
Cisco ASA Site-to-Site VPN Configuration (Command Line): Cisco ASA Training 101

642 ratings | 213006 views
http://www.soundtraining.net Author, speaker, and IT trainer Don R. Crawley demonstrates how to configure a site-to-site VPN between two Cisco ASA security appliances. The demo is based on software version 8.3(1) and uses IPSec, ISAKMP, tunnel-groups, Diffie-Hellman groups, and an access-list. The demo is based on the popular book "The Accidental Administrator: Cisco ASA Security Appliance: Step-by-Step Configuration Guide (http://amzn.com/1449596622) and includes a link where you can download a free copy of the configs and the network diagram.
Text Comments (131)
Hasan Reza (1 month ago)
## Command replaced in newer version by
crypto ikev2 enable outside
## Preshared key command
ikev1 pre-shared-key 0 pass1234
## Crypto Isakmp policy 10 ##
crypto ikev1 policy 10
## Crypto Isakmp policy 10 lifetime 86400 ##
crypto ikev1 policy 10 lifetime 86400
More as I work
Hasan Reza (1 month ago)
Excellent Vdo , It could not have been made simpler ,
The video is very helpful for VPN Creation for CISCO firewall using Site-to-Site / IPsec or SSL protocol to allow secure traffic between two or more networks. Configuration of VPN parameters on primary and pear device and setting up VPN Access Rule. Sancuro provide remote services. Purchase these services on https://www.sancuro.com/vpn-site-to-site-ipsec-ssl-configuration-in-cisco-firewall.html
CautionCU (2 months ago)
Nice videos broseph
kailash chandra (7 months ago)
This video is awesome so far and very helpful to configure Site To Site VPN.
Cary Budach (10 months ago)
I'm running identical 5505's, both fresh out of the box, both running 9.1(7)23. I've used the configs in this video in 4 other test scenarios. Today I tried for the 5th time. For the life of me, I've never been able to get the VPN working.
Rocking the ages (1 year ago)
Don, I was following along with this config. I noticed you configured the first tunnel group statement to be and stated that this was the "outside interface" address of the AS02 (remote) firewall. However, your diagram in the beginning of the video doesn't show that as being the IP address of the AS02 device. I recorded it to be I miss something?
Don Crawley (1 year ago)
Go with the actual address you assigned to the outside interface on ASA02. My apologies for the confusion. The key is to ensure the outside interface addresses on both ASAs are on the same subnet, since they're directly connected. In the real world, they would probably be on different subnets with a router (or routers) between them. Hope this clarifies. Thanks for your question.
Jimmy Kan (1 year ago)
Hello Don, I have two ASA5505 both running v8.2(5), I want to connect the two back to back on the outside interfaces, can this work with site2site vpn configurations. maybe you have a sample of how to do this. Thanks!
Don Crawley (1 year ago)
Hi Jimmy. Yes, you can do what you mentioned. I don't remember which software version I used in this video, but it could be 8.2. If not, try searching on this term "cisco asa 8.2 site to site vpn configuration example" and you'll find several guides. Thanks for your comment.
subh samal (1 year ago)
It is a request to provide the updated link to the downloadable free copy.
Don Crawley (1 year ago)
You're welcome! Thanks again for letting me know about the broken link.
subh samal (1 year ago)
You are awesome. Thank you.
Don Crawley (1 year ago)
Thanks for catching the broken link. It's fixed now. I'm sorry I missed it.
glennsftn (1 year ago)
Is there something you enabled for creating a S2S VPN? I've already generated RSA keys, and have both the inside and outside interfaces configured. I do not see the option to enable isakmp on the outside interface. System image file is "disk0:/asa921-k8.bin"
ciscoasa(config)# crypto isakmp ?
configure mode commands/options:
  disconnect-notify  Enable disconnect notification to peers
  identity           Set identity type (address, hostname or key-id)
  nat-traversal      Enable and configure nat-traversal
  reload-wait        Wait for voluntary termination of existing connections before reboot
ciscoasa(config)# crypto isakmp
ciscoasa(config)# show activation-key
Serial Number: XXXXXXXX
Running Permanent Activation Key: 0xXXXXXXXXXXXXXXXXXXXXXX
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
The flash permanent activation key is the SAME as the running permanent key.
glennsftn (1 year ago)
Huh! I wonder why they have IKE phase1 and phase 2 separate from ISAKMP. I'll play around with it. Thank you, sir, for the quick response.
Don Crawley (1 year ago)
The software version you're using is more recent than what was used in the video. In later versions of the software, Cisco changed from using the ISAKMP commands to IKE commands. Try this link: http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli.html
cornelius mcrae (1 year ago)
really good video
Jimmy Kan (2 years ago)
Don, when I get to the settings #crypto map outside_map 1 set (there's no pfs option, the only options are ikev1, peer and security-association) what should I use, I am using v8.4(2) Thanks!
