To set up a site-to-site VPN tunnel, launch the VPN Wizard. The VPN Wizard guides you through an easy to follow set of configuration steps that results in a properly configured VPN tunnel.
Figure 21-2 illustrates a VPN topology between two sites, Chicago and London. The inside interface of Cisco ASA in Chicago is directly connected to the 192.168.10.0/24 subnet, while there is another inside network, 192.168.20.0/24, behind Router1. The public interface's IP address is 188.8.131.52/27, and the default route sends all traffic to the next-hop router toward the Internet. The ASDM client with an IP address of 172.18.124.100 is connected to the mgmt interface of the security Cisco ASA, which has an IP address of 172.18.124.205.
Figure 21-2. Site-to-Site ASA Setup
Cisco ASA in London is set up in a similar way with two inside networks, 192.168.30.0/24 and 192.168.40.0/24. The public interface's IP address is 184.108.40.206/27.
Use the following configuration steps to set up Cisco ASA in Chicago for a site-to-site tunnel using the preshared keys for IKE authentication:
Launch the VPN Wizard by choosing Wizards > VPN Wizard, as shown in Figure 21-3.
Figure 21-3. Launching the VPN Wizard Through the Menu Bar
You can also launch the VPN Wizard by navigating to Configuration > Wizards > VPN.
ASDM launches the VPN Wizard with the option to choose a tunnel type. Click the Site-to-Site radio button, as shown in Figure 21-4.
Figure 21-4. Choosing the Site-to-Site Tunnel Type
Because the remote peer of the site-to-site VPN tunnel resides toward the outside interface of Cisco ASA, the Outside interface is chosen from the drop-down menu in the VPN Tunnel Interface field. Click Next to move to the Remote Site Peer window.
Specify the peer's identity.
Figure 21-5. Site-to-Site ASA Setup
As mentioned in Chapter 15, "Site-to-Site IPSec VPNs," Cisco ASA supports two authentication methods: preshared keys and RSA signatures (PKI). In this topology, preshared keys are used to authenticate the VPN peer. The administrator has chosen to use cisco123 as the preshared secret key for peer authentication. Click Next to move to the IKE Policy window.
Select the IKE policy.
Figure 21-6. Selecting the IKE Policy
It is recommended to use AES-256 as an encryption algorithm. However, AES is a new standard and is not supported by all VPN devices. Check with the remote VPN device administrator to confirm whether it supports this standard.
Set up the IPSec transform set.
Figure 21-7. Selecting the IPSec Transform Set
Identify local networks.
Figure 21-8. Selecting Networks from the List
Optionally, you may manually add an address in the IP Address field with the appropriate subnet mask. After you enter the IP address, click Add to move the address to the Selected Hosts/Networks pane, as illustrated in Figure 21-9. In this example, the administrator has added 192.168.10.0/24 and 192.168.20.0/24 as local networks.
Figure 21-9. Adding Selected Networks as the Local Proxy
Cisco ASA also allows you to specify the interface name or a tunnel group that identifies traffic. These options are hardly used in real-world site-to-site VPN deployments. Click Next to move to the next window.
Define remote networks.
Figure 21-10. Adding Selected Networks as the Remote Proxy
Verify the site-to-site configuration.
If the Preview Command Before Sending to the Device option is enabled on ASDM, the entire site-to-site configuration is displayed before being sent to the security Cisco ASA. If the configuration looks accurate, click Send to push it to Cisco ASA. Example 21-1 shows the site-to-site configuration generated by ASDM. ASDM does not add comments, but they are added here for ease of understanding.
Example 21-1. Complete Site-to-Site Configuration Sent by ASDM
!Access-list to bypass Address Translation access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0 !Access-list is linked to NAT 0 nat (inside) 0 access-list inside_nat0_outbound !IPSec transform-set for data encryption crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac !Access-list to define interesting traffic for the encryption process access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.30.0 255.255.255.0 access-list outside_cryptomap_20 extended permit ip 192.168.10.0 255.255.255.0 192.168.40.0 255.255.255.0 access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.30.0 255.255.255.0 access-list outside_cryptomap_20 extended permit ip 192.168.20.0 255.255.255.0 192.168.40.0 255.255.255.0 !Crypto map configuration crypto map outside_map 20 match address outside_cryptomap_20 crypto map outside_map 20 set peer 220.127.116.11 crypto map outside_map 20 set transform-set ESP-3DES-SHA !Crypto map is applied to the outside interface crypto map outside_map interface outside !ISAKMP Phase 1 policy isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash sha isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 !Tunnel-group configuration to set 18.104.22.168 as a site-to-site peer tunnel-group 22.214.171.124 type ipsec-l2l tunnel-group 126.96.36.199 ipsec-attributes pre-shared-key * !Sysopt to bypass packet filtration sysopt connection permit-ipsec
Part I: Product Overview
Introduction to Network Security
Part II: Firewall Solution
Initial Setup and System Maintenance
Network Access Control
Authentication, Authorization, and Accounting (AAA)
Failover and Redundancy
Quality of Service
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
Configuring and Troubleshooting Cisco IPS Software via CLI
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
Remote Access VPN
Public Key Infrastructure (PKI)
Part V: Adaptive Security Device Manager
Introduction to ASDM
Firewall Management Using ASDM
IPS Management Using ASDM
VPN Management Using ASDM