Cisco ASA: Site-to-Site VPN Configuration Example

In this article I want to show a basic configuration example of how to establish a site-to-site VPN between two Cisco ASAs. Even though it is more comfortable to configure this kind of setup through the ASDM GUI, I thought it would be a good exercise to set everything up on the console.

Goal

  • Monitoring asaSiteA via SNMP and ICMP ping from the hosts hostSiteB-SNMP and hostSiteB-Ping
  • Sending asaSiteA's syslog messages to hostSiteB-Syslog
  • Relaying DNS queries sent to asaSiteA to hostSiteB-DNS
  • Allowing netSiteA to access a web service hosted on hostSiteB-WWW
  • Tunneling all traffic between netSiteA and netSiteB

Network Diagram


 +-----------------------+          +---------------------------------+
 | netSiteA              |          | netSiteB                        |
 |-----------------------|          |---------------------------------|
 |             +--------+|          |+--------+     +----------------+|
 |             |asaSiteA|<---------->|asaSiteB+--+--+hostSiteB-SNMP  ||
 |             +--------+|          |+--------+  |  +----------------+|
 +-----------------------+          |            |--+hostSiteB-WWW   ||
                                    |            |  +----------------+|
 +---------------------------+      |            |--+hostSiteB-Syslog||
 | Network Entities          |      |            |  +----------------+|
 |---------------------------|      |            |--+hostSiteB-DNS   ||
 |netSiteA: 10.0.1.0/24      |      |            |  +----------------+|
 |netSiteB: 10.0.2.0/24      |      |            +--+hostSiteB-Ping  ||
 |                           |      |               +----------------+|
 |asaSiteA-int:  10.0.1.1    |      +---------------------------------+
 |asaSiteA-ext: 10.0.10.1    |
 |                           |
 |asaSiteB-int:  10.0.2.1    |
 |asaSiteB-ext: 10.0.20.1    |
 |                           |
 |hostSiteB-Syslog: 10.0.2.10|
 |hostSiteB-SNMP:   10.0.2.11|
 |hostSiteB-Ping:   10.0.2.12|
 |hostSiteB-DNS:    10.0.2.13|
 |hostSiteB-WWW:    10.0.2.14|
 +---------------------------+

Config of asaSiteA (only relevant parts)


! Object definitions
name asaSiteA-int 10.0.1.1
name asaSiteA-ext 10.0.10.1
name asaSiteB-ext 10.0.20.1

object network netSiteA
 subnet 10.0.1.0 255.255.255.0

object network netSiteB
 subnet 10.0.2.0 255.255.255.0

object network hostSiteB-Syslog
 host 10.0.2.10

object network hostSiteB-SNMP
 host 10.0.2.11

object network hostSiteB-Ping
 host 10.0.2.12

object network hostSiteB-DNS
 host 10.0.2.13

object network hostSiteB-WWW
 host 10.0.2.14

object service dns
 service udp destination eq domain
 description dns

! Interface settings
interface Ethernet0/0
 nameif int
 security-level 100
 ip address asaSiteA-int 255.255.255.0

interface Ethernet0/1
 nameif ext
 security-level 0
 ip address asaSiteA-ext 255.255.255.0

! Traffic that gets encrypted and sent through VPN
access-list acl_crypt remark Crypt_IP_netSiteA_to_netSiteB
access-list acl_crypt extended permit ip object netSiteA object netSiteB

! ACL for interface "ext" (inbound)
access-list acl_ext_in remark Allow_ICMP_hostSiteB-Ping_to_netSiteA
access-list acl_ext_in extended permit icmp object hostSiteB-Ping object netSiteA log
access-list acl_ext_in remark Allow_SNMP_hostSiteB-SNMP_to_netSiteA
access-list acl_ext_in extended permit udp object hostSiteB-SNMP object netSiteA eq snmp log
access-list acl_ext_in remark Default_Deny
access-list acl_ext_in extended deny ip any any log

! ACL for interface "int" -> allow all outbound IP traffic to netSiteB
access-list acl_int_in remark Allow_IP_netSiteA_to_netSiteB
access-list acl_int_in extended permit ip object netSiteA object netSiteB log
access-list acl_int_in remark Default_Deny
access-list acl_int_in extended deny ip any any log

! Binding the ACLs to their interfaces
access-group acl_ext_in in interface ext
access-group acl_int_in in interface int

! Setting up VPN parameters
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer asaSiteB-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map ext_map interface ext
crypto ikev1 enable ext
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Group policy referenced by the tunnel-group below
group-policy Policy_L2L internal
group-policy Policy_L2L attributes
 vpn-tunnel-protocol ikev1

! Setting up VPN tunnels
tunnel-group asaSiteB-ext type ipsec-l2l
tunnel-group asaSiteB-ext general-attributes
 default-group-policy Policy_L2L
tunnel-group asaSiteB-ext ipsec-attributes
 ikev1 pre-shared-key 1234

! Allow management traffic (e.g. SNMP, syslog) to and from the int interface address across the VPN
management-access int

! Enable syslog logging to SiteB
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm notifications
logging host int hostSiteB-Syslog
logging permit-hostdown

! Enable SNMP
snmp-server group authPriv v3 priv
snmp-server user snmpuser authPriv v3 encrypted auth md5 xxx priv des xxx
snmp-server host int hostSiteB-SNMP poll version 3 snmpuser

! Relay (NAT) DNS queries sent to asaSiteA to hostSiteB-DNS
nat (int,ext) source static any any destination static interface hostSiteB-DNS service dns dns
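Every access-list entry above carries the log keyword and the ASA ships its syslog to hostSiteB-Syslog, so the natural complement to this config is something that reads those messages. The following Python script is an added example and not part of the original article: it parses the %ASA-6-106100 messages that logged ACEs generate (message layout taken from the ASA syslog message reference; the timestamp prefix and the sample lines themselves are constructed) and reports two things a defender wants from this design: a flow that the Goal list says must work but is being denied (a policy or tunnel problem), and sources that keep hitting a deny entry. The EXPECTED table and the deny threshold of 3 are my assumptions, not anything the ASA provides.

```python
"""Turn the %ASA-6-106100 messages that ACEs with the 'log' keyword emit into two
defender signals: flows that are supposed to work but are being denied (policy or
tunnel problem), and sources that keep hitting a deny entry (scan or stray host)."""
import ipaddress
import re
from collections import Counter

# 106100 body per the ASA syslog message reference; the optional identity-firewall
# "(user, sg)" fields are not handled. Anything before "%ASA" (timestamp, host) is ignored.
MSG_106100 = re.compile(
    r"%ASA-6-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/ ]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/ ]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

# Assumed table of flows the Goal section says must work: (proto, src, dst, dport, label).
EXPECTED = [
    ("udp", "10.0.2.11/32", "10.0.1.1/32", 161, "SNMP poll of asaSiteA from hostSiteB-SNMP"),
    ("udp", "10.0.1.1/32", "10.0.2.10/32", 514, "syslog from asaSiteA to hostSiteB-Syslog"),
    ("udp", "10.0.1.0/24", "10.0.2.13/32", 53, "DNS from netSiteA to hostSiteB-DNS"),
    ("tcp", "10.0.1.0/24", "10.0.2.14/32", 80, "web access from netSiteA to hostSiteB-WWW"),
]


def parse_106100(line):
    """Return the message fields as a dict, or None if the line is not a 106100 message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "hits"):
        ev[key] = int(ev[key])
    return ev


def expected_flow(ev):
    """Label of the EXPECTED entry this event belongs to, or None."""
    for proto, src, dst, dport, label in EXPECTED:
        if (ev["proto"] == proto and ev["dport"] == dport
                and ipaddress.ip_address(ev["src"]) in ipaddress.ip_network(src)
                and ipaddress.ip_address(ev["dst"]) in ipaddress.ip_network(dst)):
            return label
    return None


def analyse(lines, deny_threshold=3):
    """Return (misconfig, noisy): labels of expected flows seen denied, and the
    (acl, source) pairs whose summed deny hit-cnt reaches deny_threshold."""
    misconfig, denies = [], Counter()
    for line in lines:
        ev = parse_106100(line)
        if ev is None or ev["action"] != "denied":
            continue
        denies[(ev["acl"], ev["src"])] += ev["hits"]
        label = expected_flow(ev)
        if label:
            misconfig.append(f"{label} denied by {ev['acl']} on {ev['src_if']}")
    noisy = {key: hits for key, hits in denies.items() if hits >= deny_threshold}
    return misconfig, noisy


# Constructed sample lines as both ASAs would ship them to hostSiteB-Syslog.
SAMPLE = [
    "Jan 12 2012 10:15:01: %ASA-6-106100: access-list acl_int_in permitted tcp "
    "int/10.0.1.50(51234) -> ext/10.0.2.14(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "Jan 12 2012 10:15:04: %ASA-6-106100: access-list acl_ext_in denied udp "
    "ext/10.0.1.20(53211) -> int/10.0.2.13(53) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]",
    "Jan 12 2012 10:15:09: %ASA-6-106100: access-list acl_ext_in denied tcp "
    "ext/10.0.20.77(40000) -> int/10.0.2.14(22) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]",
    "Jan 12 2012 10:15:09: %ASA-6-106100: access-list acl_ext_in denied tcp "
    "ext/10.0.20.77(40001) -> int/10.0.2.14(23) hit-cnt 1 first hit [0x3a4b5c6d, 0x0]",
    "Jan 12 2012 10:15:10: %ASA-6-106100: access-list acl_ext_in denied tcp "
    "ext/10.0.20.77(40002) -> int/10.0.2.14(443) hit-cnt 1 first hit [0x7e8f9a0b, 0x0]",
    "Jan 12 2012 10:16:30: %ASA-6-106100: access-list acl_int_in denied tcp "
    "int/10.0.1.50(51300) -> ext/10.0.3.9(80) hit-cnt 2 300-second interval [0x1c2d3e4f, 0x0]",
]

if __name__ == "__main__":
    misconfig, noisy = analyse(SAMPLE)
    print("expected flows denied:", misconfig)
    print("noisy deny sources:", noisy)
```

On the sample input the second line (a netSiteA host whose DNS query to hostSiteB-DNS is denied on asaSiteB's ext interface) is reported as a misconfiguration, and the three denies from 10.0.20.77 are summed into one noisy source; a per-source counter keyed on the ACL name is what lets you tell a scan on the outside from a stray internal host hitting the int default-deny.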

Config of asaSiteB (only relevant parts)


! Object definitions
name asaSiteB-int 10.0.2.1
name asaSiteB-ext 10.0.20.1

! asaSiteA's inside address, referenced by the acl_ext_in entries below
object network asaSiteA-int
 host 10.0.1.1

object network netSiteA
 subnet 10.0.1.0 255.255.255.0

object network netSiteB
 subnet 10.0.2.0 255.255.255.0

object network hostSiteB-Syslog
 host 10.0.2.10

object network hostSiteB-SNMP
 host 10.0.2.11

object network hostSiteB-Ping
 host 10.0.2.12

object network hostSiteB-DNS
 host 10.0.2.13

object network hostSiteB-WWW
 host 10.0.2.14

! Interface settings
interface Ethernet0/0
 nameif int
 security-level 100
 ip address asaSiteB-int 255.255.255.0

interface Ethernet0/1
 nameif ext
 security-level 0
 ip address asaSiteB-ext 255.255.255.0

! Traffic that gets encrypted and sent through VPN
access-list acl_crypt remark Crypt_IP_netSiteB_to_netSiteA
access-list acl_crypt extended permit ip object netSiteB object netSiteA

! ACL for interface "ext" (inbound)
access-list acl_ext_in remark Allow_Syslog_asaSiteA-int_to_hostSiteB-Syslog
access-list acl_ext_in extended permit udp object asaSiteA-int object hostSiteB-Syslog eq syslog log
access-list acl_ext_in remark Allow_SNMP_asaSiteA-int_to_hostSiteB-SNMP
access-list acl_ext_in extended permit udp object asaSiteA-int object hostSiteB-SNMP eq snmp log
access-list acl_ext_in remark Allow_DNS_netSiteA_to_hostSiteB-DNS
access-list acl_ext_in extended permit udp object netSiteA object hostSiteB-DNS eq domain log
access-list acl_ext_in remark Allow_WWW_netSiteA_to_hostSiteB-WWW
access-list acl_ext_in extended permit tcp object netSiteA object hostSiteB-WWW eq www log
access-list acl_ext_in remark Default_Deny
access-list acl_ext_in extended deny ip any any log

! ACL for interface "int" -> allow all outbound IP traffic to netSiteA
access-list acl_int_in remark Allow_IP_netSiteB_to_netSiteA
access-list acl_int_in extended permit ip object netSiteB object netSiteA log
access-list acl_int_in remark Default_Deny
access-list acl_int_in extended deny ip any any log

! Binding the ACLs to their interfaces
access-group acl_ext_in in interface ext
access-group acl_int_in in interface int

! Setting up VPN parameters
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map ext_map 100 match address acl_crypt
crypto map ext_map 100 set pfs group5
crypto map ext_map 100 set peer asaSiteA-ext
crypto map ext_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map ext_map interface ext
crypto ikev1 enable ext
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Group policy referenced by the tunnel-group below
group-policy Policy_L2L internal
group-policy Policy_L2L attributes
 vpn-tunnel-protocol ikev1

! Setting up VPN tunnels
tunnel-group asaSiteA-ext type ipsec-l2l
tunnel-group asaSiteA-ext general-attributes
 default-group-policy Policy_L2L
tunnel-group asaSiteA-ext ipsec-attributes
 ikev1 pre-shared-key 1234

! Allow management traffic (e.g. SNMP, syslog) to and from the int interface address across the VPN
management-access int

! Enable syslog logging to hostSiteB-Syslog
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm notifications
logging host int hostSiteB-Syslog
logging permit-hostdown

! Enable SNMP
snmp-server group authPriv v3 priv
snmp-server user snmpuser authPriv v3 encrypted auth md5 xxx priv des xxx
snmp-server host int hostSiteB-SNMP poll version 3 snmpuser

Remarks

Unfortunately, I could not test this setup 1:1, but it was derived from an actually running configuration I recently had to set up. If you think something seems wrong, please drop me a comment.

Further Reference

  • Cisco ASA Config Guide
  • asciiflow – an online tool to draw ASCII network plans