In this article I will be showing you how to configure a site-to-site VPN on an ASA.
Also included within this example is a group policy (named "GROUPPOLICY100") with which we restrict access between the two endpoints to just TCP/80 traffic.
Please note: this example presumes that you have already created the object groups LOCAL-ENCDOM and REMOTE-ENCDOM.
Access-Lists
Add the ACLs which we will need for the NAT exemption, the encryption domain and the group policy's VPN filter.
access-list VPN-FILTER extended permit tcp object-group REMOTE-ENCDOM object-group LOCAL-ENCDOM eq 80
access-list VPN-FILTER extended deny ip any any
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
Group Policy
Create your group policy which will restrict traffic between hosts within your encryption domain. Note that a vpn-filter ACL is evaluated with the remote peer's hosts as the source, which is why VPN-FILTER lists REMOTE-ENCDOM before LOCAL-ENCDOM; the filter applies in both directions of the tunnel.
group-policy GROUPPOLICY100 internal
group-policy GROUPPOLICY100 attributes
vpn-filter value VPN-FILTER
NAT
Add your NAT exemption (no-NAT) for traffic within the encryption domain. This is the pre-8.3 NAT syntax and is applied on the interface facing the local hosts (inside here); on 8.3 and later the same exemption is configured with twice NAT instead.
nat (inside) 0 access-list ENCDOM100
Tunnel Group
Create your tunnel group which will include your pre-shared key.
tunnel-group [Peer IP] type ipsec-l2l
tunnel-group [Peer IP] general-attributes
default-group-policy GROUPPOLICY100
tunnel-group [Peer IP] ipsec-attributes
pre-shared-key [pre-shared key]
Phase 1
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption [algorithm]
hash [hash]
group [DH group]
lifetime [secs]
Phase 2
Create the transform set, then build the crypto map entry and apply the map to the outside interface. This example uses 3DES/SHA-1 transforms; AES and SHA-2 are preferred where both peers support them.
crypto ipsec transform-set [transform set name] esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set transform-set [transform set name]
crypto map outside 100 set peer [Peer IP]
crypto map outside 100 set security-association lifetime seconds [secs]
Misc
To ensure that any traffic that is passed through a VPN tunnel and decrypted will bypass the interface access-lists, the following sysopt command is required. Please note: group policy and per-user authorization access lists still apply to the traffic.
sysopt connection permit-vpn
Note: if the traffic is going outbound (i.e. it is not coming out of the VPN tunnel but going into it), then you will need to add an access-list entry on the inside interface to permit the traffic.
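As an added example (not part of the original article), a small Python check that parses a config in the shape shown above and verifies the cross-references that most often break a tunnel: the vpn-filter ACL is written remote-to-local, the crypto map's match ACL exists and is also used for the NAT exemption, each crypto map peer has an ipsec-l2l tunnel-group, and sysopt connection permit-vpn is present. The sample config is constructed, with the documentation address 203.0.113.2 standing in for [Peer IP].

```python
import re

# Constructed sample in the shape of this article; 203.0.113.2 is a documentation
# address standing in for [Peer IP], not a real endpoint.
SAMPLE_CONFIG = """\
access-list VPN-FILTER extended permit tcp object-group REMOTE-ENCDOM object-group LOCAL-ENCDOM eq 80
access-list VPN-FILTER extended deny ip any any
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
group-policy GROUPPOLICY100 attributes
 vpn-filter value VPN-FILTER
nat (inside) 0 access-list ENCDOM100
tunnel-group 203.0.113.2 type ipsec-l2l
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set peer 203.0.113.2
sysopt connection permit-vpn
"""

def check_l2l_config(cfg, local="LOCAL-ENCDOM", remote="REMOTE-ENCDOM"):
    """Return a list of findings; an empty list means every cross-reference lines up."""
    findings = []
    acls = {}  # ACL name -> list of (action, body) entries
    for name, action, body in re.findall(r"^access-list (\S+) (?:extended )?(permit|deny) (.*)$", cfg, re.M):
        acls.setdefault(name, []).append((action, body))
    # A vpn-filter ACL is evaluated with the REMOTE side as source, so its permit
    # entries must be written remote -> local (checked here by object-group order).
    for name in re.findall(r"^\s*vpn-filter value (\S+)", cfg, re.M):
        entries = acls.get(name)
        if not entries:
            findings.append(f"vpn-filter {name}: ACL not defined")
            continue
        for action, body in entries:
            if action == "permit" and f"object-group {remote} object-group {local}" not in body:
                findings.append(f"vpn-filter {name}: permit entry is not remote->local: {body}")
    # The crypto map's match ACL must exist and be the same ACL used for the nat 0 exemption.
    nat0 = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", cfg, re.M))
    for seq, name in re.findall(r"^crypto map \S+ (\d+) match address (\S+)", cfg, re.M):
        if name not in acls:
            findings.append(f"crypto map {seq}: match ACL {name} not defined")
        elif name not in nat0:
            findings.append(f"crypto map {seq}: no nat 0 exemption for {name}")
    # Every crypto map peer needs an ipsec-l2l tunnel-group carrying its pre-shared key.
    l2l = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M))
    for seq, peer in re.findall(r"^crypto map \S+ (\d+) set peer (\S+)", cfg, re.M):
        if peer not in l2l:
            findings.append(f"crypto map {seq}: no ipsec-l2l tunnel-group for peer {peer}")
    if not re.search(r"^sysopt connection permit-vpn", cfg, re.M):
        findings.append("sysopt connection permit-vpn absent: interface ACLs apply to decrypted traffic")
    return findings
```

Run it against `show running-config` output (saved to a file and read into `cfg`) before bringing a new tunnel up; a reversed vpn-filter or a missing tunnel-group shows up as a finding rather than as a silently dropped flow.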