09-25-2023 02:28 AM
Hello Cisco Community,
I'm currently facing some challenges in configuring a site-to-site VPN between two Cisco ASA firewalls, and I'm seeking guidance and expertise from the community.
Description:
I have two Cisco ASA firewalls (ASA 5500-X Series) and I need to establish a secure site-to-site VPN connection between them. The purpose is to securely connect two separate networks located in different physical locations. I've attempted to configure the VPN tunnel following the Cisco documentation, but I'm encountering issues and the VPN connection is not establishing successfully.
Here are some specific areas where I need assistance:
Initial configuration: What are the essential configuration settings required on both ASA firewalls to enable the site-to-site VPN functionality?
VPN parameters: How do I correctly define the encryption algorithms, authentication methods, and Diffie-Hellman group for the VPN tunnel?
Access control: How can I configure the necessary access control rules and firewall policies to permit traffic between the two networks?
Troubleshooting: What are the recommended troubleshooting steps and commands to identify and resolve any potential connectivity or configuration issues?
I have reviewed the Cisco documentation, but I'm still facing difficulties in getting the VPN connection up and running. I would greatly appreciate any guidance, step-by-step instructions, or sample configuration examples that can help me successfully configure the site-to-site VPN using Cisco ASA firewalls.
Thank you in advance for your valuable assistance!
09-25-2023 03:13 AM
Step 1:- Create Crypto Ikev1 Policy
------------------------------------------
In this step, we will configure the HAGLE information.
Hash, authentication, group, encryption must be the same on both sides.
ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 86400
ASA1(config-ikev1-policy)# encryption 3des
Step 2:- Create A Tunnel-Group To Specify A Pre-Shared Key For Peer
-----------------------------------------------------------------------
The pre-shared key should be the same on both sides.
To create a tunnel group, there are two steps:
Create tunnel-group
--------------------
ASA1(config)# tunnel-group 102.1.1.10 type ipsec-l2l
Specify pre-shared key in tunnel-group
---------------------------------------
ASA1(config)# tunnel-group 102.1.1.10 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key cisco
Step 3:- Create IPsec Transform-Set
-----------------------------------
ASA1(config)# crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
Step 4:- Define Interesting Traffic ACCESS-LIST
---------------------------------------------------
The traffic we want to secure via the VPN is the interesting traffic (192.168.1.1 and 192.168.2.1).
ASA1(config)# access-list VPN-ACL extended permit ip host 192.168.1.1 host 192.168.2.1
Step 5:- Create A Crypto Map
--------------------------------
It is used to create a particular list of VPN ACCESS-LIST, TRANSFORM-SET, and PEER IP.
ASA1(config)# crypto map CMAP 10 set peer 102.1.1.10
ASA1(config)# crypto map CMAP 10 set ikev1 transform-set TSET
ASA1(config)# crypto map CMAP 10 match address VPN-ACL
Step 6:- Enable IKEV1 And Apply Crypto Map On The Interface
-------------------------------------------------------------
ASA1(config)# crypto map CMAP interface outside
ASA1(config)# crypto ikev1 enable outside
Step 7:- Apply Same Steps For Branch 2 ASA Device
-----------------------------------------------------
IP addresses may not be the same as your requirement... you can change or replace them with the correct ones.
Best regards
******* If This Helps, Please Rate *******
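For the troubleshooting part of the question, here is a small cross-check I would run before touching `debug crypto`: it is added here and is not code from the thread or from Cisco. It parses two ASA configs laid out like the steps above and reports the mismatches that most often keep the tunnel down (HAGLE parameters, transform-set, a crypto ACL that is not the mirror image of the peer's), and separately flags deprecated algorithm choices. The two sample configs, the peer address 203.0.113.1 and the `group 5` mistake on ASA2 are constructed for the example.

```python
import re

# Constructed sample configs (not from the thread), laid out like the ASA1 steps in
# the answer; ASA2 carries a deliberate mistake (group 5) to exercise the check.
ASA1 = """\
crypto ikev1 policy 10
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 encryption 3des
tunnel-group 102.1.1.10 type ipsec-l2l
tunnel-group 102.1.1.10 ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ipsec ikev1 transform-set TSET esp-3des esp-sha-hmac
access-list VPN-ACL extended permit ip host 192.168.1.1 host 192.168.2.1
crypto map CMAP 10 set peer 102.1.1.10
"""
# ASA2: peer is ASA1's outside address (203.0.113.1, constructed), ACL mirrored, wrong DH group.
ASA2 = ASA1.replace("group 2", "group 5").replace("102.1.1.10", "203.0.113.1") \
    .replace("host 192.168.1.1 host 192.168.2.1", "host 192.168.2.1 host 192.168.1.1")

HAGLE = ("hash", "authentication", "group", "encryption")  # must match on both peers
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}

def ikev1_policy(cfg):
    """Parameters of the first 'crypto ikev1 policy' block, e.g. {'hash': 'sha', ...}."""
    block = re.search(r"crypto ikev1 policy \d+\n((?: .*\n)+)", cfg).group(1)
    return dict(line.split(None, 1) for line in block.splitlines())

def transform_set(cfg):
    """Algorithms of the IKEv1 transform-set, order-independent."""
    return frozenset(re.search(r"crypto ipsec ikev1 transform-set \S+ (.+)", cfg).group(1).split())

def acl_pairs(cfg):
    """(src, dst) host pairs of the interesting-traffic ACL."""
    return set(re.findall(r"access-list \S+ (?:extended )?permit ip host (\S+) host (\S+)", cfg))

def check_pair(cfg_a, cfg_b):
    """Mismatches between the two peers that stop phase 1 or phase 2 from completing."""
    pa, pb = ikev1_policy(cfg_a), ikev1_policy(cfg_b)
    findings = [f"ikev1 {k} mismatch: {pa.get(k)} vs {pb.get(k)}" for k in HAGLE if pa.get(k) != pb.get(k)]
    if transform_set(cfg_a) != transform_set(cfg_b):
        findings.append("transform-set mismatch")
    if acl_pairs(cfg_a) != {(d, s) for s, d in acl_pairs(cfg_b)}:  # peer's ACL must be the mirror image
        findings.append("crypto ACL is not the mirror image of the peer's")
    return findings

def weak_parameters(policy):
    """HAGLE values considered deprecated (DES/3DES, MD5/SHA-1, DH groups 1, 2 and 5)."""
    return [f"{k} {policy[k]}" for k in WEAK if policy.get(k) in WEAK[k]]
```

Running `check_pair(ASA1, ASA2)` reports only the DH group mismatch; with `group 5` corrected to `group 2` it returns an empty list, while `weak_parameters` still points out that the thread's 3DES/SHA-1/group 2 policy is deprecated.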