Site-to-Site VPN: IPSEC Tunnel Between an ASA and a Cisco IOS Router
Today I am going to talk about the configuration of a site-to-site IPsec tunnel between a Cisco ASA and a Cisco IOS-based router. I am writing this article because some of you have asked how it works and what the configuration looks like on the ASA (Cisco Adaptive Security Appliance) and on the Cisco IOS-based router.
The topology and the IP addresses used in this example are made up for illustration; they do not belong to any enterprise network or to any service provider.
For this example we use a Cisco 1900 Series router and a Cisco ASA 5512-X running software version 9.4. We will configure the ASA first and then the Cisco 1900 router. Below is the sample topology for reference, showing the ASA and the Cisco router.
Fig 1.1 - Site to Site VPN
In the topology above, the ASA is on the left and the router is on the right. The users sit behind the router and behind the ASA respectively, with the Internet as the medium between the two sites. We have to configure a tunnel between the ASA and the router, and it should be IPsec, as one of the most secure ways to carry traffic across the Internet.
Let's start with the configuration on the ASA device.
Configuration ASA
!
! Configure the IP address on interface GigabitEthernet0/0 (outside)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
! Configure the IP address on interface GigabitEthernet0/1 (inside)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! Configure the ACL for the VPN traffic of interest
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0
!
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
!
! Configure NAT exemption (identity NAT) so that VPN traffic is not translated
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
!
! Enable IKEv1 on the outside interface and define the IKEv1 (Phase 1) policy;
! it must match the ISAKMP policy on the router (AES, SHA, pre-shared key, DH group 2)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
!
! Configure the IKEv1 transform set (Phase 2)
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Configure a crypto map and apply it to an interface
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!
! Tunnel group for the router peer; the pre-shared key must be the same as on the router
tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
Let's now configure the Cisco 1900 router to bring the site-to-site tunnel up.
Configuration on Cisco Router
!
! ISAKMP (Phase 1) policy; it must match the IKEv1 policy on the ASA
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Pre-shared key for the ASA peer
crypto isakmp key cisco123 address 172.16.1.1
!
! IPsec transform set (Phase 2), identical to the one on the ASA
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto map: peer, transform set and interesting-traffic ACL
crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-AES-SHA
 match address 110
!
! Outside interface, with the crypto map applied
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
! Inside interface
interface GigabitEthernet0/1
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! PAT for Internet-bound traffic, via a route-map that exempts the VPN traffic
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
route-map nonat permit 10
 match ip address 111
!
! ACL 110: interesting traffic (the mirror image of the ASA's asa-router-vpn ACL)
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
! ACL 111: NAT exemption; the deny entry keeps VPN traffic out of the translation
access-list 111 remark NAT exemption access-list
access-list 111 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 10.20.10.0 0.0.0.255 any
!
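Before the tunnel comes up, the two configurations above have to agree on several things: the Phase 1 (IKE) policy, the Phase 2 transform set, the crypto ACLs (the router's ACL 110 must be the exact mirror image of the ASA's asa-router-vpn ACL, because these become the proxy IDs negotiated in Phase 2), and the pre-shared key bound to the right peer address. The script below is an added example, not code from the original article or from Cisco: it parses the crypto-relevant lines of both configurations (reproduced inline as constructed samples, with the ASA side including the IKEv1 policy and tunnel-group that a pre-shared-key site-to-site tunnel needs) and reports every mismatch it finds. It understands only the command forms used on this page, and names such as `check_site_to_site` and `parse` are the example's own.

```python
# Added example, not code from the original article: cross-check the ASA and IOS
# configurations above for what most often keeps an IKEv1 site-to-site tunnel down: Phase 1
# parameters, ESP transforms, crypto ACLs that are not mirror images, a key bound to the wrong peer.
import ipaddress

# Tokens that start a sub-command, i.e. continue the preceding top-level command.
SUB = {"network-object", "authentication", "encryption", "encr", "hash", "group", "set", "match", "mode", "ikev1"}
MAP_KEYS = {"match address": "map_acl", "set peer": "peer",            # crypto-map settings of interest
            "set transform-set": "map_ts", "set ikev1 transform-set": "map_ts"}
P1_KEYS = ("encryption", "hash", "authentication", "group")


def _net(addr, mask):
    """'address mask' -> network; ipaddress takes a subnet mask (object-group, nat) or a wildcard mask (IOS ACL)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(text):
    """Extract the crypto-relevant settings from either an ASA or an IOS configuration."""
    groups, acls, ts, ctx, cur = {}, {}, {}, None, None
    info = {"policy": {}, "peer": None, "key_peer": None, "map_acl": None, "map_ts": None}
    for raw in text.splitlines():
        sub = t = raw.split() or ["!"]                       # blank lines act like '!' separators
        if t[0] not in SUB:
            ctx = None                                       # back at top level
        if t[:2] == ["object-group", "network"]:             # ASA
            ctx, cur, groups[t[2]] = "group", t[2], set()
        elif ctx == "group" and t[0] == "network-object":
            groups[cur].add(_net(t[1], t[2]))
        elif t[:3] in (["crypto", "ikev1", "policy"], ["crypto", "isakmp", "policy"]):
            ctx, info["policy"] = "policy", {"hash": "sha"}  # SHA is the default hash on both platforms
        elif ctx == "policy" and t[0] in P1_KEYS + ("encr",):
            info["policy"]["encryption" if t[0] == "encr" else t[0]] = t[1]
        elif t[:3] == ["crypto", "isakmp", "key"]:           # IOS: key bound to a peer address
            info["key_peer"] = t[t.index("address") + 1]
        elif t[0] == "tunnel-group" and t[2:4] == ["type", "ipsec-l2l"]:
            info["key_peer"] = t[1]                          # ASA: the L2L tunnel-group holding the key is named after the peer
        elif t[:2] == ["crypto", "ipsec"] and "transform-set" in t:
            i = t.index("transform-set")                     # ASA 'ipsec ikev1 transform-set' or IOS 'ipsec transform-set'
            ts[t[i + 1]] = frozenset(t[i + 2:])
        elif t[:2] == ["crypto", "map"]:
            ctx, sub = "map", t[4:]                          # ASA carries the setting on the same line
        elif t[0] == "access-list" and len(t) == 9 and t[2:5] == ["extended", "permit", "ip"] and t[5] == t[7] == "object-group":
            acls.setdefault(t[1], set()).update((s, d) for s in groups[t[6]] for d in groups[t[8]])  # ASA
        elif t[0] == "access-list" and len(t) == 8 and t[2:4] == ["permit", "ip"] and "host" not in t:
            acls.setdefault(t[1], set()).add((_net(t[4], t[5]), _net(t[6], t[7])))        # IOS net/wildcard
        if ctx == "map" and " ".join(sub[:-1]) in MAP_KEYS:
            info[MAP_KEYS[" ".join(sub[:-1])]] = sub[-1]
    info["acl"], info["transform"] = acls.get(info["map_acl"], set()), ts.get(info["map_ts"])
    return info


def check_site_to_site(asa_text, ios_text):
    """Return a list of findings; an empty list means the two sides agree."""
    asa, ios, out = parse(asa_text), parse(ios_text), []
    for k in P1_KEYS:                                        # Phase 1 must match exactly
        if asa["policy"].get(k) != ios["policy"].get(k):
            out.append(f"phase1 {k}: ASA={asa['policy'].get(k)} router={ios['policy'].get(k)}")
    if asa["transform"] != ios["transform"]:                 # Phase 2 ESP algorithms
        out.append(f"phase2 transform: ASA={asa['transform']} router={ios['transform']}")
    # Proxy IDs: the router's crypto ACL must be the exact mirror (src/dst swapped) of the ASA's
    if {(d, s) for s, d in ios["acl"]} != asa["acl"]:
        out.append("crypto ACLs are not mirror images (proxy-ID mismatch)")
    for name, side in (("ASA", asa), ("router", ios)):       # key must be bound to the dialled peer
        if side["key_peer"] != side["peer"]:
            out.append(f"{name} key bound to {side['key_peer']} but crypto-map peer is {side['peer']}")
    return out


# Constructed sample: the ASA side from the article, including the IKEv1 policy and
# L2L tunnel-group it needs to match the router's ISAKMP policy and pre-shared key.
ASA_CONFIG = """
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 group 2
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
tunnel-group 172.17.1.1 type ipsec-l2l
"""
# Constructed sample: the router side from the article (crypto and crypto-ACL lines only).
IOS_CONFIG = """
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-AES-SHA
 match address 110
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
```

Call `check_site_to_site(ASA_CONFIG, IOS_CONFIG)`: an empty list means the two sides agree, and each string in the list names the side and the parameter to correct. Note that the IOS ACL uses wildcard masks (0.0.0.255) while the ASA object-groups use subnet masks (255.255.255.0); the script normalises both to networks, so a slip in either mask style shows up as a proxy-ID mismatch rather than going unnoticed until Phase 2 fails on the devices.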