Site-to-Site VPN Setup Using Preshared Keys

To set up a site-to-site VPN tunnel, launch the VPN Wizard. The VPN Wizard guides you through an easy to follow set of configuration steps that results in a properly configured VPN tunnel.

Figure 21-2 illustrates a VPN topology between two sites, Chicago and London. The inside interface of Cisco ASA in Chicago is directly connected to the subnet, while there is another inside network,, behind Router1. The public interface's IP address is, and the default route sends all traffic to the next-hop router toward the Internet. The ASDM client with an IP address of is connected to the mgmt interface of the security Cisco ASA, which has an IP address of

Figure 21-2. Site-to-Site ASA Setup

Cisco ASA in London is set up in a similar way with two inside networks, and The public interface's IP address is

Use the following configuration steps to set up Cisco ASA in Chicago for a site-to-site tunnel using the preshared keys for IKE authentication:

Step 1.

Launch the VPN Wizard by choosing Wizards > VPN Wizard, as shown in Figure 21-3.

Figure 21-3. Launching the VPN Wizard Through the Menu Bar

You can also launch the VPN Wizard by navigating to Configuration > Wizards > VPN.

ASDM launches the VPN Wizard with the option to choose a tunnel type. Click the Site-to-Site radio button, as shown in Figure 21-4.

Figure 21-4. Choosing the Site-to-Site Tunnel Type

Because the remote peer of the site-to-site VPN tunnel resides toward the outside interface of Cisco ASA, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move to the Remote Site Peer window.

Step 2.

Specify the peer's identity.

The VPN Wizard prompts you to specify peer information, such as its public IP address and ISAKMP authentication method. In the example, the public IP address of Cisco ASA in London is, as specified in the Peer IP Address field in Figure 21-5.

Figure 21-5. Site-to-Site ASA Setup

As mentioned in Chapter 15, "Site-to-Site IPSec VPNs," Cisco ASA supports two authentication methods: preshared keys and RSA signatures (PKI). In this topology, preshared keys are used to authenticate the VPN peer. The administrator has chosen to use cisco123 as the preshared secret key for peer authentication. Click Next to move to the IKE Policy window.

Step 3.

Select the IKE policy.

Cisco ASA allows you to choose the IKE parameters such as the encryption and authentication types and the Diffie-Hellman (DH) group. In Figure 21-6, the administrator has selected 3DES for encryption, SHA for authentication, and DH group 2 for key generation. Click Next to move to the IPSec Encryption and Authentication window.

Figure 21-6. Selecting the IKE Policy



It is recommended to use AES-256 as an encryption algorithm. However, AES is a new standard and is not supported by all VPN devices. Check with the remote VPN device administrator to confirm whether it supports this standard.

Step 4.

Set up the IPSec transform set.

Configuring the IPSec transform set is accomplished by selecting an encryption and authentication algorithm. In Figure 21-7, the administrator has chosen 3DES for encryption and SHA for hash authentication. Click Next to move to the Local Hosts and Networks window.

Figure 21-7. Selecting the IPSec Transform Set


Step 5.

Identify local networks.

Select the hosts/subnets or networks to be used as the local proxy during the IPSec negotiation. Cisco ASA recognizes all the local networks, if their routes are in the routing table. You can click the . . . button to see a list of the local networks, as shown in Figure 21-8.

Figure 21-8. Selecting Networks from the List

Optionally, you may manually add an address in the IP Address field with the appropriate subnet mask. After you enter the IP address, click Add to move the address to the Selected Hosts/Networks pane, as illustrated in Figure 21-9. In this example, the administrator has added and as local networks.

Figure 21-9. Adding Selected Networks as the Local Proxy

Cisco ASA also allows you to specify the interface name or a tunnel group that identifies traffic. These options are hardly used in real-world site-to-site VPN deployments. Click Next to move to the next window.

Step 6.

Define remote networks.

The Remote Hosts and Networks window allows you to identify the remote private network. This window looks very similar to the one in Step 5. In Figure 21-10, the administrator has identified two remote private networks: and Click Next.

Figure 21-10. Adding Selected Networks as the Remote Proxy


Step 7.

Verify the site-to-site configuration.

The last step in setting up a site-to-site VPN tunnel is to verify that all the parameters are accurate. If they look correct, click Finish to complete the VPN Wizard.

If the Preview Command Before Sending to the Device option is enabled on ASDM, the entire site-to-site configuration is displayed before being sent to the security Cisco ASA. If the configuration looks accurate, click Send to push it to Cisco ASA. Example 21-1 shows the site-to-site configuration generated by ASDM. ASDM does not add comments, but they are added here for ease of understanding.

Example 21-1. Complete Site-to-Site Configuration Sent by ASDM

!Access-list to bypass Address Translation

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip

access-list inside_nat0_outbound extended permit ip

!Access-list is linked to NAT 0

nat (inside) 0 access-list inside_nat0_outbound

!IPSec transform-set for data encryption

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!Access-list to define interesting traffic for the encryption process

access-list outside_cryptomap_20 extended permit ip

access-list outside_cryptomap_20 extended permit ip

access-list outside_cryptomap_20 extended permit ip

access-list outside_cryptomap_20 extended permit ip

!Crypto map configuration

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-3DES-SHA

!Crypto map is applied to the outside interface

crypto map outside_map interface outside

!ISAKMP Phase 1 policy

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

!Tunnel-group configuration to set as a site-to-site peer

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

 pre-shared-key *

!Sysopt to bypass packet filtration

sysopt connection permit-ipsec

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231 © 2008-2020.
If you may any questions please contact us: