How to configure site-to-site VPN tunnel

using ASA?
Site-to-Site secure VPN tunnel using the ASA (Adaptive Security Appliances) enables an encrypted connection
between private networks over a public network such as the internet.

Basic steps for VPN Configuration:

1- First define the ISAKMP Policy.

For example:

Authentication
Hash
Encryption
Group

2- Establish IPsec transform set.

For example:

Esp-des
Esp-md5-hmac
Esp-aes
Asp-sha-hmac

3- Configure crypto access list.

For example: Define interesting traffics

4- Configure crypto map

Used to verify the previously defined parameters

5- Now apply crypto map on the outside interface.

Used to verify the outgoing interface traffic

Configuration of ASA on side A

First defined the IKE polices on ASA-A

ASA-A(config)#crypto isakmp policy 10 (10 is isakmp policy number)

ASA-A(config-isakmp)#encryption des (enable encryption des)

ASA-A(config-isakmp)#hash md5 (enable algorithm md5 for hashing)

ASA-A(config-isakmp)#authentication pre-share (enable Pre-shared method)

ASA-A(config-isakmp)#group 2 (enable diffie-Helman group 2)

ASA-A(config-isakmp)#exit (Exit from crypto isakmp mode)

The next step is to create a pre-shared key (password) on ASA - A.

ASA-A(config)#crypto isakmp key office address 20.1.1.20 (Here Key is "office" and 20.1.1.20 is ASA - B
Address)

Now create an access list to define only interesting traffic.

ASA-A(config)#access-list 100 permit ip host 20.1.1.10 host 20.1.1.20 (100 is access list number and 20.1.1.10
is source address and 20.1.1.20 is destination address.)

Now create the transform-set for encryption and hashing.

ASA-A(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac (Here encryption type is des and hashing
technique is md5-hmac)

ASA-A(config)#crypto map imap 10 ipsec-isakmp (crypto map name imap)

ASA-A(config)# crypto map imap 10 match address 100 (apply the access list)

ASA-A(config)# crypto map imap 10 set transform-set ts2 (apply the transform set)

ASA-A(config)# crypto map imap 10 set peer 20.1.1.20 (Set remote peer address)

Now apply the crypto map to the ASA - A interface

ASA-A(config)# crypto map imap interface outside (Apply crypto map on outside interface)

ASA-A(config)# crypto isakmp enable outside (To enable crypto isakmp on ASA)
Configuration of ASA on side B

First defined the IKE polices on ASA-B

ASA-B(config)#crypto isakmp policy 10 (10 is isakmp policy number)

ASA-B(config-isakmp)#encryption des (enable encryption des)

ASA-B(config-isakmp)#hash md5 (enable algorithm md5 for hashing)

ASA-B(config-isakmp)#authentication pre-share (enable Pre-shared method)

ASA-B(config-isakmp)#group 2 (enable diffie-Helman group 2)

ASA-B(config-isakmp)#exit (Exit from crypto isakmp mode)

The next step is to create a pre-shared key (password) on ASA - B.

ASA-B(config)#crypto isakmp key office address 20.1.1.10 (Here Key is "office" and 20.1.1.10 is ASA - A
Address)

Now create an access list to define only interesting traffic.

ASA-B(config)#access-list 100 permit ip host 20.1.1.20 host 20.1.1.10 (100 is access list number and 20.1.1.20
is source address and 20.1.1.10 is destination address.)

Now create the transform-set for encryption and hashing.

ASA-B(config)#crypto ipsec transform-set ts2 esp-des esp-md5-hmac (Here encryption type is des and hashing
technique is md5-hmac)

ASA-B(config)#crypto map imap 10 ipsec-isakmp (crypto map name imap)

ASA-B(config)# crypto map imap 10 match address 100 (apply the access list)

ASA-B(config)# crypto map imap 10 set transform-set ts2 (apply the transform set)

ASA-B(config)# crypto map imap 10 set peer 20.1.1.10 (Set remote peer address)

Now apply the crypto map to the ASA - B outside interface

ASA-B(config)# crypto map imap interface outside (Apply crypto map on outside interface)

ASA-B(config)# crypto isakmp enable outside (To enable crypto isakmp on ASA)

Now to verify the secure tunnel, ping to other remote location.

ASA-B(config)# ping 20.1.1.10