1. Overview
In the previous article we had talked about configuring IPSec VPN site-to-site between head office and branch office with two Cisco ASA firewall appliances. Sometime, there is a case that both sites are not using the same devices.
In this article will show you how to configure IPSec VPN site-to-site between Cisco ASA firewall appliance and Cisco Router.
2. Prerequisites
In this tutorial, it is assumed that:
a. You already have Cisco ASAv on GNS3 VM up and running. In case that you don’t, please follow this link. Configuring Cisco ASAv QCOW2 with GNS3 VM
b. You need to understand about encryption and authentication that happen at phase 1 and phase 2 of IPSec VPN.
3. Lab Scenario Set up
The following network diagram of GNS3 Lab will be used to demonstrate configuring IPSec VPN site-to-site between Cisco ASA firewall with IOS version 9.x and Cisco router.
Cisco ASA firewall appliances, with host name HOFW01 locates in head office and Cisco router with host name BORT1 locates in branch office. There is one router act as internet. The following is the IP configuration of each device.
On PC1
PC1> ip 10.10.10.10/24 10.10.10.1
On HOFW01
#int g0/0 no sh ip add 10.10.10.1 255.255.255.0 security-level 100 nameif inside #int g0/1 no sh ip add 203.200.200.2 255.255.255.252 security-level 0 nameif outside #policy-map global_policy class inspection_default inspect icmp inspect icmp erro
On Internet router
#int f0/0 no sh ip add 203.200.200.1 255.255.255.252 #in f0/1 no sh ip add 117.168.100.1 255.255.255.252
On BORT01
#int f0/0 no sh ip add 172.16.20.1 255.255.255.0 #in f0/1 no sh ip add 117.168.100.2 255.255.255.252
On PC2
PC1> ip 172.16.20.10/24 172.16.20.1
4. IPSec VPN Site-to-Site Form
The following is the information that IPSec VPN site-to-site will be used to in the configuration.
| Firewall Type | Head Office | Branch Office |
| Manufacturer | Cisco | Cisco |
| Model | ASA 5555-X | Router |
| Version | 9.4 | 12.4(15)T13 |
| Configuration | Head Office | Branch Office | ||
| Phase 1 | ||||
| IKE Encryption Algorithm | 3DES | 3DES | ||
| IKE Hash Algorithm | SHA-1 | SHA-1 | ||
| IKE Security Lifetime | 86400 | 86400 | ||
| Diffie-Hellman Group | 2 | 2 | ||
| Pre-shared key | vpn@Ho2Bo | vpn@Ho2Bo | ||
| Phase 2 | ||||
| IPSEC security protocol | ESP | ESP | ||
| IPSEC Encryption Algorithm | 3DES | 3DES | ||
| IPSEC Hash Algorithm | MD5 | MD5 | ||
| IPSEC Security Lifetime (Optional) | □ 14400 □ 28800 (default) □ 86400 □ Other:………. | □ 14400 □ 28800 (default) □ 86400 □ Other: ………. | ||
| Perfect Forward Secrecy(PFS) (Optional) | PFS □ No □Yes | Group □ 2(default) □ 5 □ 7 | PFS □ No □ Yes | Group □ 2 (default) □ 5 □ 7 |
| IP Addressing | Head Office | Branch Office |
| Peer IP address | 203.200.200.2 | 117.168.100.2 |
| Local IP address | 10.10.10.10/32 | 172.16.20.10/32 |
5. Configuration
5.1 Configure Default Route
Apply the the following default router configuration
On HOFW01
#route outside 0 0 203.200.200.1
On BORT01
#ip route 0.0.0.0 0.0.0.0 117.168.100.1
Now both HOFW01 and BORT01 should be able to ping their public IP each other.
5.2 Set Up ISAKMP Policy
Configure IKE to negotiate an security SA (Security Association) relationship with the peer. It will encrypted communication channels between the two VPN endpoints. Apply the following command.
On HOFW01
#crypto ikev1 policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400
On BORT01
#crypto isakmp policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400
5.3 Create IPSec Transform Set
Next we need to create a transform set to establishes the encryption and authentication for IPSec tunnel. Apply the follow configuration on HOFW01 to create a transform set name “HO-TRSET01-3DES-MD5”.