Hello! Thank you for lessons!!! It helps me in my work! I need an advice. How VPN will work if I have two ASAs. MAIN ASA (has 2 up links to internet) and REMOTE ASA (has one link). And if MAIN channel on MAIN ASA will down off and MAIN ASA start work on BACK channel, how will work VPN? What I need to configure?
Jimmy Kan (2 years ago)
Hello Don, It looks like the instructions on this tutorial do not work on version 8.4(2)? mine is v8.4(2) and crypto has different configure mode (ikev1, ipsec, key and map) no isakmp. Thanks,
Don Crawley (2 years ago)
Jimmy, yes, you'll need to use the IKE commands instead of ISAKMP. Thanks for your comment.
Fabian Solis (2 years ago)
Hi, why when I try to configure the route, the last step, with my default gateway I receive the message "Invalid next hop address, it belongs to one of our interfaces". Thanks for your help.
Fabian Solis (2 years ago)
Hi Don, thanks for your answer. I realized that after reading some more documentation. The problem i'm having now is that I'm able to establish the tunnel but no data passes to either side. If you could give me any hint I'd be greatly appreciated.
Don Crawley (2 years ago)
Hi Fabian, when it's asking for the default gateway in the firewall's configuration, it's referring to the external gateway, which is probably your service provider's router. It can't be an interface on the ASA, because that would create a loop. Hope that helps.
Aiden Jayden (2 years ago)
It has a unique way for Cisco to connect to VPN, but its just too easy to use without tutorials https://www.hidemyass.com/vpn/r20594 Remember (No good thing comes free its Just $6 Monthly) give it a try, You will do same #wink
Ibrar Hussain (2 years ago)
Hi, Great video I configured L2L by watching this video and studying couple of articles on VPN, But i did an identical configuration on my ASA's and its working fine. Not only this your video helped me to configure DMZ as well, so thanks.
Sky1 (2 years ago)
If I put an administrative distance on that route statement could I use this as a Floating VPN route in case of an MPLS failure where the route disappears from the Routing table?
mohd ibrahim ali (2 years ago)
Excellent Channel, great help
Samih Khan (2 years ago)
hi all - can any one tell me if i do a password recovery on a ASA 5512 will it delete all my config etc?
soundtraining.net (2 years ago)
If password recovery has been disabled, it will delete your config.
Bernard Rivera (2 years ago)
Hi Don, Thanks for the video it help to solve my issue.. I have a question : why I cant ping vice versa? PC ASA02 ( can ping PC ASA01( But PC ASA01( can not ping PC ASA02 ( Pls. advice..
Md. Alamgir Hossain (2 years ago)
Thank you very much Sir! Just viewing your configuration steps, I have solved my problem.
Brahim NAITALI (2 years ago)
Thanks Sir, I have a question, is it possible to configure site to multiple sites vpn using ASA5510 ? I have a central site with asa5510 and multiple sites (cisco routers)must connected to it via adsl vpn, I used to use cisco router in the central site but the vpn is down due to material problem and I try to replace it by ASA5510
Dacia Sandero (3 years ago)
Thank you for this very good video especially the command at the end of the video called route, this blow my issue away :-) I am going to buy your book.
Thomas Pane (3 years ago)
I need to hook up 5 new offices to each other.  1 office will be the main office.  How can I do this?  What equipment would you recommend buying?   Thanks for the help.
Euan Phipps (3 years ago)
Hi Don, What if I had an MPLS connection on the same ASA and I wanted to route traffic destined for down towards the MPLS gateway? Why does all traffic ( go over the VPN if you specify a static route to the MPLS on the ASA?
Prashant Sharma (3 years ago)
This is the best VPN setup video on youtube so far. I am new to VPN learning and I watched videos well over 6-7 hours. No other video on sit-2-site vpn can beat this one. Thank you for making this video Don! God bless you  :)
ploperator (3 years ago)
you don't need to configure a default route, you should just configure a route to the remote subnet with the outside ip address of the remote firewall as the next hop.
Pedro Trejo (3 years ago)
Hi sr, It could be possible to configure a VPN between ASA IOS 8.4(5) and ASA IOS 7.2(2) ? Or I have to upgrade my firewall? Thanks
Don Crawley (3 years ago)
+Pedro Trejo My apologies for the delayed reply. Yes, you should be able to configure such a VPN, as long as the settings match on each end (except for IP addresses).
