
Upload: chiensy

Post on 12-Apr-2017



Configuring ASA Site-To-Site VPN

Contents

Purpose
Background
    Outside
    Inside
    DMZ
VPN
ASA VPN Types
    Clientless VPN
    AnyConnect VPN
    Site-to-Site VPN
        There are two types of site-to-site VPNs
ASDM
Learning Objectives
Network Diagram
Lab
    Task 1: Configure all other devices except the ASA.
        PCs and servers
        ISP
        R1
        R2
    Task 2: Create an MS Loopback interface.
    Task 3: Add the ASA device to GNS3.
Local Site
    Task 4: Install ASDM on the ASA device.
    Task 5: Configure the ASA using ASDM.
        Step 1: Basic configuration.
        Step 2: Create a global service policy.
        Step 3: Configure the dmz.
        Step 4: Create an Access Rule.
    Task 6: Verifying the Local configuration.
Remote Site
    Task 7: Install ASDM on the ASA device.
    Task 8: Configure the ASA using ASDM.
        Step 1: Basic configuration.
        Step 2: Create a global service policy.
    Task 9: Verifying the Remote configuration.
Configure the Site-To-Site VPN
    Local site
    Remote site
    Verifying the VPN configuration

Purpose:

The purpose of this lab is to provide a more advanced understanding of Cisco’s ASA 5520 Adaptive Security Appliance. The Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. In this lab we will use GNS3 to learn how to configure the ASA as a basic firewall, add a third zone referred to as a DMZ, and finally create a site-to-site VPN between the two sites. This knowledge is essential to passing the CCNP Security exam and will be used daily in your position as a Cisco network engineer.

Background:

In this lab we will use GNS3 and ASDM to model a network with a LOCAL and a REMOTE site. Each site has access to the Internet. The local site also has a DMZ that can be reached from outside devices as well as from inside devices, but from which no connection can be opened to any inside device. In addition we will create a site-to-site VPN between the local site and the remote site. Before we continue with the lab, let’s take a look at the interfaces (security zones) used in this lab.

Outside:

The outside interface is the public, untrusted zone, commonly used to connect to public addresses on the Internet. Devices in this zone cannot reach devices on the inside or in the DMZ unless an access rule explicitly permits it.


Inside:

The inside interface is the private, trusted zone, generally used for local devices with private address space. To reach public addresses on the outside, the private addresses must be translated using NAT or PAT. Inside devices can open connections to the outside or the DMZ unless restricted, because the inside interface normally carries the highest security level (100) and the ASA permits connections from a higher security level to a lower one by default.

DMZ:

In computer security, a DMZ or demilitarized zone (sometimes referred to as a perimeter network) is a physical or logical subnetwork that contains and exposes an organization's external-facing services to a larger and untrusted network, usually the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has direct access to equipment in the DMZ, rather than to any other part of the network, and a compromised DMZ host still cannot open connections into the inside zone.

VPN:

VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.

ASA VPN Types:

There are three types of VPN available on the Cisco ASA product line:

Clientless VPN:

Clientless SSL VPN enables end users to securely access resources on the corporate network from anywhere using an SSL-enabled web browser. The user first authenticates to the Clientless SSL VPN gateway (the ASA), which then allows the user to access pre-configured network resources. Because the browser is the client, the remote-access tunnel to the ASA requires no software or hardware VPN client. It provides secure and easy access to a broad range of web resources and both web-enabled and legacy applications from almost any device that can reach the ASA over HTTPS. They include:

• Internal websites.
• Web-enabled applications.
• NT/Active Directory file shares.
• Email proxies, including POP3S, IMAP4S, and SMTPS.
• Microsoft Outlook Web Access for Exchange Server 2000, 2003, and 2007.
• Microsoft Outlook Web App for Exchange Server 2010 (ASA 8.4(2) and later).
• Application Access (smart tunnel or port forwarding access to other TCP-based applications).

Clientless SSL VPN uses the Secure Sockets Layer protocol and its successor, Transport Layer Security (SSL/TLS), to provide the secure connection between remote users and the specific, supported internal resources that you configure. The ASA recognizes connections that must be proxied, and its HTTP server interacts with the authentication subsystem to authenticate users. The network administrator grants access to resources to Clientless SSL VPN users on a group basis. Users have no direct access to resources on the internal network.

AnyConnect VPN:

Cisco AnyConnect Secure Mobility Client is a full-tunnel remote-access VPN client for enterprise users who need a secure connection to their workplace network. Unlike the clientless option it installs software on the endpoint, and in return the user gets a routed IP address on the corporate network rather than a browser-proxied view of selected resources. The client connects to the ASA over SSL/TLS (with DTLS for latency-sensitive traffic) or over IPsec with IKEv2.

Site-to-Site VPN:

A site-to-site VPN allows offices in multiple fixed locations to establish secure connections with each other over a public network such as the Internet. Site-to-site VPN extends the company's network, making computer resources from one location available to employees at other locations. An example of a company that needs a site-to-site VPN is a growing corporation with dozens of branch offices around the world.

There are two types of site-to-site VPNs:

• Intranet-based -- If a company has one or more remote locations that they wish to join in a single private network, they can create an intranet VPN to connect each separate LAN to a single WAN.

• Extranet-based -- When a company has a close relationship with another company (such as a partner, supplier or customer), it can build an extranet VPN that connects those companies' LANs. This extranet VPN allows the companies to work together in a secure, shared network environment while preventing access to their separate intranets.

Even though the purpose of a site-to-site VPN is different from that of a remote-access VPN, it can use some of the same software and equipment. A site-to-site VPN, however, removes the need for each computer to run VPN client software: the tunnel is terminated on dedicated equipment at each site (in this lab, the ASA at each site), and the hosts behind it simply route through it without knowing the tunnel exists.

ASDM:

Cisco’s ASDM is a GUI-based firewall appliance management tool that allows the user to configure, monitor, and troubleshoot Cisco firewall appliances and firewall service modules. Ideal for small or simple deployments, the Cisco Adaptive Security Device Manager provides the following:

• Setup wizards that help you configure and manage Cisco firewall devices, including the Cisco ASA Adaptive Security Appliances, Cisco PIX appliances, and Cisco Catalyst 6500 Series Firewall Services Modules, without command-line scripts.
• A real-time log viewer and monitoring dashboards that provide an at-a-glance view of firewall appliance status and health.
• Troubleshooting features and debugging tools such as packet tracer and packet capture.

Learning Objectives:

Add the ASA to GNS3.

Configure MS Loopback Interface.

Install and configure ASDM.

Use ASDM to configure the ASA.

Configure a DMZ

Configure a Site-to-Site VPN


Network Diagram:

Lab:

Task 1: Configure all other devices except the ASA.

In this part of our lab we will configure the routers, PCs and servers as shown in the network diagram.

Note: In this lab routers are used to simulate the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PCs.

PC’s and servers:

1. Configure the INTERNET, DMZ, and LOCAL servers and the REMOTE and LOCAL PCs devices as shown in the network diagram.

2. Configure a default route on the above devices.

ISP:

1. Configure the ISP as follows. Serial1/0 faces R1 and serial1/1 faces R2; the two serial links must be on different /30 subnets (10.1.1.0/30 and 10.2.2.0/30), matching the static routes below and R2's default route.

ISP#configure terminal
ISP(config)#interface FastEthernet0/0
ISP(config-if)#ip address 209.165.200.9 255.255.255.248
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/0
ISP(config-if)#ip address 10.1.1.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
ISP(config)#interface serial1/1
ISP(config-if)#ip address 10.2.2.2 255.255.255.252
ISP(config-if)#no shutdown
ISP(config-if)#exit
!
ISP(config)#ip route 209.165.200.224 255.255.255.248 10.1.1.1
ISP(config)#ip route 209.165.200.232 255.255.255.248 10.2.2.1
ISP(config)#exit
ISP#wr

R1:

1. Configure R1 as follows. R1's FastEthernet0/0 address must be the gateway that the ASA's default route points at in Task 5 (209.165.200.225); it cannot share 209.165.200.226 with the ASA's outside interface.

R1#configure terminal
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 209.165.200.225 255.255.255.248
R1(config-if)#no shutdown
R1(config-if)#exit
!
R1(config)#interface serial1/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
R1(config-if)#exit
!
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
R1(config)#exit
R1#wr

R2:

1. Configure R2 as follows:

R2#configure terminal
R2(config)#interface FastEthernet0/0
R2(config-if)#ip address 209.165.200.233 255.255.255.248
R2(config-if)#no shutdown
R2(config-if)#exit
!
R2(config)#interface serial1/1
R2(config-if)#ip address 10.2.2.1 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#exit
!
R2(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R2(config)#exit
R2#wr

Task 2: Create an MS Loopback interface.

Microsoft Loopback Adapter is a dummy network card; no hardware is involved. It is used as a testing tool for a virtual network environment where network access is not available. You can bind network clients, protocols, and other network configuration items to the Loopback adapter. In this lab it is the host-side end of the ASA management network (192.168.2.0/24), which is how ASDM reaches the firewall.

1. In the host operating system, right-click My Computer, and then select Properties. Depending on the style of the start menu, My Computer may be located in the Start menu.
2. In the System Properties dialog box, on the Hardware tab, click Add Hardware Wizard.
3. In the Add Hardware dialog box, click Next.
4. When the Is the hardware connected? dialog box appears, click Yes, I have already connected the hardware, and then click Next.
5. In the Installed hardware list, click Add a new hardware device, and then click Next.
6. In the What do you want the wizard to do? list, click Install the hardware that I manually select from a list (Advanced), and then click Next.
7. In the Common hardware types list, click Network adapters, and then click Next.
8. In the Manufacturer list, click Microsoft.
9. In the Network Adapter list, click Microsoft Loopback Adapter, and then click Next twice.
10. If a message about driver signing appears, click Continue Anyway.
11. In the Completing the Add Hardware Wizard dialog box, click Finish, and then click OK.
12. Reboot the computer.
13. On the host operating system, open Network Connections, right-click the local area connection for Microsoft Loopback Adapter, and then select Properties.
14. In the Microsoft Loopback Adapter Properties dialog box, verify that the Virtual Machine Network Services check box is selected.
15. Click Internet Protocol (TCP/IP), and then click Properties.
16. On the General tab, click Use the following IP address, and then type the IP address 192.168.2.10 and the subnet mask 255.255.255.0.
17. Click OK, and then click Close.


Task 3: Add the ASA device to GNS3.

1. Copy the ASA842.zip included with this lab into the GNS3 image directory.
2. Unzip the ASA842.zip file.
3. Open Edit -> Preferences -> Qemu and click the ASA tab.
4. Enter an identifier name. I used "ASA-5520".
5. Enter 1024 in RAM.
6. Enter the following for Qemu Options:

-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32

7. Enter the paths where you placed the files from step 1 into the designated boxes for Initrd and Kernel.
8. Enter the following for Kernel cmd line:

-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

9. Leave all other options at their defaults.
10. Click the Save button, then click OK.
11. Copy the ASDM lab.zip file to the GNS3 project directory.
12. Extract the ASDM lab.zip file.
13. Open the lab topology.
14. Once the ASA is up, enter enable and then enter one of the following to activate features:

activation-key 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5

activation-key 0xb23bcf4a 0x1c713b4f 0x7d53bcbc 0xc4f8d09c 0x0e24c6b6

Local Site.

Task 4: Install ASDM on the ASA device.

1. If you don’t already have a TFTP server installed, then you can download and install the Cisco TFTP server available with this lab.

2. In the ASA console enter the following:

ciscoasa# configure terminal
ciscoasa(config)# hostname ASA1
ASA1(config)# interface GigabitEthernet5
ASA1(config-if)# ip address 192.168.2.1 255.255.255.0
ASA1(config-if)# nameif management
ASA1(config-if)# no shutdown

3. Ping the Windows loopback adapter (192.168.2.10) from the ASA to test connectivity.
4. If you don’t already have the ASDM image, download the ASDM 6.4(7) image (asdm-647.bin) included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:

ASA1# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?

6. Set the ASA to load the ASDM image at the next boot, enable the HTTPS server, and create an administrative user:

ASA1# configure terminal
ASA1(config)# asdm image flash:asdm-647.bin
ASA1(config)# http server enable
ASA1(config)# http 192.168.2.10 255.255.255.255 management
ASA1(config)# username admin password cisco privilege 15

The http command permits ASDM connections only from the loopback host 192.168.2.10 and only on the management interface; keep it that narrow rather than opening it to a whole subnet or to the outside interface. The admin/cisco credentials are for this isolated lab only.

7. When the copy is complete, save your configuration using the 'wr' command and then reload the firewall using the 'reload' command.

Note: to complete the next step, you will need to disable or configure your PC firewall. You may also need to disable popup in your browser and in Java configuration. Lastly you may need to add https://192.168.2.1 to the trusted site under the internet security options. You may also need to install the certificate in your browser.

8. Open your browser and browse to https://192.168.2.1 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.

9. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the name admin and password cisco.


Task 5: Configure the ASA using ASDM.

Step 1: Basic configuration.

1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter the Hostname ASA1 and the Domain Name local, then click Next.
5. Highlight GigabitEthernet0, click Edit, select Enable interface and configure the interface with the following:

interface ............ GigabitEthernet0
interface name ....... outside
security level ....... 0
ip address ........... 209.165.200.226
subnet mask .......... 255.255.255.248

6. Click OK, then click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following. The inside interface must be given security level 100, not 0: the checks in Task 6 depend on inside being more trusted than the DMZ and the outside, and two interfaces at the same level cannot talk to each other at all unless same-security-traffic is enabled.

interface ............ GigabitEthernet1
interface name ....... inside
security level ....... 100
ip address ........... 192.168.20.1
subnet mask .......... 255.255.255.0

9. Click OK.
10. Highlight GigabitEthernet2 and click Edit.
11. Select Enable interface and configure the interface with the following. The DMZ sits between the other two zones, so give it a security level between them (50): inside (100) can then reach it by default, it can reach the outside (0) by default, and it cannot open connections to inside.

interface ............ GigabitEthernet2
interface name ....... dmz
security level ....... 50
ip address ........... 172.16.1.1
subnet mask .......... 255.255.255.0

12. Click OK.
13. Click Next.
14. On the Static Routes page click Add and enter the default route. It belongs on the outside interface, because the next hop (R1) is on the outside segment:

Interface ....... outside
Network ......... any
Gateway IP ...... 209.165.200.225

15. Click OK.
16. Click Next.
17. Enable the DHCP server on the inside interface.
18. Enter the starting and ending IP addresses of the pool. The pool must lie within the subnet of the inside interface (192.168.20.0/24 as configured in step 8), for example 192.168.20.10 to 192.168.20.100; the ASA rejects a pool such as 192.168.10.10 to 192.168.10.100 that is on a different subnet. Take the addresses from your network diagram.
19. Click Next.
20. On the Address Translation (NAT/PAT) page select Use Port Address Translation (PAT) and Use the IP address on the GigabitEthernet0 (outside) interface.
21. Click Next on the remaining pages, select Do not enable Smart Call Home and click Next.
22. Verify the configuration.
23. Click Finish.
24. Select Send.

Step 2: Create a global service policy.

1. From the Configuration tab select Firewall.
2. Select Service Policy Rules.
3. Click the Add button and select Add Service Policy Rule.
4. Click Global, name the policy global-policy, then click Next.
5. Check the box labeled Default Inspection Traffic and click Next.
6. Click Next.
7. Check the following inspection rules:

DNS
ESMTP
FTP
H.323 H.225
HTTP
ICMP
IP-OPTIONS
NETBIOS

8. Click Finish.
9. Click Apply.
10. Click Send.

ICMP inspection is what lets echo replies back in to a host on the inside or in the DMZ: without it the ASA does not track ICMP statefully, and the reply arriving on the lower-security interface is dropped even though the outbound echo was permitted. FTP inspection likewise opens the data connection for the FTP checks in Task 6.

Step 3: Configure the dmz.

1. From the Firewall menu select Network Objects/Groups.
2. Click Add and select Network Object.
3. In the Network Object window enter the following. The object must describe the real inside subnet (192.168.20.0/24 for the inside interface configured in Step 1). An object for a subnet the inside interface does not use, such as 192.168.1.0/24, leaves inside hosts untranslated and unable to reach the Internet:

Name ............. inside-subnet
Type ............. Network
IP Address ....... 192.168.20.0
Netmask .......... 255.255.255.0

4. Expand the NAT section and check Add Automatic Address Translation Rules.
5. Select the Type Dynamic PAT (Hide), which translates the whole subnet to one address.
6. Set the Translated Addr to the outside interface.
7. Click Advanced and select the Source Interface inside and the Destination Interface outside.
8. Click OK, then OK again.
9. Click Add and select Network Object.
10. In the Network Object window enter the following:

Name ............. dmz-subnet
Type ............. Network
IP Address ....... 172.16.1.0
Netmask .......... 255.255.255.0

11. Expand the NAT section and check Add Automatic Address Translation Rules.
12. Select the Type Dynamic PAT (Hide).
13. Set the Translated Addr to the outside interface.
14. Click Advanced and select the Source Interface dmz and the Destination Interface outside.
15. Click OK, then OK again.
16. Click Add and select Network Object, and enter the public address at which the DMZ server will be reachable:

Name ............. dmz-host-ext
Type ............. Host
IP Address ....... 209.165.200.229

17. Click OK.
18. Click Add and select Network Object, and enter the DMZ server's real address:

Name ............. dmz-host-int
Type ............. Host
IP Address ....... 172.16.1.200

19. Expand the NAT section and check Add Automatic Address Translation Rules.
20. Select the Type Static.
21. Set the Translated Addr to dmz-host-ext.
22. Click Advanced and select the Source Interface dmz and the Destination Interface outside.
23. Click OK, then OK again.
24. Click Apply.
25. Click Send.

The ASA orders automatic (object) NAT rules with static rules ahead of dynamic ones, so the static mapping for dmz-host-int takes precedence over the dynamic dmz-subnet rule for that host: outbound connections from 172.16.1.200 appear as 209.165.200.229, and inbound connections to 209.165.200.229 are translated to 172.16.1.200 before the access rule in Step 4 is evaluated.

Step 4: Create an Access Rule.

1. From the Firewall menu select Access Rules.
2. Highlight outside (0 implicit incoming rules).
3. Click Add, select Add Access Rule and enter the following:

Interface: outside
Action: Permit
Source: any
Destination: dmz-host-int
Services: tcp/ftp, tcp/ftp-data, tcp/http, tcp/https, tcp/ssh, tcp/telnet

The destination is the real-address object (dmz-host-int), not the public one, because on ASA 8.3 and later access rules are evaluated after the packet has been un-NATed. Telnet and FTP are listed only because the verification steps in this lab use them; both carry credentials in cleartext and would not be exposed from a real DMZ.

4. Click OK.
5. Click Apply.
6. Click Send.
7. From the menu bar click Save.
8. Click Send.

Once this rule is applied, the outside interface's default behaviour is replaced by the access list and its implicit deny at the end, so any connection from the outside that is not listed above, including any attempt to reach an inside host, is dropped.

Task 6: Verifying the Local configuration.

1. From LOCAL-PC, Telnet to the INTERNET server using the username admin and the password cisco.
2. Enter exit.
3. From LOCAL-PC, Telnet to the DMZ server using the username admin and the password cisco.
4. Enter exit.
5. From the DMZ server, Telnet to the INTERNET server using the username admin and the password cisco.
6. Enter exit.
7. Ensure you cannot Telnet to LOCAL-PC or to the LOCAL server from the DMZ server.

Steps 1 to 6 rely on the security levels being inside 100, dmz 50 and outside 0, so that each connection goes from a higher level to a lower one and is permitted by default. Step 7 confirms the reverse direction: the dmz interface has no access rule permitting connections to a higher-security interface, so the ASA drops them. If step 7 succeeds, recheck the security levels from Task 5 Step 1.
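The decisions the Task 6 checks exercise can be written down as a small model. The following is an added example, not part of the original lab: it encodes the two ASA rules the checks rely on (a connection may be initiated from a higher security-level interface to a lower one with no access list; an interface that has an access list applied is governed by that list alone, first match wins, implicit deny at the end) and runs the Task 6 cases plus three outside-to-DMZ cases against the Step 4 access rule. The addresses for LOCAL-PC and the INTERNET server are assumptions, since the network diagram is not reproduced in this transcript; NAT, inspection and return traffic are not modelled.

```python
"""Model of the ASA's permit/deny decision for new connections in this lab.

Added example, not code from the original lab. Assumes the corrected
security levels (outside 0, dmz 50, inside 100) and the Step 4 access rule.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Security levels as they must be for the Task 6 checks to pass.
SECURITY_LEVELS: Dict[str, int] = {"outside": 0, "dmz": 50, "inside": 100}

# Directly connected subnets from the lab; anything else is reached via outside.
CONNECTED: Dict[str, IPv4Network] = {
    "inside": ip_network("192.168.20.0/24"),
    "dmz": ip_network("172.16.1.0/24"),
}


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    port: Optional[int]    # destination port; None means any


ANY = ip_network("0.0.0.0/0")
DMZ_HOST_INT = ip_network("172.16.1.200/32")

# Step 4's access rule on the outside interface, one entry per service.
# Since ASA 8.3 the rule names the real (untranslated) address of the DMZ host.
OUTSIDE_ACL: List[Rule] = [
    Rule("permit", ANY, DMZ_HOST_INT, "tcp", p) for p in (21, 20, 80, 443, 22, 23)
]
# Only the outside interface has an access list; inside and dmz rely on levels.
ACLS: Dict[str, List[Rule]] = {"outside": OUTSIDE_ACL}


def interface_for(addr: IPv4Address) -> str:
    """Interface a host lives behind: a connected subnet, otherwise outside."""
    for name, net in CONNECTED.items():
        if addr in net:
            return name
    return "outside"


def matches(rule: Rule, src: IPv4Address, dst: IPv4Address, proto: str, port: Optional[int]) -> bool:
    return (src in rule.src and dst in rule.dst
            and rule.proto in ("ip", proto)
            and (rule.port is None or rule.port == port))


def allowed(src: str, dst: str, proto: str = "tcp", port: Optional[int] = None) -> Tuple[bool, str]:
    """Return (permitted, reason) for a new connection from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    ingress, egress = interface_for(s), interface_for(d)
    if ingress == egress:
        return False, "same interface: same-security-traffic is not enabled"
    rules = ACLS.get(ingress)
    if rules is not None:
        # An applied access list replaces the security-level default entirely.
        for r in rules:
            if matches(r, s, d, proto, port):
                return r.action == "permit", f"{r.action} by {ingress} access list"
        return False, f"implicit deny at the end of the {ingress} access list"
    if SECURITY_LEVELS[ingress] > SECURITY_LEVELS[egress]:
        return True, f"{ingress}({SECURITY_LEVELS[ingress]}) -> {egress}({SECURITY_LEVELS[egress]}): higher to lower, permitted by default"
    return False, f"{ingress} -> {egress}: lower to higher with no access list"


def task6_checks() -> Dict[str, bool]:
    """Task 6 plus three outside-initiated cases. Host addresses are assumed."""
    local_pc, dmz_srv, internet = "192.168.20.10", "172.16.1.200", "209.165.200.10"
    return {
        "local_pc_telnet_internet": allowed(local_pc, internet, "tcp", 23)[0],
        "local_pc_telnet_dmz": allowed(local_pc, dmz_srv, "tcp", 23)[0],
        "dmz_telnet_internet": allowed(dmz_srv, internet, "tcp", 23)[0],
        "dmz_telnet_local_pc": allowed(dmz_srv, local_pc, "tcp", 23)[0],
        "internet_http_dmz_host": allowed(internet, dmz_srv, "tcp", 80)[0],
        "internet_smb_dmz_host": allowed(internet, dmz_srv, "tcp", 445)[0],
        "internet_telnet_local_pc": allowed(internet, local_pc, "tcp", 23)[0],
    }


if __name__ == "__main__":
    for name, ok in task6_checks().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY'}")
```

Change the inside entry in SECURITY_LEVELS to 0, as the original Step 1 text has it, and the first two checks flip to DENY, which is the quickest way to see why the security levels matter.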


Remote Site.

Task 7: Install ASDM on the ASA device.

1. If you don’t already have a TFTP server installed, then you can download and install the Cisco TFTP server available with this lab.

2. In the ASA console enter the following:

ciscoasa# configure terminal
ciscoasa(config)# hostname ASA2
ASA2(config)# interface GigabitEthernet5
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0
ASA2(config-if)# nameif management
ASA2(config-if)# no shutdown

3. Ping the Windows loopback adapter (192.168.2.10) from the ASA to test connectivity.
4. If you don’t already have the ASDM image, download the ASDM 6.4(7) image (asdm-647.bin) included with this lab.
5. In the ASA console, copy the ASDM bin file to flash on the ASA:

ASA2# copy tftp flash
Address or name of remote host []? 192.168.2.10
Source filename []? asdm-647.bin
Destination filename [asdm-647.bin]?

6. Set the ASA to load the ASDM image at the next boot, enable the HTTPS server, and create an administrative user:

ASA2# configure terminal
ASA2(config)# asdm image flash:asdm-647.bin
ASA2(config)# http server enable
ASA2(config)# http 192.168.2.10 255.255.255.255 management
ASA2(config)# username admin password cisco privilege 15

7. When the copy is complete, save your configuration using the 'wr' command and then reload the firewall using the 'reload' command.

Note: to complete the next step, you will need to disable or configure your PC firewall. You may also need to disable popup in your browser and in Java configuration. Lastly you may need to add https://192.168.2.2 to the trusted site under the internet security options. You may also need to install the certificate in your browser.

8. Open your browser and browse to https://192.168.2.2 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.

9. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the name admin and password cisco.


Task 8: Configure the ASA using ASDM.

Step 1: Basic configuration.

1. From the ASDM window select Configuration.
2. Launch the Startup Wizard.
3. Select Modify existing configuration and click Next.
4. Enter the Hostname ASA2 and the Domain Name local, then click Next.
5. Highlight GigabitEthernet0, click Edit, select Enable interface and configure the interface with the following. The remote ASA sits on R2's segment, 209.165.200.232/29 (the block the ISP routes towards R2), so it cannot reuse the local site's 209.165.200.226; the address .234 is assumed here, as the network diagram is not reproduced in this transcript.

interface ............ GigabitEthernet0
interface name ....... outside
security level ....... 0
ip address ........... 209.165.200.234
subnet mask .......... 255.255.255.248

6. Click OK, then click Next.
7. Highlight GigabitEthernet1 and click Edit.
8. Select Enable interface and configure the interface with the following; as at the local site, the inside interface needs security level 100.

interface ............ GigabitEthernet1
interface name ....... inside
security level ....... 100
ip address ........... 192.168.20.1
subnet mask .......... 255.255.255.0

Note: the inside address above repeats the local site's. The two sites' inside subnets must not overlap, or the site-to-site VPN configured later cannot route traffic between them; use the remote inside subnet shown in your network diagram and keep the DHCP pool below inside it.

9. Click OK.
10. Click Next.
11. On the Static Routes page click Add and enter the default route on the outside interface, with R2 as the gateway:

Interface ....... outside
Network ......... any
Gateway IP ...... 209.165.200.233

12. Click OK.
13. Click Next.
14. Enable the DHCP server on the inside interface.
15. Enter the starting and ending IP addresses of the pool. Both must lie within the inside interface's subnet; a range such as 192.168.0.10 to 192.168.10.100, which spans several subnets, is rejected by the ASA.
16. Click Next.
17. On the Address Translation (NAT/PAT) page select Use Port Address Translation (PAT) and Use the IP address on the GigabitEthernet0 (outside) interface.
18. Click Next on the remaining pages, select Do not enable Smart Call Home and click Next.
19. Verify the configuration.
20. Click Finish.
21. Select Send.

Step 2: Create a global service policy.

1. From the Configuration tab select Firewall.

2. Select Service Policy Rules.

3. Click the Add button and select Add Service Policy Rule.

4. Click Global, name the policy global-policy and click Next.

5. Check the box labeled Default Inspection Traffic and click Next.

6. Click Next.

7. Check the following inspection rules:

DNS
ESMTP
FTP
H.323 H.225
HTTP
ICMP
IP-OPTIONS
NETBIOS

ICMP inspection is not part of the ASA's default inspection set. Without it the ASA does not track ICMP statefully, so echo replies to the inside hosts are dropped and the pings used to test connectivity fail.

8. Click Finish.

9. Click Apply.

10. Click Send.
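The equivalent ASA CLI for what the two wizards above push to ASA2, as an added example for this lab (not from the original document). It uses ASA 8.4 syntax, which pairs with ASDM 6.4. The next-hop address 209.165.200.233 for the default route is an assumption (the lab states only the outside subnet), and the object name inside-subnet is the one the VPN wizard later in the lab offers in its Local Network dropdown.

```cisco
! ASA2 basic configuration (ASA 8.4 syntax) matching the Startup Wizard values
hostname ASA2
domain-name Local
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 209.165.200.234 255.255.255.248
 no shutdown
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
 no shutdown
!
! Default route out the OUTSIDE interface. 209.165.200.233 is an assumed
! next hop (the remote-site router on the 209.165.200.232/29 link).
route outside 0.0.0.0 0.0.0.0 209.165.200.233 1
!
! DHCP for inside hosts; the pool stays within 192.168.20.0/24
dhcpd address 192.168.20.10-192.168.20.100 inside
dhcpd enable inside
!
! PAT inside hosts to the outside interface address (wizard step 17)
object network inside-subnet
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Global service policy with the inspections checked in Step 2.
! icmp is not in the default set; without it echo replies to inside
! hosts are dropped and the connectivity pings in this lab fail.
class-map inspection_default
 match default-inspection-traffic
policy-map global-policy
 class inspection_default
  inspect dns
  inspect esmtp
  inspect ftp
  inspect h323 h225
  inspect http
  inspect icmp
  inspect ip-options
  inspect netbios
service-policy global-policy global
```

Paste it in configuration mode, then compare with show running-config after the wizard run; the wizard produces the same objects and policy, only with its own naming for the PAT object.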

Task 9: Verifying the Remote configuration.

1. From REMOTE-PC, Telnet to the INTERNET server using the username admin and the password cisco.

2. Enter exit.

3. From REMOTE-PC, Telnet to the DMZ server's outside address 209.165.200.229 using the username admin and the password cisco.

4. Enter exit.

5. Ensure you cannot Telnet to the LOCAL-PC or server from REMOTE-PC. No VPN exists yet and ASA1 permits no inbound connections to its inside network, so this must fail.

Configure the Site-To-Site VPN

For this part of the lab we will use ASDM to configure the Local and Remote sides of the Site-To-Site VPN.

Local site.

1. Open your browser and browse to https://192.168.2.1 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.

2. Once the Cisco ASDM-IDM Launcher has loaded, login to it with the name admin and password cisco.

3. From the menu bar select Wizards.

4. From the dropdown select VPN Wizards and then Site-to-Site VPN Wizard.

5. Click Next.

6. Enter the outside address of ASA2 (209.165.200.234) as the Peer IP Address.

7. Ensure the VPN Access Interface is outside.

8. Click Next.

9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.

10. Click Next.

11. From the Local Network dropdown select inside-subnet as the Local Network.

12. Select the Remote Network dropdown.

13. Click Add, select Network Object and enter the following:

Name: remote-subnet
Type: Network
IP Address: 192.168.20.0
Netmask: 255.255.255.0

14. Click OK.

15. Select remote-subnet as the Remote Network.

16. Click Next.

17. Enter cisco as the Pre-shared Key. The key must be identical on both peers; cisco is a lab value only, and a production tunnel needs a long random key.

18. Click Next.

19. Accept the defaults for the IKE Policy and IPsec Proposal.

20. Click Next.

21. Check the remaining two boxes (exempt the ASA-side network from address translation, and allow inbound IPsec sessions to bypass the interface access lists).

22. Click Next.

23. Ensure the configuration is correct and click Finish.

24. Click Send.

This completes the site-to-site VPN configuration on the Local site.

Remote site.

1. Open your browser, browse to https://192.168.2.2 and click the Install ASDM Launcher button to download and install the ASDM app from the ASA.

2. Once the Cisco ASDM-IDM Launcher has loaded, log in to it with the username admin and password cisco.

3. From the menu bar select Wizards.

4. From the dropdown select VPN Wizards and then Site-to-Site VPN Wizard.

5. Click Next.

6. Enter the outside address of ASA1 (209.165.200.226) as the Peer IP Address.

7. Ensure the VPN Access Interface is outside.

8. Click Next.

9. We will be using IKE version 1 for this lab, so uncheck IKE version 2.

10. Click Next.

11. From the Local Network dropdown select inside-subnet as the Local Network.

12. Select the Remote Network dropdown.

13. Click Add, select Network Object and enter the following:

Name: remote-subnet
Type: Network
IP Address: 192.168.10.0
Netmask: 255.255.255.0

14. Click OK.

15. Select remote-subnet as the Remote Network.

16. Click Next.

17. Enter cisco as the Pre-shared Key (it must match the key entered on ASA1).

18. Click Next.

19. Accept the defaults for the IKE Policy and IPsec Proposal. Both peers must offer at least one matching IKE policy and one matching IPsec proposal, which the identical defaults guarantee.

20. Click Next.

21. Check the remaining two boxes (exempt the ASA-side network from address translation, and allow inbound IPsec sessions to bypass the interface access lists).

22. Click Next.

23. Ensure the configuration is correct and click Finish.

24. Click Send.

This completes the site-to-site VPN configuration on the Remote site.
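Both ends of the tunnel the wizard builds, written out as ASA CLI (an added example for this lab, not output from the original document). The crypto map, ACL and object names follow the verification output later in the lab (outside_map, outside_cryptomap, inside-subnet, remote-subnet). The transform-set name ESP-AES-128-SHA and the policy number 10 are assumptions: the wizard installs several IKEv1 policies, and this is the AES/SHA/group 2 combination the negotiated SA shows. The closing IKEv2 block is a production alternative in ASA 9.x syntax, not part of this lab, with a placeholder where a long random key belongs.

```cisco
!===== ASA1 (local site): inside 192.168.10.0/24, outside 209.165.200.226 =====
object network inside-subnet
 subnet 192.168.10.0 255.255.255.0
object network remote-subnet
 subnet 192.168.20.0 255.255.255.0
!
! Interesting traffic for the crypto map (the wizard's Local/Remote Network screen)
access-list outside_cryptomap extended permit ip object inside-subnet object remote-subnet
!
! "Exempt ASA side host/network from address translation": identity NAT so that
! VPN traffic keeps its real source address instead of being PATed to the outside
nat (inside,outside) source static inside-subnet inside-subnet destination static remote-subnet remote-subnet no-proxy-arp route-lookup
!
! IKEv1 phase 1 (matches the AES/SHA/group 2 SA in the verification output)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! IPsec phase 2: transform set, crypto map entry, bind to the outside interface
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 209.165.200.234
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
!
! Peer authentication; the pre-shared key must be identical on both ASAs
tunnel-group 209.165.200.234 type ipsec-l2l
tunnel-group 209.165.200.234 ipsec-attributes
 ikev1 pre-shared-key cisco
!
! "Enable inbound IPsec sessions to bypass interface access lists"
sysopt connection permit-vpn

!===== ASA2 (remote site): the mirror image, only these lines differ =====
object network inside-subnet
 subnet 192.168.20.0 255.255.255.0
object network remote-subnet
 subnet 192.168.10.0 255.255.255.0
crypto map outside_map 1 set peer 209.165.200.226
tunnel-group 209.165.200.226 type ipsec-l2l
tunnel-group 209.165.200.226 ipsec-attributes
 ikev1 pre-shared-key cisco
! access-list, nat, ikev1 policy, transform set, remaining crypto map lines
! and sysopt are identical to ASA1

!===== Production alternative (ASA 9.x syntax, not used in this lab) =====
! IKEv2 with AES-256/SHA-256/DH group 14 and a long random key instead of "cisco";
! <long-random-key> is a placeholder
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map outside_map 1 set pfs group14
tunnel-group 209.165.200.234 ipsec-attributes
 ikev2 local-authentication pre-shared-key <long-random-key>
 ikev2 remote-authentication pre-shared-key <long-random-key>
```

The two things that most often break a wizard-built tunnel are visible here: the crypto ACL and the identity NAT must be exact mirrors of each other on the two peers, and the PSK must match character for character. A mismatch in the first shows up as a tunnel that passes traffic in one direction only; a mismatch in the second shows up as an IKE SA that never reaches MM_ACTIVE.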

Verifying the VPN configuration

1. From the REMOTE-PC, Telnet to the LOCAL server 192.168.10.200 using the username admin and password cisco.

2. Type exit.

3. From the REMOTE-PC, Telnet to the INTERNET server 209.165.200.11 using the username admin and password cisco.

4. Type exit.

5. From the REMOTE-PC, Telnet to the DMZ server 209.165.200.229 using the username admin and password cisco.

6. Type exit.

7. From the INTERNET server ensure you cannot access the inside of the LOCAL or REMOTE site.

8. From the command prompt of ASA2 issue the following commands and observe the output.

ASA2# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.165.200.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

ASA2# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234

      access-list outside_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 209.165.200.226

      #pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
      #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 201, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.165.200.234/0, remote crypto endpt.: 209.165.200.226/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 36C6AFF0
      current inbound spi : DCCD0B9F

    inbound esp sas:
      spi: 0xDCCD0B9F (3704425375)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373992/28356)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x36C6AFF0 (918990832)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4096, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373991/28356)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ASA2# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outside_cryptomap; 1 elements; name hash: 0x39bea18f
access-list outside_cryptomap line 1 extended permit ip object inside-subnet object remote-subnet (hitcnt=3) 0x6742cde6
  access-list outside_cryptomap line 1 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=5) 0x6742cde6

ASA2# sh vpn-sessiondb
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concur : Inactive
                             ----------------------------------------------
Site-to-Site VPN             :      1 :          1 :           1
  IKEv1 IPsec                :      1 :          1 :           1
---------------------------------------------------------------------------
Total Active and Inactive    :      1             Total Cumulative :      1
Device Total VPN Capacity    :      0
Device Load                  :     0%
***!! WARNING: Platform capacity exceeded !!***
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
                               Active : Cumulative : Peak Concurrent
                             ----------------------------------------------
IKEv1                        :      1 :          1 :               1
IPsec                        :      1 :          1 :               1
---------------------------------------------------------------------------
Totals                       :      2 :          2
---------------------------------------------------------------------------

What to look for: the IKE SA must show Type : L2L and State : MM_ACTIVE, meaning main mode completed and the pre-shared key and IKE policy matched (Role : initiator here because the Telnet from REMOTE-PC is what brought the tunnel up). In the IPsec SA the local and remote idents must be the two inside subnets, and both #pkts encaps and #pkts decaps must rise as you repeat the Telnet tests; encaps rising with decaps stuck at 0 means a one-way tunnel, which is almost always a crypto ACL or NAT-exemption mismatch on the far side. The hit counts on outside_cryptomap should rise with the same tests. The "Platform capacity exceeded" warning in show vpn-sessiondb appears because this emulated ASA has no VPN license and reports a capacity of 0; on licensed hardware the line shows the permitted peer count.
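The checks described above, automated: a small parser for the show crypto isakmp sa and show crypto ipsec sa output that flags the common failure modes (no phase 1, phase 1 not MM_ACTIVE, wrong proxy IDs, one-way traffic, send/receive errors, a missing ESP direction). This is an added example for this lab, not code from the original document; the two sample outputs are constructed from the verification output above and trimmed to the lines the checks read.

```python
"""Parse ASA 'show crypto isakmp sa' / 'show crypto ipsec sa' output and flag
the usual site-to-site failure modes. Added example for this lab, not part of
the original document; the samples below are constructed from the lab's
verification output and trimmed to the lines the checks use."""
import re

# Constructed sample: ASA2's view of the tunnel to ASA1
ISAKMP_SAMPLE = """\
IKEv1 SAs:

1   IKE Peer: 209.165.200.226
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
"""

IPSEC_SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 209.165.200.234

      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 209.165.200.226

      #pkts encaps: 201, #pkts encrypt: 201, #pkts digest: 201
      #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0xDCCD0B9F (3704425375)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0x36C6AFF0 (918990832)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""


def parse_isakmp(text):
    """One dict per IKE peer block: peer, type, role, rekey, state."""
    peers, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            peers.append(cur)
        elif cur is not None:
            for key, val in re.findall(r"(Type|Role|Rekey|State)\s*:\s*(\S+)", line):
                cur[key.lower()] = val
    return peers


def parse_ipsec(text):
    """One dict per crypto-map entry: peer, proxy identities (local_ident /
    remote_ident as (network, mask)), packet counters, ESP SPI per direction, PFS group."""
    entries, cur, direction = [], None, None
    for line in text.splitlines():
        m = re.search(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "counters": {}, "spis": {}, "pfs": None}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        m = re.search(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", line)
        if m:
            cur[m.group(1) + "_ident"] = (m.group(2), m.group(3))
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            cur["peer"] = m.group(1)
        for name, val in re.findall(r"#(pkts \w+|send errors|recv errors):\s*(\d+)", line):
            cur["counters"][name] = int(val)
        m = re.search(r"(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)
        m = re.search(r"spi:\s*(0x[0-9A-Fa-f]+)", line)
        if m and direction:
            cur["spis"][direction] = m.group(1)
        m = re.search(r"PFS Group (\d+)", line)
        if m:
            cur["pfs"] = int(m.group(1))
    return entries


def check_tunnel(isakmp, ipsec, peer, local_net, remote_net):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings = []
    ike = [p for p in isakmp if p["peer"] == peer]
    if not ike:
        findings.append("no IKE SA with %s: phase 1 never completed (peer, PSK or IKE policy mismatch)" % peer)
    elif ike[0].get("state") != "MM_ACTIVE":
        findings.append("IKE SA with %s is in state %s, expected MM_ACTIVE" % (peer, ike[0].get("state")))
    sas = [e for e in ipsec if e.get("peer") == peer]
    if not sas:
        findings.append("no IPsec SA toward %s: phase 2 not negotiated (transform set or crypto ACL)" % peer)
        return findings
    sa = sas[0]
    if sa.get("local_ident") != local_net or sa.get("remote_ident") != remote_net:
        findings.append("proxy IDs %s -> %s differ from expected %s -> %s"
                        % (sa.get("local_ident"), sa.get("remote_ident"), local_net, remote_net))
    c = sa["counters"]
    if c.get("pkts encaps", 0) == 0:
        findings.append("nothing encrypted: interesting traffic never reaches the crypto map (routing or NAT exemption here)")
    if c.get("pkts decaps", 0) == 0:
        findings.append("nothing decrypted: one-way tunnel, check the crypto ACL and NAT exemption on the peer")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("send/recv errors: %d/%d" % (c.get("send errors", 0), c.get("recv errors", 0)))
    if set(sa["spis"]) != {"inbound", "outbound"}:
        findings.append("missing ESP SA direction, have %s" % sorted(sa["spis"]))
    return findings
```

Feed it the two outputs captured from ASA2 (for example pasted into the two strings) and call check_tunnel with ASA1's outside address and the two inside subnets as (network, mask) tuples; an empty list is a healthy tunnel, and each finding names the side and the configuration item to look at first.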