#crypto ipsec ikev1 transform-set HO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
Apply the follow configuration on BORT01 to create a transform set name “BO-TRSET01-3DES-MD5”.
#crypto ipsec transform-set BO-TRSET01-3DES-MD5 esp-3des esp-md5-hmac
5.4 Create ACL For VPN Tunnel
To match the traffic for IPSec VPN tunnel, an ACL must be created.
Create the following ACL on HOFW01.
#object-group network HO-Server network-object host 10.10.10.10 #object-group network BO-Server network-object host 172.16.20.10 #access-list ACL-HO2BO extended permit ip object-group HO-Server object-group BO-Server
Create the following ACL on BORT01.
#ip access-list extended ACL-BO2HO permit ip host 172.16.20.10 host 10.10.10.10
5.5 Create VPN Tunnel Group
Create a tunnel group for IPSec VPN site-to-site connection. Pre-shred key authentication is to be configured here.
On HOFW01
#tunnel-group 117.168.100.2 type ipsec-l2l #tunnel-group 117.168.100.2 ipsec-attributes ikev1 pre-shared-key vpn@Ho2Bo
On BORT01
#crypto isakmp key 0 vpn@Ho2Bo address 203.200.200.2
5.6 Configure and Apply Crypto Map
Now come to the final step that we need to configure the crypto map to combine IPsec transform set, access list, and tunnel group configured in the previous steps for that specific VPN peer and apply it to the interface that connected to the internet.
The following are the commands to be executed
On HOFW01
#crypto map HO-VPN 1 match address ACL-HO2BO #crypto map HO-VPN 1 set peer 117.168.100.2 #crypto map HO-VPN 1 set ikev1 transform-set HO-TRSET01-3DES-MD5 #crypto map HO-VPN interface outside #crypto ikev1 enable outside
On BORT01
#crypto map BO-VPN 1 ipsec-isakmp set peer 203.200.200.2 set transform-set BO-TRSET01-3DES-MD5 match address ACL-BO2HO #interface FastEthernet0/1 crypto map BO-VPN
5.7 Test and Verify the Configuration
To bring up the IPSec VPN site-to-site tunnel, we need to ping the IP address of the host in the remote site. Let test to ping from PC1 in head office to PC2 in branch office.
As we are successful to ping IP of host on the remote site, the IPSec VPN tunnel should be up and running now. We can verify it with the following command on HOFW01.
#sh vpn-sessiondb detail l2l filter ipaddress 117.168.100.2
*** 10 is the IPSec Security Lifetime. Even thought we did not configure the value of 3600, it is come by default. Anyway, we can change it. Check section 5.8 below for how to change it.
And with the following command on BORT01.
#sh crypto session
5.8 IPSec Security Lifetime and PFS (Optional)
IPSec security lifetime and PFS is optional. Without it the VPN tunnel still up and running. If it is required, the following are the commands to configure it.
On HOFW01
#crypto map HO-VPN 1 set security-association lifetime seconds 86400 #crypto map HO-VPN 1 set pfs
On BORT01
#crypto map BO-VPN 1 ipsec-isakmp set pfs group2 set security-association lifetime seconds 86400
5.9 IPSec VPN With Dynamic NAT on Cisco Router
Normal, Dynamic NAT is configured on Cisco router to provide internet access to all computers within Local Area Network (LAN).
#int f0/0 ip nat inside #int f0/1 ip nat outside #ip access-list extended ACL-DNAT permit ip 172.16.20.0 0.0.0.255 any #ip nat inside source list ACL-DNAT interface f0/1 overload
In this case, we need to configure router not to NAT the IPSec VPN traffic otherwise VPN tunnel would not be up. This could be done with the deny statement in top of the NAT ACL.
#ip access-list extended ACL-DNAT 9 deny ip host 172.16.20.10 host 10.10.10.10
6. Conclusion
Now you should be able to configure IPSec VPN site-to-site between Cisco ASA firewall appliance with IOS version 9.x with Cisco router. It would be great if you could practice with GNS3 MV to verify your understanding. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.
