Cisco :: Configuring Site-to-Site VPNs on ASA Firewalls

In this video session, I cover how to configure L2L (LAN-to-LAN, i.e. site-to-site) IPsec VPNs on Cisco ASA firewalls.

I have included the presentation from the video along with the essential configuration used to create an L2L VPN between two ASAs (ASAv1 and ASAv2) across an ISP router. The tunnel uses IKEv1 with a pre-shared key; the key cisco, DH group 2 (1024-bit MODP) and SHA-1 are lab values and should not be carried into production.

Configuration Used

***ASAv1***

ASA Version 9.8(3) 
!
hostname ASAv1
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.168.100.1 255.255.255.252 
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.10.1 255.255.255.0 
!
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
! Interesting traffic for the tunnel: SITE1 <-> SITE2 (mirrored on ASAv2)
access-list crypto extended permit ip object SITE1 object SITE2

! Identity (twice) NAT so tunnel traffic is not translated before encryption;
! route-lookup keeps egress interface selection on the routing table
nat (INSIDE,OUTSIDE) source static SITE1 SITE1 destination static SITE2 SITE2 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 209.168.100.2 1

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.200.1 
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface OUTSIDE

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 84600

tunnel-group 209.168.200.1 type ipsec-l2l
tunnel-group 209.168.200.1 ipsec-attributes
 ikev1 pre-shared-key cisco
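
The crypto section above is what the lab uses; the following is an added example, not part of the original post, showing the same ASAv1 tunnel rebuilt on IKEv2 with current algorithms (AES-256-GCM, ECDH group 19, SHA-256 PRF, PFS) and a placeholder for a strong pre-shared key. Everything else (interfaces, the SITE1/SITE2 objects, the crypto ACL and the NAT exemption) stays exactly as above; ASAv2 mirrors this with peer and tunnel-group 209.168.100.1. The ACL name OUTSIDE_IN and the key placeholder are assumptions.

```cisco
! IKEv2 policy: AES-256-GCM is an AEAD cipher, so integrity is null and a
! PRF must be set explicitly. Group 19 (ECDH P-256) replaces group 2.
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE

! Child SA proposal, again AEAD (no separate ESP integrity algorithm)
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

! Same interesting-traffic ACL; PFS forces a fresh DH exchange on each
! IPsec rekey, and a shorter child SA lifetime limits exposure per key
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.200.1
crypto map cryptomap 10 set ikev2 ipsec-proposal AES-GCM-256
crypto map cryptomap 10 set pfs group19
crypto map cryptomap 10 set security-association lifetime seconds 3600
crypto map cryptomap interface OUTSIDE

! Peer authentication. <LONG-RANDOM-SECRET> is a placeholder: generate a
! long random value and configure the same key on both ASAs (IKEv2 allows
! the two directions to differ, but one shared key is the usual L2L case).
! Certificate authentication via a trustpoint is the stronger option.
tunnel-group 209.168.200.1 type ipsec-l2l
tunnel-group 209.168.200.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <LONG-RANDOM-SECRET>
 ikev2 local-authentication pre-shared-key <LONG-RANDOM-SECRET>

! By default, decrypted VPN traffic bypasses the OUTSIDE interface ACL.
! Disable that so SITE2 -> SITE1 flows are filtered by the access-group on
! OUTSIDE, then tighten OUTSIDE_IN to the ports SITE2 actually needs.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit ip object SITE2 object SITE1
access-group OUTSIDE_IN in interface OUTSIDE
```

Both peers must agree on the IKEv2 policy and IPsec proposal, so apply the mirrored version on ASAv2 before expecting the tunnel to form. The IKE lifetime here is 86400 seconds (24 hours); the lab config above uses 84600, which the ASA accepts but is not the usual one-day value.
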

***ISP ROUTER***
hostname ISP
!
interface GigabitEthernet0/0
 ip address 209.168.100.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 209.168.200.2 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
!
ip route 192.168.10.0 255.255.255.0 209.168.100.1
ip route 192.168.20.0 255.255.255.0 209.168.200.1

***ASAv2***

ASA Version 9.8(3) 
!
hostname ASAv2
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 209.168.200.1 255.255.255.252 
!
interface GigabitEthernet0/2
 nameif INSIDE
 security-level 100
 ip address 192.168.20.1 255.255.255.0 
!
object network SITE1
 subnet 192.168.10.0 255.255.255.0
object network SITE2
 subnet 192.168.20.0 255.255.255.0
access-list crypto extended permit ip object SITE2 object SITE1 

nat (INSIDE,OUTSIDE) source static SITE2 SITE2 destination static SITE1 SITE1 no-proxy-arp route-lookup
route OUTSIDE 0.0.0.0 0.0.0.0 209.168.200.2 1

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map cryptomap 10 match address crypto
crypto map cryptomap 10 set peer 209.168.100.1 
crypto map cryptomap 10 set ikev1 transform-set myset
crypto map cryptomap 10 set security-association lifetime seconds 84600
crypto map cryptomap interface OUTSIDE

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 84600

tunnel-group 209.168.100.1 type ipsec-l2l
tunnel-group 209.168.100.1 ipsec-attributes
 ikev1 pre-shared-key cisco
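
A crypto-map tunnel only negotiates when traffic matches the crypto ACL, so the quickest way to test the pair above is to generate a matching flow and then inspect the phase 1 and phase 2 SAs. The commands below are an added verification example run from ASAv1, not part of the original post; the hosts 192.168.10.10 and 192.168.20.10 are assumed to exist inside SITE1 and SITE2.

```cisco
! Drive a synthetic SITE1 -> SITE2 flow through the ASA's own pipeline
! (interface ACL, NAT exemption, VPN encrypt phase). The NAT phase must
! hit the twice-NAT rule and the final phase must report VPN encrypt/ALLOW;
! a DROP at the NAT or VPN phase means the ACL and NAT exemption disagree.
packet-tracer input INSIDE tcp 192.168.10.10 12345 192.168.20.10 80 detailed

! Phase 1: one IKEv1 SA to 209.168.200.1 in state MM_ACTIVE.
! MM_WAIT_MSG2 = no reply from the peer (routing, ISP filtering, IKE not
! enabled on its OUTSIDE); MM_WAIT_MSG6 / repeated retransmits = PSK or
! policy mismatch.
show crypto ikev1 sa

! Phase 2: the IPsec SA pair for local ident 192.168.10.0/24 and remote
! ident 192.168.20.0/24. #pkts encaps must rise for SITE1 -> SITE2 traffic
! and #pkts decaps for the return path; encaps without decaps means the
! remote side is dropping or not encrypting its half.
show crypto ipsec sa peer 209.168.200.1

! The NAT exemption counters (translate_hits / untranslate_hits) confirm
! tunnel traffic is bypassing dynamic NAT.
show nat detail

! Negotiation trace for the lab only; it is verbose and must be turned off.
debug crypto ikev1 127
debug crypto ipsec 127
undebug all
```

Run the same checks on ASAv2 with peer 209.168.100.1 and the source and destination hosts swapped; a tunnel that passes packet-tracer on one side but shows no SA on the other almost always points at a mismatched crypto ACL or pre-shared key.
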
