Simple ASA to IOS VPN

Occasionally you just need a cheat sheet to configure something. This is meant to be exactly that: a quick LAN-to-LAN IPsec configuration between an ASA and an IOS-based router, using IKEv1 with pre-shared keys and a crypto map on each end.

Topology

Host (192.168.1.2) -- iosv-1 (192.168.1.1 / 2.2.2.2) -- Internet (2.2.2.3 / 3.3.3.3) -- asav-1 (3.3.3.4 / 192.168.2.1) -- Server (192.168.2.2), addresses as used in the configurations below.

Host (for testing)

! /// Host is simply here to emulate a
! /// client on one end of the network
!
hostname Host
!
interface GigabitEthernet0/1
 description to iosv-1
 ip address 192.168.1.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

iosv-1 (IOS IPSec Endpoint)

! /// iosv-1 is terminating one end of an IPSec Tunnel
!
hostname iosv-1
!
! /// phase 1 policy (hash defaults to sha and lifetime to 86400 seconds,
! /// matching the values configured explicitly on the ASA side)
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
! /// pre shared key, bound to the ASA outside address; it must match the
! /// key under the ASA tunnel-group named after this router's address
!
crypto isakmp key [email protected] address 3.3.3.4
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 mode tunnel
!
crypto map mymap 10 ipsec-isakmp
 set peer 3.3.3.4
 set transform-set myset
 set reverse-route distance 10
 match address crypto
!
interface GigabitEthernet0/1
 description to Internet
 ip address 2.2.2.2 255.255.255.0
 !
 ! /// recommended: restrict inbound traffic to the IPsec peer (acl out-in below)
 ip access-group out-in in
 !
 ! /// probably a good idea to disable ip 
 ! /// unreachables on the outside interface
 no ip unreachables
 !
 ! /// if nat is needed
 ip nat outside
 crypto map mymap
!
interface GigabitEthernet0/2
 description to Host
 ip address 192.168.1.1 255.255.255.0
 !
 ! /// if nat is needed
 ip nat inside
!
! /// if nat is needed
ip nat inside source list nat interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 2.2.2.3
!
! /// crypto acl (which packets to encrypt/expect encrypted); must be the mirror image of the ASA crypto acl
ip access-list extended crypto
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! /// if nat is needed, tunnel traffic must be denied here: NAT is applied before the
! /// crypto map is consulted, so translated packets would no longer match the crypto acl
ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! /// acl attached to Gig 0/1. In this case we are only allowing traffic
! /// from the other end of the tunnel. A tighter version would permit only
! /// isakmp (udp 500), nat-t (udp 4500) and esp from that peer.
ip access-list extended out-in
 permit ip host 3.3.3.4 host 2.2.2.2
 deny   ip any any
!

Internet (SP emulation)

! /// emulating the SP
!
hostname Internet
!
interface GigabitEthernet0/1
 description to iosv-1
 ip address 2.2.2.3 255.255.255.0
!
interface GigabitEthernet0/2
 description to asav-1
 ip address 3.3.3.3 255.255.255.0
!

asav-1 (fw IPSec Termination)

hostname asav-1
!
interface GigabitEthernet0/0
 description to Internet
 nameif outside
 security-level 0
 ip address 3.3.3.4 255.255.255.0
!
interface GigabitEthernet0/1
 description to Server
 nameif inside
 ! /// inside must sit at a higher security level than outside; with both
 ! /// at 0 the ASA drops inside-to-outside traffic unless same-security
 ! /// inter-interface traffic is explicitly permitted
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! /// objects to be used with NAT (and optionally crypto acl)
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
!
! /// crypto ACL
access-list L2LAccessList extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! /// nat exemption (identity twice NAT) so tunnel traffic is never translated;
! /// manual NAT in section 1 is evaluated before the object NAT below
nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
!
object network obj_any
 nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 3.3.3.3 1
!
! /// phase 2 transform
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
!
! /// crypto map attached to outside
crypto map mymap 10 match address L2LAccessList
crypto map mymap 10 set peer 2.2.2.2
crypto map mymap 10 set ikev1 transform-set myset
crypto map mymap 10 set reverse-route
crypto map mymap interface outside
!
! /// phase 1 configuration and policy
crypto ikev1 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key [email protected]
!
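
With both endpoints in place, the two things that most often break a crypto-map tunnel are worth checking mechanically: the crypto ACLs must be mirror images of each other, and each side's NAT must exempt exactly that traffic. On IOS the order of operations puts NAT before the crypto map, so a missing deny in the NAT ACL means the packets are translated, no longer match the crypto ACL and are forwarded unencrypted toward the default route. The following Python script is an added example and not code from the original post: IOS_CFG and ASA_CFG are constructed copies of the relevant lines from the two configurations above, and the check() function and its helpers are assumptions of the example, written for the handful of commands involved rather than as a general config parser.

```python
"""Cross-check the IOS and ASA halves of a crypto-map LAN-to-LAN tunnel.

Added example, not code from the original page: IOS_CFG and ASA_CFG are
constructed copies of the relevant lines above, and the parser understands
only the handful of commands involved (one subnet per ACL address, no ports).
"""
import ipaddress
import re

IOS_CFG = """\
crypto map mymap 10 ipsec-isakmp
 set peer 3.3.3.4
 match address crypto
ip nat inside source list nat interface GigabitEthernet0/1 overload
ip access-list extended crypto
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended nat
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
"""
ASA_CFG = """\
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
access-list L2LAccessList extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside,any) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
crypto map mymap 10 match address L2LAccessList
"""

def _addr(tok, wildcard):
    """Consume one ACL address spec (any | host X | X MASK) and return (network, remaining tokens).
    IOS ACLs carry inverse masks (0.0.0.255), ASA ACLs carry real netmasks (255.255.255.0)."""
    if tok[0] in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.IPv4Network(tok[1] + "/32"), tok[2:]
    mask = int(ipaddress.IPv4Address(tok[1]))
    mask = ipaddress.IPv4Address(mask ^ 0xFFFFFFFF if wildcard else mask)
    return ipaddress.IPv4Network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def _block(cfg, header):
    """Token lists of the indented lines under the first top-level command starting with header."""
    out, inside = [], False
    for line in cfg.splitlines():
        if line.startswith(header):
            inside = True
        elif inside and line.startswith(" "):
            out.append(line.split())
        elif inside:
            break
    return out

def acl(rows, wildcard):
    """(action, src_net, dst_net) for every 'permit|deny ip SRC DST' token list in rows."""
    out = []
    for tok in rows:
        if len(tok) > 1 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            src, rest = _addr(tok[2:], wildcard)
            out.append((tok[0], src, _addr(rest, wildcard)[0]))
    return out

def check(ios_cfg, asa_cfg):
    """Return the mismatches found; an empty list means the two halves agree."""
    problems = []
    ios_name = re.search(r"^ match address (\S+)", ios_cfg, re.M)[1]
    asa_name = re.search(r"^crypto map \S+ \d+ match address (\S+)", asa_cfg, re.M)[1]
    ios_crypto = acl(_block(ios_cfg, f"ip access-list extended {ios_name}"), wildcard=True)
    asa_rows = [line.split()[3:] for line in asa_cfg.splitlines()
                if line.startswith(f"access-list {asa_name} extended ")]
    asa_permits = {(s, d) for a, s, d in acl(asa_rows, wildcard=False) if a == "permit"}
    # 1. Proxy IDs: every IOS permit must appear on the ASA with source and destination swapped.
    if {(s, d) for a, s, d in ios_crypto if a == "permit"} != {(d, s) for s, d in asa_permits}:
        problems.append("crypto ACLs are not mirror images")
    # 2. IOS applies NAT before it consults the crypto map, so tunnel traffic must hit a deny in
    #    the NAT ACL first; translated packets no longer match the crypto ACL and leave unencrypted.
    nat_name = re.search(r"^ip nat inside source list (\S+)", ios_cfg, re.M)[1]
    nat = acl(_block(ios_cfg, f"ip access-list extended {nat_name}"), wildcard=True)
    for _, s, d in ios_crypto:
        first = next((a for a, ns, nd in nat if s.subnet_of(ns) and d.subnet_of(nd)), None)
        if first == "permit":
            problems.append(f"IOS NAT ACL would translate {s} -> {d}")
    # 3. ASA: identity twice-NAT rules (real == mapped) must exempt exactly the crypto ACL networks.
    objs = {m[1]: ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
            for m in re.finditer(r"^object network (\S+)\n subnet (\S+) (\S+)", asa_cfg, re.M)}
    exempt = {(objs.get(m[1]), objs.get(m[3]))
              for m in re.finditer(r"^nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)",
                                   asa_cfg, re.M) if m[1] == m[2] and m[3] == m[4]}
    if exempt != asa_permits:
        problems.append("ASA NAT exemption does not match the crypto ACL")
    return problems

if __name__ == "__main__":
    print(check(IOS_CFG, ASA_CFG) or "IOS and ASA tunnel configs are consistent")
```

Run it as-is and the page's two configurations pass all three checks; change the destination subnet on the ASA access-list, or drop the deny line from the IOS nat ACL, and check() names the half that is wrong. The containment test in step 2 is deliberately simple (it only asks whether the whole crypto subnet pair falls under a NAT entry), so partial overlaps are not diagnosed.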

Server (for testing)

! /// Testing Point
!
hostname Server
!
interface GigabitEthernet0/1
 description to asav-1
 ip address 192.168.2.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.2.1

Conclusion

I included the IOS NAT configuration as a starting point for a situation where Internet access is required at the remote site. In that case the inbound ACL on the outside interface, which only permits the IPsec peer, will block the return traffic of those NATed sessions. That is solved with stateful inspection (CBAC, or its successor the Zone-Based Firewall), which opens the inbound ACL for sessions initiated from the inside. Note also that both ends negotiate IKEv1 with DH group 2 (1024-bit), which is the lowest common denominator rather than a recommendation; use a stronger group where both platforms support it. In short, this should be used as a template and modified to meet your organization's security and operational requirements.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.


About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

One Response to Simple ASA to IOS VPN

  1. Darko says:

    interface GigabitEthernet0/1
    description to Server
    nameif inside
    security-level 0 ! — Is this a mistake? Should there be security-level 100?
    ip address 192.168.2.1 255.255.255.0
    If not, why not?

    Thanks
