Cisco Labs – Network Security (6) – Site to site VPN tunnel using pre-shared keys ASA,Router

NS2 – Modul4 4.5.5b ASA – IOS task definition

Site to site VPN tunnel using pre-shared keys ASA,Router


  • Site to site VPN tunnel using pre-share keys will be inicialized.
  • Router3 will only pass traffic to site routers. It simulates internet.
  • Only traffic from LAN 1 and LAN 2 will be encrypted.
  • Static routes or rip routing protocol.
  • This task demonstrates ASA to IOS tunneling.
  • Clear and reinitialize VPN tunnel.
  • Do not forget to have configuration erased before startup and check if IOS is compatible with needed features.

Required time

3 hours

Theoretical background

Here will be short theoretical background for solving this task.





ifconfig INT7 netmask
route add default gw dev INT7


ifconfig INT8 netmask
route add default gw dev INT8

Asa1, Router2, Router3

1) interface settings + static routes + NAT:

ASA1(config)#domain-name test									;set domain name
ASA1(config)#interface INT1									;on interface set following
ASA1(conf-if)#switchport mode access								;set port on a switch to access mode
ASA1(conf-if)#switchport access vlan 10								;access to vlan 10
ASA1(conf-if)#no shutdown									;turn on switchport
ASA1(config)#interface vlan 10									;on vlan interface set following
ASA1(conf-if)#ip address						;set ip address and mask
ASA1(conf-if)#nameif inside									;name interface and security level will be set by default
ASA1(conf-if)#no shutdown

ASA1(config)#interface INT2									;on interface set following
ASA1(conf-if)#switchport mode access
ASA1(conf-if)#switchport access vlan 20
ASA1(conf-if)#no shutdown
ASA1(config)#interface vlan 20
ASA1(conf-if)#ip address
ASA1(conf-if)#nameif outside
ASA1(conf-if)#no shutdown
ASA1(config)#access-list CRYPTOACL permit ip	;access list to define which traffic will be encrypted
ASA1(config)#access-list outsidein permit icmp any host				;access list to permit icmp traffic for test reasons
ASA1(config)#access-group outsidein in interface outside					;apply access list to an interface
ASA1(config)#route outside					;static route instead of dynamic routing protocols
ASA1(config)#route outside		

ASA1(config)#nat (inside) 1 0 0									;nat all traffic
ASA1(config)#global (outside) 1 interface							;and using PAT

ASA1(config)#nat (inside) 0 access-list CRYPTOACL						;do not translate ip addresses for traffic to be encrypted
Router2(config)#interface INT3
Router2(conf-if)#ip address
Router2(conf-if)#no shutdown
Router2(config)#interface INT4
Router2(conf-if)#ip address
Router2(conf-if)#no shutdown
Router2(config)#ip route
Router2(config)#ip route
Router3(config)#interface INT5
Router3(conf-if)#ip address
Router3(conf-if)#no shutdown
Router3(config)#interface INT6
Router3(conf-if)#ip address
Router3(conf-if)#no shutdown
Router3(config)#ip route
Router3(config)#ip route

2a) VPN tunnel settings phase 1 IKE/ISAKMP:

Policy must be the same on both ends of tunnel (priority could be different)

ASA1(config)#sysopt connection permit-vpn 							;permit ipsec and isakmp traffic in system. Otherwise access list must be defined
ASA1(config)#isakmp policy 10 									;set up policy section
ASA1(isakmp)#authentication pre-share 								;authenticated using pre-shared keys
ASA1(isakmp)#group 2										;Diffie-Hellman group 2
ASA1(isakmp)#hash sha										;hashing type
ASA1(isakmp)#encryption 3des									;encryption algorithm
Router2(config)#crypto isakmp policy 10
Router2(isakmp)#encryption 3des 
Router2(isakmp)#hash sha 
Router2(isakmp)#group 2
Router2(isakmp)#authentication pre-share 
Router2(isakmp)#lifetime 200

2b) VPN tunnel settings phase 2 IPSEC:

ASA1(config)#isakmp identity address								;to send phase 2 id to the peer
ASA1(config)#tunnel-group type ipsec-l2l 						;set peer address and tunnel type (use ? to get more options)
ASA1(config)#tunnel-group ipsec-attributes 						;set tunneling protocol attributes
ASA1(config)#pre-shared-key Cisco								;define pre-shared key
ASA1(config)#isakmp enable outside								;enable isakmp on outside interface

ASA1(config)#crypto ipsec transform-set TRSETASA1 esp-md5-hmac esp-des				;Define a transform set - acceptable combination of security protocols and algorithms
ASA1(config)#crypto map CRMAPASA1 10 match address CRYPTOACL					;define local policy, used within crypto map, which we defined
ASA1(config)#crypto map CRMAPASA1 10 set peer					;remote peer setting
ASA1(config)#crypto map CRMAPASA1 10 set transform-set TRSETASA1				;apply transform set in a map section
ASA1(config)#crypto map CRMAPASA1 interface outside						;apply crypto map on interface 

Apply analogical settings to other side of the tunnel.

Router2(config)#crypto ipsec transform-set TRSETR2 esp-md5-hmac esp-des
Router2(config)#access-list 122 permit ip
Router2(config)#crypto isakmp key Cisco address
Router2(config)#crypto map LOKALNIMAPAR2 10 ipsec-isakmp 
Router2(cr-m)#set peer
Router2(cr-m)#match address 122
Router2(cr-m)#set transform-set TRSETR2
Router2(config)#interface INT3
Router2(conf-if)# crypto map LOKALNIMAPAR2

3) Access list on Router3 to enable only needed traffic:

Router3(config)#access-list 101 permit esp host host			;enable tunnel inicialisation thru ESP
Router3(config)#access-list 101 permit udp host host eq isakmp		;enable tunnel traffic thru UDP
Router3(config)#interface INT5			
Router3(conf-if)#ip access-group 101 in								;apply access list to an interface

Function test

F1) check IKE/IPSEC ASA configuration

Diagnose of this task is already performed during exercises 4.4.7 and 4.5.5a. Please use same one.

ASA1#sh crypto isakmp sa 									;display first part of tunnel configuration. 
ASA1#sh crypto ipsec sa										;display send/receive packet statistics

Ping from LAN 1 to LAN 2 should inicialize VPN tunnel and hosts on LAN2 should be accessible.

F2) clear tunnels

ASA1#clear crypto isakmp sa  									;clear tunnel inicialisation configuration
ASA1#clear crypto ipsec sa									;clear existing tunnels

Optional tasks

  • Define more transform sets to be able to select which could be fit to the other site of the tunnel.
  • Define different encryption and hashing algorithms – see point 2a.
  • Add one more router(asa) to topology and create another tunnel to this router(asa).

Two or more tunnels to different locations and peers:

This will be accomplished by adding:

  • New policy section with definition of needed settings.
  • New access list.
  • New or existing transform set must be added to new crypto map.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s