Community Pick: Many members of our community have endorsed this article.

Simple Site to Site VPN with Cisco PIX or ASA Using GUI and/or CLI

Britt ThompsonSr. Systems Engineer
Published:
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration information, please see my article here: Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access.

Information to Gather Before Proceeding

If you're setting up two new devices all you will need is the device addresses and the rest can be decided while running the configuration wizard. Both devices will need to be configured identically in regards to encryption, pre-shared key, authentication algorithms and PFS.

* Note : When referring to the default settings I will be using the PIX Device Configuration Manager defaults. The ASA ASDM defaults are slightly different.

Addresses and Passwords
Peer Address(es) : we will use 200.199.199.205 local site and 201.189.199.205 at the remote site
Pre-Shared Key (password you intend to use with both devices or the existing password for the other device) :  we will use presharedkey
Host(s) Internal Network Subnet : we will use 10.0.15.0 at the local site and 192.168.15.0 at the remote site
IKE Policy Data
Encryption Level : we will use the default 3DES
Authentication Algorithm : we will use the default MD5
Diffie Hellman Group (DH Group) : we will use the default Group 2 (1024-bit)
Transform Set Data or IPSec Rules
Encryption Level : we will use the default 3DES
Authentication Algorithm : we will use the default MD5
PFS : we will use no PFS settings in this configuration

Configuring Your Site-Site VPN Using the Cisco PIX Device Manager (PDM) or Cisco ASA Device Manager (ASDM)

Using the ASDM site-site VPN wizard is the simplest and fastest way to establish your link if you have little experience with the Cisco command line interface. Unlike the client VPN wizard the site-site VPN wizard actually works very well.

1. Choose the VPN Type


After launching the ASDM or PDM go to the Wizards menu and choose VPN Wizard or IPSec VPN Wizard when using the ASA. The first section of the VPN wizard asks you to choose Site to Site VPN or Remote Access VPN, we are using the Site to Site VPN wizard.
VPN wizard PIX first step - Choose VPN Type VPN wizard ASA first step - Choose VPN Type

2. Set Peer Address and Pre-Shared Key


Next, you'll be asked for the remote site peer address (outside interface IP of the VPN appliance) and the pre-shared key. Enter the peer address for the remote site and your existing or new pre-shared key.
VPN wizard PIX second step - Remote Site Peer and Pre-Shared KeyVPN wizard ASA second step - Remote Site Peer and Pre-Shared Key  

3. IKE Policy Configuration


Thirdly, you'll need to choose the IKE policy information. We will use 3DES, MD5 and DH Group 2, which are the default settings in the wizard.
VPN wizard PIX third step - IKE PolicyVPN wizard ASA third step - IKE Policy

4. Transform Set / IPSec Rules


The fourth step asks you to choose the encryption and authentication algorithm to be used in the transform sets (IPSec rules in the ASA ASDM). Again, we will use the defaults of 3DES and MD5 (in the ASA configuration un-check the box that says Enable Perfect Forward Secrecy (PFS)).
VPN wizard PIX fourth step - Transform SetVPN wizard ASA fourth step - IPSec Rules

5. Configure Host Network(s) (PIX and ASA)


The fifth step in the PIX configuration is to configure the local host internal subnet to allow traffic to from the remote site. Here we add our subnet of 10.0.15.0 and 255.255.255.0 as the mask. This will create the first part of our access control list (ACL). The fifth step in the ASA combines steps 5 and 6 in a single section as shown in the image (the 10.0.3.0/24 syntax denotes a 255.255.255.0 mask). You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
VPN wizard PIX fifth step - IPSec Traffic Selector - Local SiteVPN wizard PIX fifth step - Hosts and Networks

6. Configure Remote Host Subnet (PIX only)


The last section in the PIX wizard is to choose the remote host internal subnet to finish our ACL. Here, we enter 192.168.15.0 and 255.255.255.0 as the mask. After entering this information and submitting your changes to the PIX you will get a pop-up asking you to create the host/network and give it a name. We will give it the name of REMOTE_SUBNET.You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
VPN wizard PIX sixth step - IPSec Traffic Selector - Remote SiteVPN wizard PIX sixth step - IPSec Traffic Selector - Add Remote Subnet* NOTE: after you click finish to complete the VPN wizard you will often get errors when using the PIX. Most of the time these errors can be ignored but make a note of the errors just in case.

7. Second Device Configuration Notes


After you have your first device configured (assuming you have a secondary device that is not setup for a site-site) you need to run the wizard using the settings identical to steps 2-4. The only difference in setting up the second device is choosing the peer address (the pre-shared key needs to be the same), which should be the address of the device we just configured, and the host networks. The host networks need to be exact opposites so you will need to flip-flop steps 5 and 6 when setting up the second device.

Once you've completed these steps for your second device your tunnel is ready to bring up. The tunnel will come to life as soon as traffic is initiated from one device to the other across the VPN tunnel. You can ping from one server to another and you'll likely notice the first try fails and the usually the second or third ping request will be a reply.

To see your tunnel status in the PDM go to the "Monitoring" button and choose "IPSec VPNs" under the VPN Statistics menu.
VPN wizard PIX seventh step - Tunnel StatusTo see your tunnel status in the ASDM go to the "Monitoring" button and choose "Sessions" under the VPN Statistics menu. Within the sessions section you can filter the VPN sessions by type and choose IPSec Site-Site.
VPN wizard ASA seventh step - Tunnel Status

Configuring or Making Changes to a Site-Site Using the CLI

I personally believe, after the site-site has been established, making changes or updating a configuration is done much easier through the command line interface. If you need to enable PFS on the PIX, change IKE settings, change the peer...you can do this quick and easy using the CLI.

The relevant PIX CLI lines for this configuration are:

Local PIX Device
name 10.0.15.0 LAN_SUBNET
                      name 192.168.15.0 REMOTE_SUBNET
                      
                      access-list outside_cryptomap_20 permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0 
                      
                      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
                      crypto map outside_map 20 ipsec-isakmp
                      crypto map outside_map 20 match address outside_cryptomap_20
                      crypto map outside_map 20 set peer 200.199.199.205
                      crypto map outside_map 20 set transform-set ESP-3DES-MD5
                      crypto map outside_map interface outside
                      isakmp enable outside
                      isakmp key ******** address 200.199.199.205 netmask 255.255.255.255 no-xauth no-config-mode 
                      isakmp identity address
                      isakmp nat-traversal 20
                      isakmp policy 20 authentication pre-share
                      isakmp policy 20 encryption 3des
                      isakmp policy 20 hash md5
                      isakmp policy 20 group 2
                      isakmp policy 20 lifetime 86400

Open in new window


Remote PIX Device
name 192.168.15.0 LAN_SUBNET
                      name 10.0.15.0 REMOTE_SUBNET
                      
                      access-list outside_cryptomap_20 permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0 
                      
                      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
                      crypto map outside_map 20 ipsec-isakmp
                      crypto map outside_map 20 match address outside_cryptomap_20
                      crypto map outside_map 20 set peer 201.189.199.205
                      crypto map outside_map 20 set transform-set ESP-3DES-MD5
                      crypto map outside_map interface outside
                      isakmp enable outside
                      isakmp key ******** address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode 
                      isakmp identity address
                      isakmp nat-traversal 20
                      isakmp policy 20 authentication pre-share
                      isakmp policy 20 encryption 3des
                      isakmp policy 20 hash md5
                      isakmp policy 20 group 2
                      isakmp policy 20 lifetime 86400

Open in new window


The relevant ASA CLI lines for this configuration are:

Local ASA Device
name 10.0.15.0 LAN_SUBNET
                      name 192.168.15.0 REMOTE_SUBNET
                      
                      access-list outside_1_cryptomap extended permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0 
                      
                      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
                      crypto ipsec security-association lifetime seconds 28800
                      crypto ipsec security-association lifetime kilobytes 4608000
                      crypto map vpn_map 1 match address outside_1_cryptomap
                      crypto map vpn_map 1 set peer 200.199.199.205 
                      crypto map vpn_map 1 set transform-set ESP-3DES-MD5
                      crypto map vpn_map interface outside
                      crypto isakmp identity address 
                      crypto isakmp enable outside
                      crypto isakmp policy 10
                       authentication pre-share
                       encryption 3des
                       hash md5
                       group 2
                       lifetime 86400
                      
                      tunnel-group 200.199.199.205 type ipsec-l2l
                      tunnel-group 200.199.199.205 ipsec-attributes
                       pre-shared-key *

Open in new window


Remote ASA Device
name 192.168.15.0 LAN_SUBNET
                      name 10.0.15.0 REMOTE_SUBNET
                      
                      access-list outside_1_cryptomap extended permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0 
                      
                      crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
                      crypto ipsec security-association lifetime seconds 28800
                      crypto ipsec security-association lifetime kilobytes 4608000
                      crypto map vpn_map 1 match address outside_1_cryptomap
                      crypto map vpn_map 1 set peer 201.189.199.205 
                      crypto map vpn_map 1 set transform-set ESP-3DES-MD5
                      crypto map vpn_map interface outside
                      crypto isakmp identity address 
                      crypto isakmp enable outside
                      crypto isakmp policy 10
                       authentication pre-share
                       encryption 3des
                       hash md5
                       group 2
                       lifetime 86400
                      
                      tunnel-group 201.189.199.205 type ipsec-l2l
                      tunnel-group 201.189.199.205 ipsec-attributes
                       pre-shared-key *

Open in new window


As you can see, the local and remote configuration are virtually identical aside from the LAN_SUBNET and REMOTE_SUBNET addresses and the peer addresses. These, obviously, will have to be reversed at the remote location from the local location settings. The above configurations can be copy/pasted into a device after updating the LAN_SUBNET, REMOTE_SUBNET, peer addresses, isakmp key or pre-shared key to match your environment.

If you need to change the remote peer address for your site-site you can simply remove and add the lines with the following commands:

The following will change the peer address in the Cisco PIX from 201.189.199.205 to 201.189.199.204

no crypto map outside_map 20 set peer 201.189.199.205
                      crypto map outside_map 20 set peer 201.189.199.204
                      no isakmp key ******** address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode 
                      isakmp key presharedkey address 201.189.199.204 netmask 255.255.255.255 no-xauth no-config-mode 

Open in new window


The following will change the peer address in the Cisco ASA from 201.189.199.205 to 201.189.199.204

no crypto map vpn_map 1 set peer 201.189.199.205
                      crypto map vpn_map 1 set peer 201.189.199.204
                      clear configure tunnel-group 201.189.199.205
                      tunnel-group 201.189.199.204 type ipsec-l2l
                      tunnel-group 201.189.199.204 ipsec-attributes
                         pre-shared-key presharedkey

Open in new window


After making changes to your tunnel group you may have to run a clear isakmp sa to flush the sa keys created by the tunnel. I've found that sometimes the tunnel still refuses to come up after changes are made and have had success copying the entire isakmp policy section to my clipboard and running a clear isakmp which completely removes the isakmp policy lines. Once the lines are removed you can re-add them by pasting them back in. The lines that will be cleared are as follows:

PIX ISAKMP Policy
isakmp enable outside
                      isakmp key ******** address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode 
                      isakmp identity address
                      isakmp nat-traversal 20
                      isakmp policy 20 authentication pre-share
                      isakmp policy 20 encryption 3des
                      isakmp policy 20 hash md5
                      isakmp policy 20 group 2
                      isakmp policy 20 lifetime 86400

Open in new window


ASA ISAKMP Policy
crypto isakmp identity address 
                      crypto isakmp enable outside
                      crypto isakmp policy 10
                       authentication pre-share
                       encryption 3des
                       hash md5
                       group 2
                       lifetime 86400

Open in new window


* Note: If you need to enable PFS just use this line on either device:
crypto map outside_map 20 set pfs group1

Open in new window



Basic Testing and Troubleshooting

To test the tunnel from the command line you'll need to pass traffic from a server or workstation from one end of the tunnel to the other to initiate the connection. To view the status of the tunnel you type show isakmp sa where you should receive a response that looks like this:

PIX Show ISAKMP SA
Total     : 1
                      Embryonic : 0
                              dst               src        state     pending     created
                         173.14.215.29              WAN    QM_IDLE         0           1

Open in new window


Above QM_IDLE means the tunnel is live and functional.

ASA Show ISAKMP SA
   Active SA: 1
                          Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
                      Total IKE SA: 1
                      
                      1   IKE Peer: 201.189.199.205
                          Type    : L2L             Role    : responder 
                          Rekey   : no              State   : MM_ACTIVE 

Open in new window


Above the MM_ACTIVE means the tunnel is live and functional.

If you are having trouble bringing your tunnel live you need to review your configuration lines and verify that every line matches up. Your transform set must use the same encryption, your hash must be identical, the DH Group must match, if you use PFS on one side it must be enabled and the same version on the other. This is the most common error when establishing a VPN tunnel. Also, don't forget your pre-shared key must be the same. If you still cannot bring the tunnel up you'll want to do some basic debugging to see the status of the tunnel. If you type debug crypto isakmp to initiate debugging mode and try to pass traffic across the tunnel you will see a mess of information regarding the tunnel connection. When you're finished debugging just type no debug crypto isakmp to stop the debugger. With your debugging info and your config files (show your entire configuration by typing wri t or write terminal) you can post a question on Experts Exchange and feel assured you will find a solution.

Links and Sources

Site-to-Site IPsec VPN Between ASA/PIX and an IOS Router Configuration Example
Command Line Site-Site Cheat Sheet
Technet: Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1
Cisco PIX Firewall and VPN Configuration Guide
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example
How to configure Site to Site VPN on a Cisco ASA
Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access
5
26,577 Views
Britt ThompsonSr. Systems Engineer

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.