fir3net
PPS-Firenetbanner-780.5x190-30-03-17

ASA - Site to Site VPN Example

In this article I will be showing you how to configure a Site 2 Site VPN on a ASA.
Also included within this example is a group-policy (named "GROUPPOLICY100") which we restrict access between the 2 endpoints to just tcp/80 traffic.

Please Note : This example presumes that you have already created the object groups for LOCAL-ENCDOM and REMOTE-ENCDOM.

Access-Lists

Add the ACLs which we will need to NAT, the encryption domain and the group policy.

access-list VPN-FILTER extended permit tcp object-group REMOTE-ENCDOM object-group LOCAL-ENCDOM eq 80
access-list VPN-FILTER extended deny ip any any
access-list ENCDOM100 permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM

Group Policy

Create your group policy which will restrict traffic between hosts within your encryption domain.

group-policy GROUPPOLICY100 internal
group-policy GROUPPOLICY100 attributes
 vpn-filter value VPN-FILTER

NAT

Add your No NAT for traffic within the encryption domain

nat (outside) 0 access-list ENCDOM100

Tunnel Group

Create your tunnel group which will include your pre-shared key.

tunnel-group [Peer IP] type ipsec-l2l
tunnel-group [Peer IP] general-attributes
 default-group-policy GROUPPOLICY100
tunnel-group [Peer IP] ipsec-attributes
 pre-shared-key [pre-share key]

Phase 1

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption [?]
 hash [?]
 group [?]
 lifetime [secs]

Phase 2

crypto ipsec transform-set [transform set name] esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside 100 match address ENCDOM100
crypto map outside 100 set transform-set [transform set]
crypto map outside 100 set peer [Peer IP]
crypto map outside 100 set security-association lifetime seconds [secs]

Misc

To ensure that any traffic that is passed through a VPN tunnel and decrypted will bypass interface access-lists the following sysopt command will be required. Please Note : Group policy and per-user authorization access lists still apply to the traffic.

sysopt connection permit-vpn

Note : If the traffic is going outbound (i.e is not coming out from the VPN tunnel but going into the tunnel) then you will need to add an access-list entry to permit the traffic.

Tags: ASA, VPN

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001