Cisco ASA (8.4) to PIX (6.x) Site to Site VPN example

Here is a basic example of a site to site VPN between a Cisco ASA firewall running version 8.3 or higher, and a Cisco PIX firewall running version 6.x

Configuration for the Cisco ASA side of the connection:

Define network objects for your internal subnets:

object network Main-Office
subnet 192.168.1.0 255.255.255.0

object network Branch-Office
subnet 192.168.2.0 255.255.255.0

Create an access list for the VPN traffic using the network objects that you have created:

access-list VPN-to-Branch-Office extended permit ip object Main-Office object Branch-Office

Use double NAT (effictively no nat) to ensure the traffic travelling across the VPN tunnel will not have NAT applied to it:

nat (inside,outside) source static Main-Office Main-Office destination static Branch-Office Branch-Office

Create a transform set using the encryption of your choice, in this case AES 128:

crypto ipsec ikev1 transform-set myset-aes128 esp-aes esp-sha-hmac

Ensure IKE version 1 is enabled on the outside interface:

crypto ikev1 enable outside

Create a policy for phase 1 of the VPN connection:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

Configure a tunnel group containing the Pre Shared Key:

tunnel-group 172.16.0.2 type ipsec-l2l
tunnel-group 172.16.0.2 ipsec-attributes
ikev1 pre-shared-key My53cr3tPSK

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 match address VPN-to-Branch-Office
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.16.0.2            (This should be set to the ip of the outside interface of the PIX you are connecting to)
crypto map myvpnmap 10 set ikev1 transform-set myset-aes128
crypto map myvpnmap interface outside

 

Configuration for the Cisco PIX side of the connection:

Configure an access list for the VPN tunnel:

access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Make sure NAT is not applied to traffic passing across the VPN tunnel:

nat (inside) 0 access-list 100

Configure the PIX to permit IPSEC:

sysopt connection permit-ipsec

Create a policy for phase 1 of the VPN connection:

isakmp enable outside

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

Configure keepalives to match the default setting on the ASA of 10 seconds retry 2 seconds:

isakmp keepalive 10

Create a transform set to match the ASA end of the connection, in this case AES 128:

crypto ipsec transform-set myset-aes128 esp-aes esp-sha-hmac

Create a crypto map for phase 2 of the VPN connection:

crypto map myvpnmap 10 ipsec-isakmp
crypto map myvpnmap 10 match address 100
crypto map myvpnmap 10 set pfs group5
crypto map myvpnmap 10 set peer 172.168.0.1               (This should be set to the ip of the outside interface of the ASA you are connecting to)
crypto map myvpnmap 10 set transform-set myset-aes128
crypto map myvpnmap interface outside

Configure the Pre Shared Key to match the other end of the connection

isakmp key My53cr3tPSK address 172.16.0.1 netmask 255.255.255.255 no-xauth no-config-mode

Advertisements

13 Responses to Cisco ASA (8.4) to PIX (6.x) Site to Site VPN example

  1. Omms says:

    Could you also please put on example for where someone wants to do NAT in site-to-site VPN. Thanks really appreciate. eg: Nat local private subnet to public IP before sending traffic to destination Public IP on remote side firewall, which remote side firewall then NAT to their internal network…

    Omms

  2. siva says:

    For example both the branches having same Inside range. we do natting right?

    • oasysadmin says:

      What inside IP ranges are you using for your branch offices?

      • siva says:

        I mean to stay take two clients both have same internal ip range 192.168.18.0 then we do natting right?

      • oasysadmin says:

        So you mean to say you have

        LAN 1
        192.168.18.0/24 =
        =======VPN TUNNEL=========
        LAN 2
        192.168.18.0/24

        You could try natting, although I have never used a configuration like that before. I like my LAN clients to be able to communicate directly with each other over the VPN (i.e. no NAT). I always have a different subnet for each LAN.

        e.g.

        LAN 1
        192.168.18.0/24
        ========VPN TUNNEL=========
        LAN 2
        192.168.17.0/24

  3. junior says:

    I have the same equipment and network setup but getting one way traffic from the pix to the ASA. I can reach anything behind the ASA but equipment behind the ASA cannot reach the PIX.

    • oasysadmin says:

      Hi Junior, so the VPN tunnel is up and you can access devices behind the ASA from the LAN behind the PIX, but not devices behind the PIX from the LAN attached the the ASA? Check that you are not NATing VPN traffic from the PIX LAN to the ASA LAN. On the PIX that is this part of the config:

      access-list 100 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

      nat (inside) 0 access-list 100

  4. John Landers says:

    Thanks for a super article, it’s helped me as my Cisco knowledge is weak. Here’s another tip for anyone else who struggles like me – use a Cisco VPN configuration generator to start off your config, and then tweak it from there. Here’s a good one I use – http://www.whyaws.com/tools/cisco_gen.htm

  5. Jari says:

    I have asa Version 8.2(5)
    Does this example work in this version?

    Thanks!
    Jari

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: