Site-to-Site VPN Configuration using ASDM

Site-to-site VPN (Virtual Private Networking) features provided by the adaptive security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites.

Figure 8-1 shows an example VPN tunnel between two adaptive security appliances.

Figure 8-1 Network Layout for Site-to-Site VPN Configuration Scenario

 

Creating a VPN site-to-site deployment such as the one in Figure 8-1 requires you to configure two adaptive security appliances, one on each side of the connection.

Implementing the Site-to-Site Scenario

The following sections provide instructions for configuring the adaptive security appliance in a site-to-site VPN deployment, using example parameters from the remote-access scenario shown in Figure 8-1.

Information to Have Available

IP address of the remote adaptive security appliance peer

IP addresses of local hosts and networks to be allowed to use the tunnel to communicate with resources on the remote site

IP addresses of remote hosts and networks allowed to use the tunnel to communicate with local resources

Configuring the Site-to-Site VPN

ASDM provides a configuration wizard to guide you through the process of configuring a site-to-site VPN. Configuring one side of the VPN connection consists of the following steps:

1. Configure the Adaptive Security Appliance at the Local Site.

2. Provide Information About the VPN Peer.

3. Configure the IKE Policy.

4. Configure IPSec Encryption and Authentication Parameters.

5. Specify Local Hosts and Networks.

6. Specify Remote Hosts and Networks.

7. View VPN Attributes and Complete Wizard.

Configure the Adaptive Security Appliance at the Local Site

The adaptive security appliance at the first site is referred to as ASA 1 from this point forward.

To configure the local adaptive security appliance, perform the following steps:


Step 1 Launch ASDM by entering the factory default IP address in the address field of a web browser: https://192.168.1.1/admin/.

 

 

 

Step 2 In the main ASDM window, click the VPN Wizard option from the Wizards drop-down list. ASDM opens the first VPN Wizard screen.

In Step 1 of the VPN Wizard, perform the following steps:

a. Click the Site-to-Site VPN option.


Note The Site-to-Site VPN option connects two IPSec security gateways, which can include adaptive security appliances, VPN concentrators, or other devices that support site-to-site IPSec connectivity.


b. From the drop-down list, click outside as the enabled interface for the current VPN tunnel.

 

 

c. Click Next to continue.


Provide Information About the VPN Peer

The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site. In this scenario, the remote VPN peer is ASA security appliance 2, from this point forward referred to as ASA 2.

In Step 2 of the VPN Wizard, perform the following steps:


Step 1 Enter the Peer IP Address (ASA 2) and a Tunnel Group Name.

Step 2 Specify the type of authentication that you want to use by performing one of the following steps:

To use a preshared key for authentication (for example, “CisCo”), click the Pre-Shared Key radio button, and enter a preshared key, which is shared for IPSec negotiations between both adaptive security appliances.


Note When you configure the ASA 2 at the remote site, the VPN peer is ASA 1. Be sure to enter the same preshared key (CisCo) that you use here.


To use digital certificates for authentication instead, click the Certificate radio button, and then choose a Trustpoint Name from the drop-down list.

 

 

Step 3 Click Next to continue.


Configure the IKE Policy

IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy; it is also an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers.

In Step 3 of the VPN Wizard, perform the following steps:


Step 1 Click the Encryption (DES/3DES/AES), authentication algorithms (MD5/SHA), and the Diffie-Hellman group (1/2/5) used by the adaptive security appliance during an IKE security association.

 

 


Note When configuring ASA 2, enter the exact values for each of the options that you chose for ASA 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.


Step 2 Click Next to continue.


Configure IPSec Encryption and Authentication Parameters

In Step 4 of the VPN Wizard, perform the following steps:


Step 1 Click the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA).

 

 

Step 2 Click Next to continue.


Specify Local Hosts and Networks

Identify hosts and networks at the local site to be allowed to use this IPSec tunnel to communicate with the remote-site peers. (The remote-site peers will be specified in a later step.) Add or remove hosts and networks dynamically by clicking on Add or Delete respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by ASA 1 and transmitted through the VPN tunnel.

In Step 5 of the VPN Wizard, perform the following steps:


Step 1 Click IP Address.

Step 2 From the drop-down list, click an interface to specify whether the interface is inside or outside.

Step 3 Enter the IP address and mask.

Step 4 Click Add.

Step 5 Repeat Step 1 through Step 4 for each host or network that you want to have access to the tunnel.

 

 

 

Step 6 Click Next to continue.


Specify Remote Hosts and Networks

Identify hosts and networks at the remote site to be allowed to use this IPSec tunnel to communicate with the local hosts and networks you identified in Step 5. Add or remove hosts and networks dynamically by clicking Add or Delete respectively. In the current scenario, for ASA 1, the remote network is Network B (10.20.20.0), so traffic encrypted from this network is permitted through the tunnel.

In Step 6 of the VPN Wizard, perform the following steps:


Step 1 Click IP Address.

Step 2 From the Interface drop-down list, click an interface to specify whether the interface is inside or outside.

Step 3 Enter the IP address and mask.

Step 4 Click Add.

Step 5 Repeat Step 1 through Step 4 for each host or network that you want to have access to the tunnel.

 

 

Step 6 Click Next to continue.


View VPN Attributes and Complete Wizard

In Step 7 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the configuration changes to the adaptive security appliance.

 

 

This concludes the configuration process for ASA 1.

Configuring the Other Side of the VPN Connection

You have just configured the local adaptive security appliance. Now you need to configure the adaptive security appliance at the remote site.

At the remote site, configure the second adaptive security appliance to serve as a VPN peer. Use the procedure you used to configure the local adaptive security appliance, starting with “Configure the Adaptive Security Appliance at the Local Site” section and finishing with “View VPN Attributes and Complete Wizard” section.

 

Source : http://www.cisco.com/en/US/docs/security/asa/asa71/getting_started/asa5500/quick/guide/sitesite.html#wp1031481

1 Comment

  1. Laxmi Narayan Sahu said,

    May 22, 2012 at 4:40 pm

    VERY USEFULL ..

    THANKS A TON AND TON …

    FROM
    LAXMI NARAYAN SAHU


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: