For Sponsored Posts & Articles, please email us on 📧 networks.baseline@gmail.com

Site-to-Site VPN: IPSEC Tunnel Between an ASA and a Cisco IOS Router

Today I am going to talk about the configuration of Site to site IPSEC tunnel between the Cisco ASA and Cisco IOS based router. I am writing this article as some of you have queries to understand how it works and what will be the configurations on ASA (Cisco Adaptive Security Appliance) and on Cisco IOS based router. 

As of the example I am taking the topology and the IP in the topology which is irrelevant to any of the enterprise networks and has no relevance to any of the service provider either.

For an example we are taking Cisco 1900 router and Cisco 5512-X Series ASA  that runs software Version 9.4. We will configure ASA first and then we will configure Cisco 1900 router. Below is the sample topology for the reference which includes ASA and Cisco router.

Fig 1.1- Site to Site VPN
So in the above scenario, we have ASA on left side of the topology and Router is on the right side of the topology. The users are connected beyond the router and the ASA. We have internet as a medium between them and we will have to configure the tunnel between ASA and router which should be IPSEC as one of the most secure tunnel on to the internet. 

Let's have configuration on ASA device first and 

Configuration ASA 
!
//Configuring IP addresses to the interface GigabitEthernet0/0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
//Configuring IP addresses to the interface GigabitEthernet0/1
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
//Configure the ACL for the VPN Traffic of Interest
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0
!
access-list asa-router-vpn extended permit ip object-group local-network
 object-group remote-network
!
//Configuring NAT and Configure the IKEv1 Transform Set
nat (inside,outside) source static local-network local-network destination
 static remote-network remote-network no-proxy-arp route-lookup
!
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
//Configure a Crypto Map and Apply it to an Interface
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!

Let's now configure the Cisco 1900 router to get the site to site tunnel up and running 

Configuration on Cisco Router
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-AES-SHA
 match address 110
!
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface GigabitEthernet0/1
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
route-map nonat permit 10
 match ip address 111
!
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 remark NAT exemption access-list
access-list 111 deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 10.20.10.0 0.0.0.255 any

!