Hey everyone, I have a guide I created myself for establishing a site-to-site VPN tunnel between 2 Cisco ASAs.
I have performed these steps on both sides but still can't get IPsec SAs to show.
Can someone let me know if anything from the guide is missing or incorrect?
Keep in mind I'm going for a basic IPsec tunnel, nothing fancy.
Also, could someone shed some light on a confusing topic: when I am setting the tunnel group and peer IP, I'm confused as to what I'm supposed to enter.
When you get a static address from, say, Comcast, you get a peer IP and a usable IP, so let's say 1.1.1.2 is the usable and the peer IP is 1.1.1.1,
but when setting the peer IP in the configs I'm confused as to whether to use the peer IP from the ISP, 1.1.1.1, or the outside interface of your device, 1.1.1.2?
Let me know.
*Keep in mind this is for a Cisco ASA 5505.
Create 2 SVIs, one for inside and one for outside
GFirewall(config)# int vlan 77
GFirewall(config-if)# ip address 192.168.1.254 255.255.255.0
GFirewall(config-if)# nameif inside
GFirewall(config-if)# no shut
GFirewall(config-if)# interface ethernet 0/7
GFirewall(config-if)# switchport access vlan 77
GFirewall(config-if)# no shut
^ repeat this step for outside interface with new VLAN
Pick an interface (should be higher numbered interface for inside connection)
Ethernet 0/7
Set the route as the peered IP address (not usable)
GFirewall(config)# route outside 0.0.0.0 0.0.0.0 24.15.12.6
ACL ACEs
access-list P2PACL line 60 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list P2PACL line (ACE) 60 extended permit ip (source) 192.168.1.0 255.255.255.0 (destination) 10.0.0.0 255.0.0.0
Add additional ACEs for the public IP addresses
access-list P2PACL line 70 extended permit ip 25.25.25.25 255.255.255.252 64.64.64.64 255.255.255.252
Set IKE V1 phase 1
Create a policy
GFirewall(config)# crypto ikev1 policy 1
GFirewall(config-ikev1-policy)# authentication pre-share
GFirewall(config-ikev1-policy)# encryption aes-256
GFirewall(config-ikev1-policy)# group 2
GFirewall(config-ikev1-policy)# hash sha
GFirewall(config-ikev1-policy)# lifetime 86400 (*set lower to be more secure however uses more resources)
Enable IKE V1 on outside interface
GFirewall(config)# crypto ikev1 enable outside
Set IKE V1 Phase 2
GFirewall(config)# tunnel-group 1.1.1.1 type ipsec-l2l (* Use peer IP address (other ASA outside interface IP address) as tunnel group ID)
GFirewall(config)# tunnel-group 1.1.1.1 ipsec-attributes
GFirewall(config-tunnel-ipsec)# ikev1 pre-shared-key MGTech$upport (make sure there is no space at the end of the pre shared key)
Set the transform set
GFirewall(config)# crypto ipsec ikev1 transform-set GFIREWALLT1 esp-aes-256 esp-sha-hmac
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set peer 1.1.1.1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set ikev1 transform-set GFIREWALLT1
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 match address P2PACL (* Create ACL with multiple ACEs of subnets to allow; *make sure you include nonat in front of extended ACL)
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP 10 set security-association lifetime seconds 86400
GFirewall(config)# crypto map GFIREWALLCRYPTOMAP interface outside
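As an added example (not from the original post and not Cisco code): a small Python checker that parses the settings this guide configures on each ASA (outside interface address, crypto ACL, transform set, set peer, pre-shared key) from both sides and reports the mismatches that commonly keep phase 1 or phase 2 from completing, so nothing shows under show crypto ipsec sa. The configs are constructed with placeholder addresses and key; asa_cfg, parse_asa and check_pair are names chosen here.

```python
import re
from ipaddress import IPv4Network
def asa_cfg(outside, peer, local, remote, psk):
    """Constructed ASA-style config in the shape of the guide (placeholder values)."""
    return f"""interface Vlan2
 nameif outside
 ip address {outside} 255.255.255.252
access-list P2PACL line 60 extended permit ip {local} {remote}
crypto ipsec ikev1 transform-set T1 esp-aes-256 esp-sha-hmac
crypto map CM 10 set peer {peer}
tunnel-group {peer} ipsec-attributes
 ikev1 pre-shared-key {psk}
"""

def parse_asa(cfg):
    d, cur = {"acl": set(), "ts": None, "peer": None, "psk": None, "outside": None}, {}
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {}  # new interface block: forget the previous nameif/address pair
        elif m := re.match(r"(ip address|nameif) (\S+)", line):
            cur[m[1]] = m[2]
        elif m := re.match(r"access-list \S+ (?:line \d+ )?extended permit ip (\S+ \S+) (\S+ \S+)$", line):
            d["acl"].add(tuple(IPv4Network(n.replace(" ", "/")) for n in m.groups()))
        elif m := re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)$", line):
            d["ts"] = tuple(sorted(m[1].split()))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            d["peer"] = m[1]
        elif m := re.match(r"ikev1 pre-shared-key (.*)$", raw.lstrip()):
            d["psk"] = m[1]  # trailing blanks kept: the ASA stores them as part of the key
        if cur.get("nameif") == "outside" and "ip address" in cur:
            d["outside"] = cur["ip address"]
    return d

def check_pair(a, b):
    """Mismatches between the two sides that typically leave 'show crypto ipsec sa' empty."""
    issues = []
    if a["psk"] != b["psk"]:
        hint = " (only trailing whitespace)" if (a["psk"] or "").strip() == (b["psk"] or "").strip() else ""
        issues.append("phase 1: pre-shared-key differs" + hint)
    if a["ts"] != b["ts"]:
        issues.append("phase 2: transform-set differs")
    if a["acl"] != {(dst, src) for src, dst in b["acl"]}:  # each side's ACL must mirror the other's
        issues.append("phase 2: crypto ACL is not the mirror image of the peer's")
    if a["peer"] != b["outside"] or b["peer"] != a["outside"]:
        issues.append("set peer must be the other ASA's outside interface address")
    return issues

SITE_A = asa_cfg("203.0.113.2", "198.51.100.2", "192.168.1.0 255.255.255.0", "10.0.0.0 255.0.0.0", "ExampleKey")
SITE_B = asa_cfg("198.51.100.2", "203.0.113.2", "10.0.0.0 255.0.0.0", "192.168.1.0 255.255.255.0", "ExampleKey ")  # constructed: key typed with a trailing blank
```

Run check_pair(parse_asa(SITE_A), parse_asa(SITE_B)) to see the whitespace-only key mismatch the guide warns about; the same check flags a set peer that points at the ISP's gateway instead of the other ASA's outside address.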