cisco ASA firewalls running 8.3(x) code or below. There are slight command differences in newer code versions, so for the purposes of this post we’ll cover the steps used in this code version and earlier. The firewalls are labeled Site1 and Site2 respectively. See diagram below.

[Diagram: site to site]

The creation of a Site-to-Site tunnel can be broken into the 5 steps below.

In addition to these steps, if you don’t already have a VPN set up on your firewall, you need to verify that IKE is enabled on your outside interface by issuing ‘show run crypto’ and checking that ‘crypto isakmp enable outside’ appears in your config.

  1. Identify interesting traffic, create NAT exemptions, enable IKE on outside interface
  2. Create Tunnel Groups
  3. Create crypto policy for IKE PHASE 1
  4. Create transform set for IPSEC tunnel
  5. Create crypto map to tie it all together; apply to outside interface

Step 1:

Identifying Interesting traffic, and creating nat exemption rules for tunneled traffic

The first step in creating a site-to-site tunnel is to identify the src and dst traffic on the Site1 firewall that you want to traverse the VPN tunnel you’re about to create.

This is known as ‘interesting traffic’ and is identified with the use of an access-list.

access-list Site2_Bound line 1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

This access list defines the ‘interesting traffic’ that you want to traverse the VPN tunnel. There is one more thing to take into consideration at this point. In most cases a firewall serves as a NAT device for outgoing traffic, but in the case of a site-to-site tunnel you do not want your private addresses to be translated when traffic exits through the tunnel. This allows Site2 to access a device by the same address that a device behind Site1’s firewall would use.

In order to do this you have to ensure the address ranges from Site1 are excluded from NAT with a ‘nonat’ access-list that is applied in your NAT configuration on your firewall.

access-list nonat1 extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0

This access list is applied using the command below.

nat (inside) 0 access-list nonat1

Note: If you already have an existing ‘nonat’ access-list set up and applied for other purposes in your config, you would simply add the ‘nonat1’ access-list entries to the existing ACL that’s already applied.

Step 2:

Creating the tunnel group

The tunnel group configures the type of tunnel, ipsec-l2l (site-to-site), and the IP address of the Site2 ASA’s outside interface that you wish to peer with. It also configures the keepalive settings and the pre-shared secret, which has to be the same on both devices in order for the tunnel to come up.

Create tunnel group for the new site-to-site tunnel.

tunnel-group 172.16.10.1 type ipsec-l2l
tunnel-group 172.16.10.1 ipsec-attributes
     pre-shared-key SuperS3cr3t!
     isakmp keepalive threshold 10 retry 2

Step 3:

Creating a crypto policy for IKE

This step configures a crypto policy for IKE that sets the PHASE 1 settings that dictate how the IKE tunnel is set up. This policy sets the authentication type to pre-shared keys between the two endpoints, uses 3DES encryption and SHA hashing, and uses Diffie-Hellman group 2 for key exchange with a lifetime of 86400 seconds, or 24 hours.

Note: If you have multiple IKE crypto policies in place, the lower the policy number the more preferred it is. You could have a policy with the sequence number of 20 for example with different settings and that would be of lower priority to this policy ’10’ below.

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Step 4:

Create the transform set for the IPSEC tunnel (PHASE 2)

This step sets the parameters for the IPSEC tunnel creation once the PHASE 1 tunnel is completed. A VPN tunnel is actually 2 separate tunnels: an IKE PHASE 1 tunnel that is set up first and creates a secure pipe to the other endpoint, and a PHASE 2 IPSEC tunnel that transfers the actual payload across to the other endpoint.

This command specifies that 3DES be used for encryption and SHA for hashing for traffic traversing the IPSEC tunnel.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Step 5:

Creating and applying a crypto map

The final step ties all of the previous commands you entered together into a crypto map that is applied to the outside interface of the firewall. You can only have 1 crypto map applied to your outside interface at a time, so if you already have an existing crypto map in place and applied you will have to use the same crypto map name. To add a new entry to an existing crypto map you just change the sequence number in the map so it’s unique.

Below are the commands for entering a crypto map:

crypto map Map1 15 match address Site2_Bound
crypto map Map1 15 set pfs group2
crypto map Map1 15 set peer 172.16.10.1
crypto map Map1 15 set transform-set ESP-3DES-SHA

The final command ensures that the crypto map you created/modified is applied to your outside interface:

crypto map Map1 interface outside

These steps complete the configuration required on the Site1 ASA. Now you create a mirror image of these commands for the Site2 ASA by changing the access-list and peering IP address, and enter that config on the Site2 ASA.
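
The mirror-image requirement can be checked before the tunnel is brought up. The script below is an added example, not part of the original post: it compares the two configs and reports where Site2 is not a mirror of Site1 (the IKE lifetime is not compared). The Site2 config and the Site1 outside address 172.16.20.1 are assumptions made for the example.

```python
import re

# Site1 follows the commands in this post (running-config form). Site2 is constructed;
# 172.16.20.1 is an assumed Site1 outside address, since the post does not give one.
SITE1 = """\
access-list Site2_Bound extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
tunnel-group 172.16.10.1 ipsec-attributes
 pre-shared-key SuperS3cr3t!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map Map1 15 match address Site2_Bound
crypto map Map1 15 set pfs group2
crypto map Map1 15 set peer 172.16.10.1
crypto map Map1 15 set transform-set ESP-3DES-SHA
"""
SITE2 = (SITE1.replace("Site2_Bound", "Site1_Bound")
         .replace("192.168.1.0 255.255.255.0 10.10.1.0", "10.10.1.0 255.255.255.0 192.168.1.0")
         .replace("172.16.10.1", "172.16.20.1"))

def parse(cfg):
    """Extract the settings both peers must agree on (assumes one tunnel, one IKE policy)."""
    find = lambda pattern: re.search(pattern, cfg).group(1)
    name = re.escape(find(r"match address (\S+)"))
    acl = re.search(rf"access-list {name} .*permit ip (\S+ \S+) (\S+ \S+)", cfg)
    return {
        "local": acl.group(1), "remote": acl.group(2),
        "peer": find(r"set peer (\S+)"),
        "psk": find(r"pre-shared-key (\S+)"),
        "phase1": sorted(re.findall(r"^ (?:authentication|encryption|hash|group) .*$", cfg, re.M)),
        "pfs": find(r"set pfs (\S+)"),
        "transforms": find(r"transform-set \S+ (esp-.*)"),
    }

def mirror_mismatches(cfg_a, cfg_b, a_outside, b_outside):
    """Return a list of the ways cfg_b fails to be a mirror image of cfg_a."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        problems.append("crypto ACLs are not mirror images")
    if a["peer"] != b_outside or b["peer"] != a_outside:
        problems.append("peer address does not point at the other ASA")
    keys = ("psk", "phase1", "pfs", "transforms")
    return problems + [f"{k} differs between sites" for k in keys if a[k] != b[k]]
```

An empty list means the two sides agree. ‘show run’ masks the pre-shared key with asterisks, so the key comparison is only meaningful on configs where the key is visible.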

A couple of helpful commands to issue after you’ve completed the config on both ASAs are below. They help you verify that the IKE phase 1 tunnel and the IPSEC phase 2 tunnel are both up and passing traffic. They show the IKE and IPSEC security associations, or tunnels, that are up.

show crypto isakmp sa

show crypto ipsec sa

Using site-to-site tunnels can be very helpful in extending a network across a large geographic region in situations where a leased line or direct connection may not be feasible. Site-to-site tunnels are not limited to Cisco devices; they are supported by a variety of firewall vendors, and the feature is even available on some routers. Hopefully, you now have enough information to get started setting this up on your own.
