
Configuring ASA Site-To-Site VPN

Contents
Purpose:
Background:
  Outside:
  Inside:
  DMZ:
VPN:
ASA VPN Types:
  Clientless VPN:
  Any Connect VPN:
  Site-to-Site VPN:
    There are two types of site-to-site VPNs:
ASDM:
Learning Objectives:
Network Diagram:
Lab:
  Task 1: Configure all other devices except the ASA
    PCs and servers:
    ISP:
    R1:
    R2:
  Task 2: Create an MS Loopback interface
  Task 3: Add the ASA device to GNS3
Local Site
  Task 4: Install ASDM on the ASA device
  Task 5: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
    Step 3: Configure the dmz
    Step 4: Create an Access Rule
  Task 6: Verifying the Local configuration
Remote Site
  Task 7: Install ASDM on the ASA device
  Task 8: Configure the ASA using ASDM
    Step 1: Basic configuration
    Step 2: Create a global service policy
  Task 9: Verifying the Remote configuration
Configure the Site-To-Site VPN
  Local site
  Remote site
  Verifying the VPN configuration

Purpose:
The purpose of this lab is to provide a more advanced understanding of
Cisco's ASA 5520 Adaptive Security Appliance. The Cisco ASA is a security
device that combines firewall, antivirus, intrusion prevention, and virtual
private network (VPN) capabilities. In this lab we will use GNS3 to learn how
to configure the ASA as a basic firewall with the addition of a third zone
referred to as a DMZ, and finally we will create a site-to-site VPN between the
sites. This knowledge is essential to passing the CCNP Security exam and will
be used daily in your position as a Cisco network engineer.
Background:
In this lab we will be using GNS3 and ASDM to model a network with a LOCAL
and a REMOTE site. Each of these sites will have access to the internet. The
local site will also have a DMZ zone that can be accessed by any outside device
as well as by inside devices, but which will not be able to connect to any inside device.
In addition to this we will create a site-to-site VPN between the local site and
the remote site. Before we continue with our lab, let's take a look at the basic
interfaces being used in this lab.
Outside:
The outside interface is a public, untrusted zone commonly used to connect
to public addresses on the internet. Devices within this zone cannot access
devices in the inside or DMZ without permission.
Inside:
The inside interface is a private, trusted interface generally used for local
devices using a private address space. To reach public addresses on the
outside, the private addresses will need to be translated using NAT or PAT.
Inside devices can access devices in the outside or DMZ unless restricted.
DMZ:
In computer security, a DMZ or demilitarized zone (sometimes referred to as
a perimeter network) is a physical or logical subnetwork that contains and
exposes an organization's external-facing services to a larger and untrusted
network, usually the Internet. The purpose of a DMZ is to add an additional
layer of security to an organization's local area network (LAN); an external
attacker only has direct access to equipment in the DMZ, rather than any
other part of the network.

VPN:
VPNs allow employees to securely access their company's intranet while
traveling outside the office. Similarly, VPNs securely connect geographically
separated offices of an organization, creating one cohesive network. VPN
technology is also used by individual Internet users to secure their wireless
transactions, to circumvent geo restrictions and censorship, and to connect
to proxy servers for the purpose of protecting personal identity and location.
ASA VPN Types:
There are basically three types of VPN available on the Cisco ASA product line.
They are as follows:
Clientless VPN:
Clientless SSL VPN enables end users to securely access resources on the
corporate network from anywhere using an SSL-enabled Web browser. The
user first authenticates with a Clientless SSL VPN gateway, which then allows
the user to access pre-configured network resources.
Clientless SSL VPN creates a secure, remote-access VPN tunnel to an ASA
using a Web browser without requiring a software or hardware client. It
provides secure and easy access to a broad range of Web resources and both
web-enabled and legacy applications from almost any device that can
connect to the Internet via HTTP. They include:

Internal websites.
Web-enabled applications.
NT/Active Directory file shares.
Email proxies, including POP3S, IMAP4S, and SMTPS.
Microsoft Outlook Web Access Exchange Server 2000, 2003, and 2007.
Microsoft Web App to Exchange Server 2010 in 8.4(2) and later.
Application Access (smart tunnel or port forwarding access to other
TCP-based applications).

Clientless SSL VPN uses the Secure Sockets Layer protocol and its successor,
Transport Layer Security (SSL/TLS), to provide the secure connection
between remote users and specific, supported internal resources that you
configure at an internal server. The ASA recognizes connections that must be
proxied, and the HTTP server interacts with the authentication subsystem to
authenticate users.
The network administrator provides access to resources by users of
Clientless SSL VPN sessions on a group basis. Users have no direct access to
resources on the internal network.
Any Connect VPN:
Cisco AnyConnect is an app designed to let you connect securely to VPNs.
This is an app for enterprise users who need a secure way to connect to a
VPN at their place of work. Coming from a trusted name like Cisco, the app
provides a level of safety and security that should be welcomed by those who
have need of such an app.
Site-to-Site VPN:
A site-to-site VPN allows offices in multiple fixed locations to establish secure
connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources
from one location available to employees at other locations. An example of a
company that needs a site-to-site VPN is a growing corporation with dozens
of branch offices around the world.
There are two types of site-to-site VPNs:
Intranet-based -- If a company has one or more remote locations that
they wish to join in a single private network, they can create an
intranet VPN to connect each separate LAN to a single WAN.
Extranet-based -- When a company has a close relationship with
another company (such as a partner, supplier or customer), it can build
an extranet VPN that connects those companies' LANs. This extranet
VPN allows the companies to work together in a secure, shared
network environment while preventing access to their separate
intranets.
Even though the purpose of a site-to-site VPN is different from that of a
remote-access VPN, it could use some of the same software and equipment.
Ideally, though, a site-to-site VPN should eliminate the need for each
computer to run VPN client software as if it were on a remote-access VPN.
Dedicated VPN equipment, such as the ASA used in this lab, accomplishes
this goal in a site-to-site VPN.

ASDM:
Cisco's ASDM is a simple, GUI-based firewall appliance management tool
that is user friendly and allows the user to configure, monitor, and
troubleshoot Cisco firewall appliances and firewall service modules. Ideal for
small or simple deployments, the Cisco Adaptive Security Device Manager
provides the following:

Setup wizards that help you configure and manage Cisco firewall
devices, including the Cisco ASA Adaptive Security Appliances, Cisco
PIX appliances, and Cisco Catalyst 6500 Series Firewall Services
Modules, without cumbersome command-line scripts.
A powerful real-time log viewer and monitoring dashboards that provide
an at-a-glance view of firewall appliance status and health.
Handy troubleshooting features and powerful debugging tools such as
packet tracer and packet capture.

Learning Objectives:
Add the ASA to GNS3.
Configure MS Loopback Interface.
Install and configure ASDM.
Use ASDM to configure the ASA.
Configure a DMZ
Configure a Site-to-Site VPN

Network Diagram:

Lab:
Task 1: Configure all other devices except the ASA.
In this part of our lab we will configure the routers, PCs and servers as shown
in the network diagram.
Note: In this lab routers are being used to simulate the devices INTERNET,
DMZ, and LOCAL servers and the REMOTE and LOCAL PCs.
PCs and servers:
1. Configure the INTERNET, DMZ, and LOCAL servers and the REMOTE
and LOCAL PCs devices as shown in the network diagram.
2. Configure a default route on the above devices.
ISP:
1. Configure the ISP as follows:

ISP#config t
ISP(config)#interface FastEthernet0/0
ISP(config-if)# ip address 209.165.200.9 255.255.255.248
ISP(config-if)# no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/0
ISP(config-if)# ip address 10.1.1.2 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/1
! Serial1/1 faces R2 (10.2.2.1/30), so it takes 10.2.2.2 rather than a second copy of 10.1.1.2
ISP(config-if)# ip address 10.2.2.2 255.255.255.252
ISP(config-if)# no shutdown
ISP(config-if)#exit
!
ISP(config)#ip route 209.165.200.224 255.255.255.248 10.1.1.1
ISP(config)#ip route 209.165.200.232 255.255.255.248 10.2.2.1
ISP(config)#exit
ISP#wr
R1:
1. Configure R1 as follows:
R1#config t
R1(config)#interface FastEthernet0/0
! R1 is ASA1's default gateway (209.165.200.225 in Task 5); ASA1's outside interface uses .226
R1(config-if)# ip address 209.165.200.225 255.255.255.248
R1(config-if)# no shutdown
R1(config-if)#exit
!
R1(config)#interface serial1/0
R1(config-if)# ip address 10.1.1.1 255.255.255.252
R1(config-if)# no shutdown
R1(config-if)#exit
!
R1(config)# ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)#exit
R1#wr
R2:
1. Configure R2 as follows:
R2#config t
R2(config)#interface FastEthernet0/0
R2(config-if)# ip address 209.165.200.233 255.255.255.248
R2(config-if)# no shutdown
R2(config-if)#exit
!
R2(config)#interface serial1/1
R2(config-if)# ip address 10.2.2.1 255.255.255.252
R2(config-if)# no shutdown
R2(config-if)#exit
!
R2(config)# ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)#exit
R2#wr
Task 2: Create an MS Loopback interface.
Microsoft Loopback Adapter is a dummy network card, no hardware is
involved. It is used as a testing tool for a virtual network environment where
network access is not available. You can bind network clients, protocols, and
other network configuration items to the Loopback adapter.
1. In the host operating system, right-click My Computer, and then select
Properties. Depending on the style of the start menu, My Computer
may be located in the Start menu.
2. In the System Properties dialog box, on the Hardware tab, click Add
Hardware Wizard.
3. In the Add Hardware dialog box, click Next.
4. When the Is the hardware connected? dialog box appears, click Yes, I
have already connected the hardware, and then click Next.
5. In the Installed hardware list, click Add a new hardware device, and
then click Next.
6. In the What do you want the wizard to do? list, click Install the
hardware that I manually select from a list (Advanced), and then click
Next.
7. In the Common hardware types list, click Network adapters, and then
click Next.
8. In the Manufacturer list, click Microsoft.
9. In the Network Adapter list, click Microsoft Loopback Adapter, and then
click Next twice.
10. If a message about driver signing appears, click Continue Anyway.
11. In the Completing the Add Hardware Wizard dialog box, click Finish,
and then click OK.
12. Reboot the computer.
13. On the host operating system, open Network Connections, right-click
the local area connection for Microsoft Loopback Adapter, and then
select Properties.
14. In the Microsoft Loopback Adapter Properties dialog box, verify that
the Virtual Machine Network Services check box is selected.
15. Click Internet Protocol (TCP/IP), and then click Properties.
16. On the General tab, click Use the following IP address, and then type
the IP address 192.168.2.10 and the subnet mask 255.255.255.0.
17. Click OK, and then click Close.
Task 3: Add the ASA device to GNS3.
1. Copy the ASA842.zip file included with this lab into the GNS3 image
directory.
2. Unzip the ASA842.zip file.
3. Open Edit -> Preferences -> Qemu and click the ASA tab.
4. Enter an identifier name (I used ASA-5520).
5. Enter 1024 in RAM.
6. Enter the following for Qemu Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7. Enter the paths where you placed the files from step 1 into the
designated boxes for Initrd and Kernel.
8. Enter the following for Kernel cmd line:
-append ide_generic.probe_mask=001 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
9. Leave all other options at their defaults.
10. Click the Save button, then click OK.
11. Copy the ASDM lab.zip file to the GNS3 project directory.
12. Extract the ASDM lab.zip file.
13. Open the lab topology.
14. Once the ASA is up, enter enable and then enter one of the
following to activate features:
activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6
Local Site.
Task 4: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, then you can
download and install the Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA1
ASA1(config)# interface GigabitEthernet5
ASA1(config-if)# nameif management
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# no shutdown
3. Ping the Windows loopback adapter from the ASA firewall to test
connectivity.
4. If you don't already have the ASDM, then download the ASDM647
included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA1# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM during the next boot:
ASA1# config t
ASA1(config)# asdm image flash:asdm-647.bin
ASA1(config)# http server enable
ASA1(config)# http 192.168.2.10 255.255.255.255 management
ASA1(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the wr
command and then reload the firewall using the 'reload' command.

Note: to complete the next step, you will need to disable or configure
your PC firewall. You may also need to disable pop-up blocking in your browser
and in the Java configuration. Lastly, you may need to add
https://192.168.2.1 to the trusted sites under the Internet security
options. You may also need to install the certificate in your browser.
8. Open your browser and browse to https://192.168.2.1 and click the
Install ASDM Launcher button to download and install the ASDM app
from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the
name admin and password cisco.

Task 5: Configure the ASA using ASDM.


Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter Hostname ASA1 and Domain Name Local, and click Next.
5. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet0
Interface name: outside
Security level: 0
IP address: 209.165.200.226
Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet1
Interface name: inside
Security level: 0
IP address: 192.168.20.1
Subnet mask: 255.255.255.0
9. Click OK.
10. Highlight GigabitEthernet2 and click Edit.
11. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet2
Interface name: dmz
Security level: 0
IP address: 172.16.1.1
Subnet mask: 255.255.255.0
12. Click OK.
13. Click Next.
14. Click Add and enter the following:
Interface: inside
Network: any
Gateway IP: 209.165.200.225
15. Click OK.
16. Click Next.
17. Enable the DHCP server on the inside interface.
18. Enter the starting IP address 192.168.10.10 and the ending IP
address 192.168.10.100.
19. Click Next.
20. Select Use the IP address on GigabitEthernet0 interface.
21. Click Next.
22. Click Next.
23. Click Next.
24. Select Do not enable Smart Call Home and click Next.
25. Verify the configuration.
26. Click Finish.
27. Select Send.

Step 2: Create a global service policy.


1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, make the policy name global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
DNS
ESMTP
FTP
H.323 H.225
HTTP
ICMP
IP-OPTIONS
NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.

Step 3: Configure the dmz.


1. From the Firewall drop-down select Network Object/Group.
2. Click Add and select Network Object.
3. In the Network Object window enter the following:
Name: inside-subnet
Type: Network
IP Address: 192.168.1.0
Netmask: 255.255.255.0
4. Click NAT and select Add Automatic Address Translation Rule.
5. Select the Type Dynamic.
6. Select the Translation Address outside.
7. Click Advanced.
8. Select the Source Interface inside and Destination Interface outside.
9. Click OK.
10. From the Firewall drop-down select Network Object/Group.
11. Click Add and select Network Object.
12. In the Network Object window enter the following:
Name: dmz-subnet
Type: Network
IP Address: 172.16.1.0
Netmask: 255.255.255.0
13. Click NAT and select Add Automatic Address Translation Rule.
14. Select the Type Dynamic.
15. Select the Translation Address outside.
16. Click Advanced.
17. Select the Source Interface dmz and Destination Interface outside.
18. Click OK.
19. Click OK.
20. Click Add and select Network Object.
21. In the Network Object window enter the following:
Name: dmz-host-ext
Type: Host
IP Address: 209.165.200.229
22. Click OK.
23. Click Add and select Network Object.
24. In the Network Object window enter the following:
Name: dmz-host-int
Type: Host
IP Address: 172.16.1.200
25. Click NAT and select Add Automatic Address Translation Rule.
26. Select the Type Static.
27. Select the Translation Address dmz-host-ext.
28. Click Advanced.
29. Select the Source Interface dmz and Destination Interface outside.
30. Click OK.
31. Click OK.
32. Click Apply.
33. Click Send.

Step 4: Create an Access Rule.


1. From the Firewall drop-down select Access Rules.
2. Highlight outside (0 implicit incoming rules).
3. Click Add, select Add Access Rule and enter the following:
Interface: outside
Action: Permit
Source: any
Destination: dmz-host-int
Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet
4. Click OK.
5. Click Apply.
6. Click Send.
7. From the menu bar click Save.
8. Click Send.

Task 6: Verifying the Local configuration.


1. From LOCAL-PC, Telnet to the INTERNET server using the username admin
and the password cisco.
2. Enter exit.
3. From LOCAL-PC, Telnet to the DMZ server using the username admin and
the password cisco.
4. Enter exit.
5. From the DMZ server, Telnet to the INTERNET server using the username
admin and the password cisco.
6. Enter exit.
7. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from the DMZ.

Remote Site.
Task 7: Install ASDM on the ASA device.
1. If you don't already have a TFTP server installed, then you can
download and install the Cisco TFTP server available with this lab.
2. In the ASA console enter the following:
ciscoasa# config t
ciscoasa(config)# hostname ASA2
ASA2(config)# interface GigabitEthernet5
ASA2(config-if)# nameif management
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# no shutdown
3. Ping the Windows loopback adapter from the ASA firewall to test
connectivity.
4. If you don't already have the ASDM, then download the ASDM647
included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:
ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?
6. Set the ASA to load the ASDM during the next boot:
ASA2# config t
ASA2(config)# asdm image flash:asdm-647.bin
ASA2(config)# http server enable
ASA2(config)# http 192.168.2.10 255.255.255.255 management
ASA2(config)# username admin password cisco privilege 15
7. When the copy is complete, save your configuration using the wr
command and then reload the firewall using the 'reload' command.
Note: to complete the next step, you will need to disable or configure
your PC firewall. You may also need to disable pop-up blocking in your browser
and in the Java configuration. Lastly, you may need to add
https://192.168.2.2 to the trusted sites under the Internet security
options. You may also need to install the certificate in your browser.

8. Open your browser and browse to https://192.168.2.2 and click the
Install ASDM Launcher button to download and install the ASDM app
from the ASA.
9. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the
name admin and password cisco.

Task 8: Configure the ASA using ASDM.


Step 1: Basic configuration.
1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter Hostname ASA1 and Domain Name Local, and click Next.
5. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet0
Interface name: outside
Security level: 0
IP address: 209.165.200.226
Subnet mask: 255.255.255.248
6. Click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following:
Interface: GigabitEthernet1
Interface name: inside
Security level: 0
IP address: 192.168.20.1
Subnet mask: 255.255.255.0
9. Click OK.
10. Click Next.
11. Click Add and enter the following:
Interface: inside
Network: any
Gateway IP: 209.165.200.225
12. Click OK.
13. Click Next.
14. Enable the DHCP server on the inside interface.
15. Enter the starting IP address 192.168.0.10 and the ending IP
address 192.168.10.100.
16. Click Next.
17. Select Use the IP address on GigabitEthernet0 interface.
18. Click Next.
19. Click Next.
20. Click Next.
21. Select Do not enable Smart Call Home and click Next.
22. Verify the configuration.
23. Click Finish.
24. Select Send.

Step 2: Create a global service policy.


1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, make the policy name global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:
DNS
ESMTP
FTP
H.323 H.225
HTTP
ICMP
IP-OPTIONS
NETBIOS
8. Click Finish.
9. Click Apply.
10. Click Send.

Task 9: Verifying the Remote configuration.


1. From REMOTE-PC, Telnet to the INTERNET server using the username
admin and the password cisco.
2. Enter exit.
3. From REMOTE-PC, Telnet to the DMZ server's outside address
209.165.200.229 using the username admin and the password cisco.
4. Enter exit.
5. Ensure you cannot Telnet to LOCAL-PC or the LOCAL server from REMOTE-PC.
Configure the Site-To-Site VPN
For this part of our lab we will be using ASDM to configure the Local and
Remote side of our Site-To-Site VPN.

Local site.
1. Open your browser and browse to https://192.168.2.1 and click the
Install ASDM Launcher button to download and install the ASDM app
from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the
name admin and password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and select Site-to-Site VPN
Wizard.
5. Click Next.
6. Enter the outside address of ASA2 as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the
Local Network.
12. Select the Remote Network drop-down.
13. Click Add, select Network Object and enter the following:
Name: remote-subnet
Type: Network
IP Address: 192.168.20.0
Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key.
18. Click Next.
19. Take the defaults for the IKE Policy and IPsec Proposal.
20. Click Next.
21. Check the remaining 2 boxes.
22. Click Next.
23. Ensure the configuration is OK and click Finish.
24. Click Send.

This completes the site-to-site VPN configuration on the Local site.


Remote site.
1. Open your browser and browse to https://192.168.2.2 and click
the Install ASDM Launcher button to download and install the ASDM
app from the ASA.
2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with
the name admin and password cisco.
3. From the menu bar select Wizards.
4. From the drop-down select VPN Wizards and select Site-to-Site
VPN Wizard.
5. Click Next.
6. Enter the outside address of ASA1 as the Peer IP Address.
7. Ensure the VPN Access Interface is outside.
8. Click Next.
9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.
10. Click Next.
11. From the Local Network drop-down select inside-subnet as the
Local Network.
12. Select the Remote Network drop-down.
13. Click Add, select Network Object and enter the following:
Name: remote-subnet
Type: Network
IP Address: 192.168.10.0
Netmask: 255.255.255.0
14. Click OK.
15. Select remote-subnet as the Remote Network.
16. Click Next.
17. Enter cisco as the Pre-shared Key.
18. Click Next.
19. Take the defaults for the IKE Policy and IPsec Proposal.
20. Click Next.
21. Check the remaining 2 boxes.
22. Click Next.
23. Ensure the configuration is OK and click Finish.
24. Click Send.

This completes the site-to-site VPN configuration on the Remote site.


Verifying the VPN configuration
1. From the REMOTE-PC telnet the LOCAL server 192.168.10.200 using
the username admin and password cisco.
2. Type exit
3. From the REMOTE-PC telnet the INTERNET server 209.165.200.11 using
the username admin and password cisco.
4. Type exit
5. From the REMOTE-PC telnet the DMZ server 209.165.200.229 using the
username admin and password cisco.
6. Type exit
7. From the INTERNET server, ensure you cannot access the inside of the
LOCAL or REMOTE site.
8. From the command prompt of ASA2 issue the following commands and
observe the output.
ASA2# sh crypto isakmp sa

IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 209.165.200.226
Type : L2L
Role : initiator
Rekey : no
State : MM_ACTIVE
There are no IKEv2 SAs
ASA2# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
access-list outside_cryptomap extended permit ip 192.168.20.0
255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 209.165.200.226
#pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
#pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 201, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.165.200.234/0, remote crypto endpt.: 209.165.200.226/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 36C6AFF0
current inbound spi : DCCD0B9F
inbound esp sas:
spi: 0xDCCD0B9F (3704425375)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373992/28356)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x36C6AFF0 (918990832)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373991/28356)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside-subnet object remote-subnet (hitcnt=3) 0x6742cde6
access-list outside_cryptomap line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=5) 0x6742cde6

ASA2# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN               :      1 :          1 :           1
  IKEv1 IPsec                  :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1
Total Cumulative             :      1
Device Total VPN Capacity    :      0
Device Load                  :      0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             --------------------------------------
IKEv1                          :      1 :          1 :           1
IPsec                          :      1 :          1 :           1
---------------------------------------------------------------------------
Totals                         :      2 :          2
---------------------------------------------------------------------------
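As an added verification helper (not part of this lab and not a Cisco or ASDM tool), the following Python parses the two show commands above and flags the usual site-to-site failure modes: no phase 1 SA, a phase 1 SA that is not MM_ACTIVE, no phase 2 SA, proxy identities that do not match the expected crypto ACL, one-way traffic, weak transforms, and missing PFS or anti-replay. The embedded sample is the ASA2 output from this lab, trimmed to the lines the parser reads; the expected identities are the ones in ASA2's crypto ACL.

```python
"""Sanity-check ASA 'show crypto isakmp sa' / 'show crypto ipsec sa' output for a
site-to-site tunnel. Added example for this lab, not Cisco or ASDM code."""
import re

# Constructed sample: the ASA2 output shown in this lab, trimmed to the lines
# the parser reads (indentation approximates the real ASA layout).
ISAKMP_SA = """\
IKEv1 SAs:
   Active SA: 1
Total IKE SA: 1
1   IKE Peer: 209.165.200.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs
"""

IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 209.165.200.226
      #pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
      #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
      #send errors: 0, #recv errors: 0
    inbound esp sas:
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         replay detection support: Y
    outbound esp sas:
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         replay detection support: Y
"""

IKE_PEER_RE = re.compile(
    r"IKE Peer: (?P<peer>\S+)\s+Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)"
    r"\s+Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)")
# Phase 2 transforms a newly built tunnel should not be negotiating.
WEAK_TRANSFORMS = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-null")


def parse_isakmp(text):
    """One dict per IKEv1 peer; an empty list means phase 1 never completed."""
    return [m.groupdict() for m in IKE_PEER_RE.finditer(text)]


def _count(label, text):
    m = re.search(re.escape(label) + r"\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def parse_ipsec(text):
    """Identities, counters and SA attributes of the first IPsec SA, or None if no SA exists."""
    peer = re.search(r"current_peer:\s*(\S+)", text)
    if not peer:
        return None

    def ident(side):  # (network, mask) of the local or remote proxy identity
        m = re.search(side + r" ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
        return m.groups() if m else None

    return {
        "peer": peer.group(1), "local": ident("local"), "remote": ident("remote"),
        "encaps": _count("#pkts encaps:", text), "decaps": _count("#pkts decaps:", text),
        "send_errors": _count("#send errors:", text), "recv_errors": _count("#recv errors:", text),
        "transforms": [t.strip() for t in re.findall(r"transform: (.+)", text)],
        "pfs_groups": re.findall(r"PFS Group (\d+)", text),
        "replay": re.findall(r"replay detection support: (\w)", text),
    }


def check_tunnel(isakmp_text, ipsec_text, expected_local, expected_remote):
    """Return a list of findings (empty = healthy). expected_local/expected_remote are the
    (network, mask) pairs of the crypto ACL on the ASA whose output is checked."""
    findings = []
    peers = parse_isakmp(isakmp_text)
    if not peers:
        findings.append("no IKEv1 SA: phase 1 failed (peer address, pre-shared key or IKE policy)")
    for p in peers:
        if p["state"] != "MM_ACTIVE":
            findings.append(f"phase 1 with {p['peer']} is {p['state']}, not MM_ACTIVE")
    sa = parse_ipsec(ipsec_text)
    if sa is None:
        findings.append("no IPsec SA: phase 2 failed (transform set or crypto ACL mismatch)")
        return findings
    if (sa["local"], sa["remote"]) != (expected_local, expected_remote):
        findings.append("proxy identities differ from the expected crypto ACL (peer ACLs must mirror)")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way traffic: packets sent but none received (far-side NAT exemption/routes)")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"SA errors: send={sa['send_errors']} recv={sa['recv_errors']}")
    findings += [f"weak transform in use: {t}" for t in sa["transforms"]
                 if any(w in t for w in WEAK_TRANSFORMS)]
    if not sa["pfs_groups"]:
        findings.append("PFS not enabled on this SA")
    if any(r != "Y" for r in sa["replay"]):
        findings.append("anti-replay disabled on an ESP SA")
    return findings
```

Run it against the output of the ASA you are checking; the same check with ASA1's output expects the identities the other way round, which is the mirror-image rule the two wizard runs above rely on.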