Site-to-Site VPN: IPSEC Tunnel Between an ASA and a Cisco IOS Router

Today I am going to talk about the configuration of a site-to-site IPsec tunnel between a Cisco ASA and a Cisco IOS based router. I am writing this article because some of you have asked how it works and what the configurations look like on the ASA (Cisco Adaptive Security Appliance) and on the Cisco IOS router.

The topology and the IP addresses used in this example are made up for illustration; they do not belong to any enterprise network or to any service provider.

For the example we take a Cisco 1900 Series router and a Cisco ASA 5512-X running software version 9.4. We will configure the ASA first and then the Cisco 1900 router. Below is the sample topology for reference, which includes the ASA and the Cisco router.

Fig 1.1 - Site to Site VPN

In the above scenario the ASA is on the left side of the topology and the router on the right. The users sit behind the ASA and behind the router respectively. The Internet is the medium between the two devices, and we have to build a tunnel between the ASA and the router; that tunnel should be IPsec, one of the most secure ways to carry traffic across the Internet.

Let's start with the configuration on the ASA device.

Configuration ASA
!
//Configuring the IP address on interface GigabitEthernet0/0 (outside, towards the Internet)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
//Configuring the IP address on interface GigabitEthernet0/1 (inside, towards the users)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
//Configure the ACL for the VPN traffic of interest (must be the mirror image of access-list 110 on the router)
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0
!
access-list asa-router-vpn extended permit ip object-group local-network object-group remote-network
!
//NAT exemption so that traffic going through the tunnel is not translated
nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
!
//Enable IKEv1 on the outside interface and define the IKEv1 (Phase 1) policy; these lines are not shown in the original listing but are required, and the policy must match "crypto isakmp policy 10" on the router (AES, SHA, pre-shared key, DH group 2)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
//Tunnel group for the router peer, using the same pre-shared key the router is configured with (cisco123); also not shown in the original listing
tunnel-group 172.17.1.1 type ipsec-l2l
tunnel-group 172.17.1.1 ipsec-attributes
 ikev1 pre-shared-key cisco123
!
//Configure the IKEv1 transform set (Phase 2); must match the transform set on the router
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
//Configure a crypto map (interesting traffic, peer, transform set) and apply it to the outside interface
crypto map outside_map 10 match address asa-router-vpn
crypto map outside_map 10 set peer 172.17.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
!

Let's now configure the Cisco 1900 router to get the site-to-site tunnel up and running.

Configuration on Cisco Router
!
//Configure the ISAKMP (IKEv1 Phase 1) policy and the pre-shared key for the ASA peer; hash defaults to SHA, matching the ASA's ikev1 policy
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.16.1.1
!
//Configure the IPsec transform set (Phase 2); must match the ASA's transform set
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
//Configure the crypto map with the ASA as peer, the transform set and the interesting traffic ACL
crypto map outside_map 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set ESP-AES-SHA
 match address 110
!
//Outside interface towards the Internet; the crypto map is applied here
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
//Inside interface towards the users
interface GigabitEthernet0/1
 ip address 10.20.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
//PAT for Internet-bound traffic; the route-map keeps VPN traffic out of the translation
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
!
route-map nonat permit 10
 match ip address 111
!
//ACL 110 defines the interesting traffic (mirror image of asa-router-vpn on the ASA); ACL 111 exempts that traffic from NAT
access-list 110 remark Interesting traffic access-list
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 remark NAT exemption access-list
access-list 111 deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 10.20.10.0 0.0.0.255 any
!
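Most site-to-site tunnels that refuse to come up fail on one of four mismatches between the two ends: the peer addresses, the address the pre-shared key is bound to, the transform set, or interesting-traffic ACLs that are not exact mirror images. The script below is an added example (not part of the article and not a Cisco tool) that parses constructed excerpts of the two configurations above and reports those mismatches before the tunnel is brought up.

```python
import ipaddress, re
# Constructed excerpts of the article's two configs, trimmed to the lines the checker reads.
ASA_CFG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 172.16.1.1 255.255.255.0
object-group network local-network
 network-object 10.10.10.0 255.255.255.0
object-group network remote-network
 network-object 10.20.10.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 set peer 172.17.1.1
"""
IOS_CFG = """\
crypto isakmp key cisco123 address 172.16.1.1
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 set peer 172.16.1.1
interface GigabitEthernet0/0
 ip address 172.17.1.1 255.255.255.0
 crypto map outside_map
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

def grab(pattern, cfg):  # first multiline match; a missing line is itself a config defect
    return re.search(pattern, cfg, re.M).groups()

# ipaddress accepts a netmask (ASA objects) or a wildcard/hostmask (IOS ACLs) after the slash
net = lambda addr, mask: ipaddress.ip_network(f"{addr}/{mask}")

def parse_asa(cfg):
    return {"outside": grab(r"nameif outside\n(?: .*\n)*? ip address (\S+)", cfg)[0],
            "peer": grab(r"set peer (\S+)", cfg)[0],
            "xform": grab(r"ikev1 transform-set \S+ (.+)$", cfg)[0],
            "local": net(*grab(r"local-network\n network-object (\S+) (\S+)", cfg)),
            "remote": net(*grab(r"remote-network\n network-object (\S+) (\S+)", cfg))}

def parse_ios(cfg):
    src, swc, dst, dwc = grab(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    return {"outside": grab(r"ip address (\S+) \S+\n(?: .*\n)*? crypto map", cfg)[0],
            "peer": grab(r"^ set peer (\S+)", cfg)[0],
            "key_for": grab(r"isakmp key \S+ address (\S+)", cfg)[0],
            "xform": grab(r"ipsec transform-set \S+ (.+)$", cfg)[0],
            "local": net(src, swc), "remote": net(dst, dwc)}

def check_pair(asa_cfg, ios_cfg):  # returns the mismatches; an empty list means the ends mirror each other
    a, r = parse_asa(asa_cfg), parse_ios(ios_cfg)
    checks = [(a["peer"] == r["outside"] and r["peer"] == a["outside"], "peer addresses"),
              (r["key_for"] == a["outside"], "pre-shared key peer address"),
              (a["xform"] == r["xform"], "transform set"),
              ((a["local"], a["remote"]) == (r["remote"], r["local"]), "interesting-traffic ACLs")]
    return [f"mismatch: {what}" for ok, what in checks if not ok]
```

Run `check_pair(ASA_CFG, IOS_CFG)` on the article's values and it returns an empty list; change the ASA peer or the router's ACL and the corresponding mismatch is reported.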