A VPN is used to create a secure connection over an insecure network such as the Internet. The Internet is an untrusted medium, so data that passes across it cannot be assumed to be confidential or unmodified. A VPN provides that protection by encrypting and authenticating the traffic between the two ends.
There is a wide variety of VPNs available nowadays. The VPN types supported by the appliance include:
- IPSec VPN
- SSL VPN (web VPN)
- PPTP (Point to Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)
What is a Site-to-Site VPN?
A site-to-site VPN allows offices in multiple fixed locations to
establish secure connections with each other over a public network such as
the Internet. Site-to-site VPN extends the company's network, making
computer resources from one location available to employees at other locations.
An example of a company that needs a site-to-site VPN is a growing corporation
with dozens of branch offices around the world.
For a site-to-site VPN the configuration has to be done at both ends (on both firewalls). The VPN configuration itself is a two-step process:
- IPSec Phase 1 configuration (ISAKMP policy, tunnel group and pre-shared key)
- IPSec Phase 2 configuration (crypto ACL, transform set and crypto map)
Configuration of IPSec Site-to-Site VPN
You can configure the same site-to-site VPN using the ASDM, but I prefer to use the CLI.
I hope you already know something about the ISAKMP process and the steps it takes to initiate a connection, so we are not going to discuss that in this scenario.
First we have to set IP addresses and routing on all of these devices. We will use OSPF for routing.
R2 Router
R2#conf t
R2(config)#interface e1/0
R2(config-if)#ip add 10.0.0.2 255.0.0.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#router ospf 1
R2(config-router)#network 10.0.0.0 0.255.255.255 area 0
R3 Router
R3#conf t
R3(config)#interface e1/0
R3(config-if)#ip add 30.0.0.2 255.0.0.0
R3(config-if)#no shut
R3(config-if)#exit
R3(config)#router ospf 1
R3(config-router)#network 30.0.0.0 0.255.255.255 area 1
Note that the IOS router ospf network statement takes a wildcard mask (0.255.255.255 for a /8), whereas the ASA's OSPF network statement below takes an ordinary subnet mask (255.0.0.0). With 255.0.0.0 typed as a wildcard on the routers, the e1/0 interfaces would never be matched and no adjacency would form.
ASA1
Asa#config t
Asa(config)#int e0/0
Asa(config-if)#ip add 10.0.0.1 255.0.0.0
Asa(config-if)#nameif inside
Asa(config-if)#no shut
Asa(config-if)#exit
Asa(config)#int e0/1
Asa(config-if)#ip add 20.0.0.1 255.0.0.0
Asa(config-if)#nameif outside
Asa(config-if)#no shut
Asa(config-if)#exit
Asa(config)#router ospf 1
Asa(config-router)#network 10.0.0.0 255.0.0.0 area 0
Asa(config-router)#network 20.0.0.0 255.0.0.0 area 1
Asa(config-router)#exit
Next we add an access list that permits ICMP and apply it inbound on the outside interface, so that ping requests and replies can pass through the appliance while we test the tunnel. (The final permit icmp any any entry already covers the specific ICMP types listed before it; they are kept here only for readability.)
Asa(config)#access-list INBOUND_ACL extended permit icmp any any echo
Asa(config)#access-list INBOUND_ACL extended permit icmp any any echo-reply
Asa(config)#access-list INBOUND_ACL extended permit icmp any any source-quench
Asa(config)#access-list INBOUND_ACL extended permit icmp any any time-exceeded
Asa(config)#access-list INBOUND_ACL extended permit icmp any any unreachable
Asa(config)#access-list INBOUND_ACL extended permit icmp any any
Asa(config)#access-group INBOUND_ACL in interface outside
Now we create the ISAKMP (phase 1) policy, the tunnel group with its pre-shared key, and then the phase 2 objects: the crypto ACL, the transform set and the crypto map.
Asa(config)#crypto isakmp policy 1
Asa(config-isakmp-policy)#authentication pre-share
Asa(config-isakmp-policy)#encryption aes-256
Asa(config-isakmp-policy)#hash sha
Asa(config-isakmp-policy)#group 2
Asa(config-isakmp-policy)#lifetime 86400
Asa(config-isakmp-policy)#exit
Asa(config)#tunnel-group 20.0.0.2 type ipsec-l2l
Asa(config)#tunnel-group 20.0.0.2 ipsec-attributes
Asa(config-tunnel-ipsec)#pre-shared-key cisco
Asa(config-tunnel-ipsec)#exit
Asa(config)#access-list encrypt_acl extended permit ip 10.0.0.0 255.0.0.0 30.0.0.0 255.0.0.0
Asa(config)#nat (inside) 0 access-list encrypt_acl
Asa(config)#crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
Asa(config)#crypto map IPSECMAP 10 match address encrypt_acl
Asa(config)#crypto map IPSECMAP 10 set peer 20.0.0.2
Asa(config)#crypto map IPSECMAP 10 set transform-set myset
Asa(config)#crypto map IPSECMAP interface outside
Asa(config)#crypto isakmp enable outside
The crypto ACL is written from this ASA's point of view: the source is its own inside network 10.0.0.0/8 and the destination is the remote network 30.0.0.0/8; the second ASA gets the mirror image. The same ACL is referenced by the nat (inside) 0 statement (NAT exemption), so the name has to match exactly in both places. The pre-shared key cisco is a lab value only; in production use a long random key and keep the phase 1 and phase 2 parameters identical on both peers.
The same configuration has to be done on the second ASA as well. Make sure you type the same pre-shared key and the same encryption and hash algorithms, and pay attention to the lifetime.
ASA2
Asa#config t
Asa(config)#int e0/1
Asa(config-if)#ip add 30.0.0.1 255.0.0.0
Asa(config-if)#nameif inside
Asa(config-if)#no shut
Asa(config-if)#exit
Asa(config)#int e0/0
Asa(config-if)#ip add 20.0.0.2 255.0.0.0
Asa(config-if)#nameif outside
Asa(config-if)#no shut
Asa(config-if)#exit
Asa(config)#router ospf 1
Asa(config-router)#network 30.0.0.0 255.0.0.0 area 1
Asa(config-router)#network 20.0.0.0 255.0.0.0 area 1
Asa(config-router)#exit
Asa(config)#access-list INBOUND_ACL extended permit icmp any any echo
Asa(config)#access-list INBOUND_ACL extended permit icmp any any echo-reply
Asa(config)#access-list INBOUND_ACL extended permit icmp any any source-quench
Asa(config)#access-list INBOUND_ACL extended permit icmp any any time-exceeded
Asa(config)#access-list INBOUND_ACL extended permit icmp any any unreachable
Asa(config)#access-list INBOUND_ACL extended permit icmp any any
Asa(config)#access-group INBOUND_ACL in interface outside
Asa(config)#crypto isakmp policy 1
Asa(config-isakmp-policy)#authentication pre-share
Asa(config-isakmp-policy)#encryption aes-256
Asa(config-isakmp-policy)#hash sha
Asa(config-isakmp-policy)#group 2
Asa(config-isakmp-policy)#lifetime 86400
Asa(config-isakmp-policy)#exit
Asa(config)#tunnel-group 20.0.0.1 type ipsec-l2l
Asa(config)#tunnel-group 20.0.0.1 ipsec-attributes
Asa(config-tunnel-ipsec)#pre-shared-key cisco
Asa(config-tunnel-ipsec)#exit
Asa(config)#access-list encrypt_acl extended permit ip 30.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
Asa(config)#nat (inside) 0 access-list encrypt_acl
Asa(config)#crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
Asa(config)#crypto map IPSECMAP 10 match address encrypt_acl
Asa(config)#crypto map IPSECMAP 10 set peer 20.0.0.1
Asa(config)#crypto map IPSECMAP 10 set transform-set myset
Asa(config)#crypto map IPSECMAP interface outside
Asa(config)#crypto isakmp enable outside
On this side the crypto ACL has its own inside network 30.0.0.0/8 as the source and 10.0.0.0/8 as the destination, the mirror image of ASA1, and the peer is ASA1's outside address 20.0.0.1.
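Because every value on the second ASA has to mirror the first (same phase 1 policy, same pre-shared key and transform set, a peer equal to the other side's outside address, a reversed crypto ACL, and a nat 0 statement that references an ACL which really exists), mistakes such as an encrypt-acl / encrypt_acl spelling difference or a crypto ACL written from the wrong side are easy to make and hard to spot in a debug. The following Python script is an added example, not code from the original post: it parses two reduced ASA config snippets (constructed here from the values above, with the CLI prompts stripped and block bodies indented the way show running-config prints them) and reports every such mismatch. The parser only understands the handful of commands used in this post; the sample text, the function names parse_asa and check_pair, and the message wording are all the example's own.

```python
import ipaddress

# Constructed sample: the post's two ASAs reduced to the lines the checker reads.
ASA_TEMPLATE = """\
interface e0/0
 ip address {0} 255.0.0.0
 nameif inside
interface e0/1
 ip address {1} 255.0.0.0
 nameif outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group {2} ipsec-attributes
 pre-shared-key cisco
access-list encrypt_acl extended permit ip {3} 255.0.0.0 {4} 255.0.0.0
nat (inside) 0 access-list encrypt_acl
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
crypto map IPSECMAP 10 match address encrypt_acl
crypto map IPSECMAP 10 set peer {2}
crypto map IPSECMAP 10 set transform-set myset
"""
# placeholders: inside ip, outside ip, peer, local network, remote network
ASA1 = ASA_TEMPLATE.format("10.0.0.1", "20.0.0.1", "20.0.0.2", "10.0.0.0", "30.0.0.0")
ASA2 = ASA_TEMPLATE.format("30.0.0.1", "20.0.0.2", "20.0.0.1", "30.0.0.0", "10.0.0.0")
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_asa(cfg: str) -> dict:
    """Collect the VPN-relevant objects of one ASA config into a dict."""
    c = {"if": {}, "policy": {}, "psk": {}, "acl": {}, "tset": {}, "map": {}, "nat0": None}
    ctx = None  # (kind, name) of the indented block currently open
    for raw in filter(str.strip, cfg.splitlines()):
        w = raw.split()
        if raw.startswith(" ") and ctx:  # body line of the open block
            kind, name = ctx
            if kind == "if" and (w[0] == "nameif" or w[:2] == ["ip", "address"]):
                c["if"][name][w[0]] = w[1] if w[0] == "nameif" else ipaddress.ip_interface("/".join(w[2:]))
            elif kind == "policy" and w[0] in POLICY_KEYS:
                c["policy"][w[0]] = w[1]
            elif kind == "tg" and w[0] == "pre-shared-key":
                c["psk"][name] = w[1]
            continue
        ctx = None
        if w[0] == "interface":
            ctx, c["if"][w[1]] = ("if", w[1]), {}
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", w[3])
        elif w[0] == "tunnel-group" and w[2] == "ipsec-attributes":
            ctx = ("tg", w[1])
        elif w[0] == "access-list":  # NAME extended permit PROTO SRC MASK DST MASK
            entries = c["acl"].setdefault(w[1], [])
            if len(w) == 9:
                entries.append((w[4], ipaddress.ip_network(f"{w[5]}/{w[6]}"),
                                ipaddress.ip_network(f"{w[7]}/{w[8]}")))
        elif w[:3] == ["nat", "(inside)", "0"]:
            c["nat0"] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tset"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            c["map"][" ".join(w[4:6])] = w[6]  # "match address", "set peer", ...
    return c


def _ip(c: dict, role: str) -> ipaddress.IPv4Interface:
    return next(i["ip"] for i in c["if"].values() if i.get("nameif") == role)


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Return every mismatch between the two ends; an empty list means consistent."""
    a, b, out = parse_asa(cfg_a), parse_asa(cfg_b), []
    for c, tag in ((a, "ASA1"), (b, "ASA2")):  # per box: referenced ACLs must exist
        acl = c["map"].get("match address")
        for what, name in (("crypto map ACL", acl), ("nat 0 ACL", c["nat0"])):
            if name not in c["acl"]:
                out.append(f"{tag}: {what} {name!r} is not defined")
        inside = _ip(c, "inside").network
        for _, src, _ in c["acl"].get(acl, []):  # selectors are written local -> remote
            if not src.subnet_of(inside):
                out.append(f"{tag}: crypto ACL source {src} is not the local inside net {inside}")
    for k in POLICY_KEYS:  # phase 1 parameters must agree
        if a["policy"].get(k) != b["policy"].get(k):
            out.append(f"isakmp {k} differs: {a['policy'].get(k)} vs {b['policy'].get(k)}")
    for x, y, tag in ((a, b, "ASA1"), (b, a, "ASA2")):  # peers must point at each other
        peer, far = x["map"].get("set peer"), str(_ip(y, "outside").ip)
        if peer != far:
            out.append(f"{tag}: peer {peer} is not the far side's outside address {far}")
    for what, pool, key in (("pre-shared keys", "psk", "set peer"),
                            ("transform sets", "tset", "set transform-set")):
        if a[pool].get(a["map"].get(key)) != b[pool].get(b["map"].get(key)):
            out.append(f"{what} differ between the two ends")
    # phase 2 selectors: every entry on one side must appear reversed on the other
    sel_a = {(p, s, d) for p, s, d in a["acl"].get(a["map"].get("match address"), [])}
    sel_b = {(p, d, s) for p, s, d in b["acl"].get(b["map"].get("match address"), [])}
    if sel_a != sel_b:
        out.append("crypto ACLs are not mirror images of each other")
    return out
```

Calling check_pair(ASA1, ASA2) on the two sample configs returns an empty list. Feeding it a copy of ASA2 whose nat 0 line says encrypt-acl instead of encrypt_acl yields a single "nat 0 ACL 'encrypt-acl' is not defined" finding, and a copy of ASA1 whose crypto ACL is written remote-to-local is reported both as a source that is not the local inside network and as a pair of ACLs that are not mirror images, which is exactly the kind of error a debug crypto isakmp trace makes hard to see.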
With these commands we have set up the VPN for IP traffic between the two sites.
If you want to test with ICMP, that traffic also has to be permitted through the VPN. For that, enter this command on each ASA:
Ciscoasa(config)#access-list encrypt_acl extended permit icmp any any
Note that the existing permit ip entry already matches ICMP between 10.0.0.0/8 and 30.0.0.0/8, and that any any makes every ICMP packet leaving the outside interface interesting traffic for the tunnel; limiting this entry to the two site networks is the safer choice.
To verify the VPN negotiation, use the command
Ciscoasa(config)#debug crypto isakmp 127
Once the tunnel is up, show crypto isakmp sa and show crypto ipsec sa display the phase 1 and phase 2 security associations.
After all of this configuration is in place, a ping from one router to the other matches the crypto ACL, triggers the ISAKMP negotiation and brings up the site-to-site VPN tunnel automatically.