Boz Bostwick (3 years ago)
Hello, I'm actually from Tacoma, but that's not the point. I'm having an issue with the nat command. nat (inside,outside) 1 source static net-local net-local destination net-remote net-remote. The error carrot points to the comma in (inside,outside) and says -remote net-remote. All other commands up to this point have worked. I have Cisco ASA 5505 with 6.4(5). Any Ideas??
whead-Ul-Islam Akhand (3 years ago)
Sir....How can i get your video on ASA ?
whead-Ul-Islam Akhand (3 years ago)
thanks...Sir .
Don Crawley (3 years ago)
+whead-Ul-Islam Akhand All of my videos are available on YouTube at this time. There may be other places where you can access them in the future. Thanks for asking.
Jonathan Bignall (3 years ago)
Thanks for this informative video. I have been working with l2l VPN tunnels on Asa's and the old Pix appliances for some years, but I still learnt some useful stuff. That configuration looks much tidier and simpler than the one I've been using, I think I may have over complicated my acl, I will review it! Thanks again.
Manoj Kumar (3 years ago)
Hi Don, Thank you so much for this video I have one doubt where is ip address
Atman Ghemari (2 years ago)
I mean is it just an IP you have to use in both router as a gateway?
Atman Ghemari (2 years ago)
is this a default gateway in Firewall 1 site or in Firewall2 site? as I can see your 2 gateways are &
soundtraining.net (3 years ago)
Hi Manoj, Great question. The address is not shown on the diagram, but it represents a default gateway. Even in a point-to-point configuration, such as the one used for the video, it's still necessary to include a default gateway in order to bring up the tunnel. Thanks for your comment.
Manoj Yesodharan (4 years ago)
hi sir, I have ASA5512-X 9.1 IOS and Cisco 877 router on another side. Both sides have dynamic ip. I configured ASA and remote access via VPN client establishes but SITE-SITE VPN do not establish. ASA is replaced by Cisco 1841 router at Head office. All router at sites was connected to 1841 via dynamic ip VPN site to site. After i put ASA and configured tunnel is not establishing can you please help what went wrong.
Don Crawley (3 years ago)
Ah, that makes sense. I didn't realize you had a Linksys router in the mix. Thanks for clarifying.
Manoj Yesodharan (3 years ago)
I have set dyndns on linksys router to resolve the ip
Don Crawley (3 years ago)
+Manoj Yesodharan That's great! You're still going to have a challenge dealing with those dynamic IP addresses. Every time they change, you'll have to adjust your firewall's VPN settings. If they don't change very often, it should be too much of a problem for you. Thanks for your follow up comment. I really appreciate hearing how things are going.
Manoj Yesodharan (3 years ago)
i did it with dynamic ip and its working cool. thanks
soundtraining.net (3 years ago)
Hi Manoj, You're going to have difficulty getting a site-to-site VPN to work with dynamic addresses on the outside interfaces.The other issues sound to me like routing problems. Thanks for your comment.
Rockarina (4 years ago)
Hi Don, when backing up and copying configuration settings from one ASA-5505 to another will VPN configuration settings also be backed up when initiating the command in PuTTY? Probably a stupid question but im a web developer and am new to Working on Cisco Security Appliances.
soundtraining.net (3 years ago)
Hi Trocz, The simple answer is anything in the configuration file is backed up when you perform a copy running-config command. That includes the VPN configs. Thanks for your comment.
andryll barcarse (4 years ago)
Hi sir, is it possible to have a site to site VPN between cisco asa and sonicwall?
soundtraining.net (3 years ago)
Hi Andryll, Sure, as long as the settings on each end (protocols, key lengths, and other settings) match. It should work. :) Thanks for your comment.
F. Trappey (4 years ago)
is there a way to adjust the MTU size going across the tunnel on the ASA like you can on a router?
soundtraining.net (3 years ago)
Yes. See this page: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_complete_routed.html#wp1112567 Thanks for your comment.
Mohamed Elhatab (4 years ago)
Hi I had followed your direction and bought the book, it is an amazing startup to use. However, I am trying to install VPN in my Lab and able to get an the tunnel established but no ping to the other internal network  Let me know if you have any thoughts. I can post my configuration for the two sites if that possible! Thanks Mohamed
soundtraining.net (3 years ago)
Hi Mohamed, Make sure the firewalls on the target hosts allow ping packets (ICMP). That's the most common problem I see. Thanks for your comment.
diego IR (4 years ago)
I have a problem, im trying to configure 2 asa firewalls but running different ios versions, the first asa has ios 8.3 and the second has 8.4, i dont know how to to configure them since most examples describe scenarios with firewalls using same ios version and commands. help please!
soundtraining.net (3 years ago)
Hi Diegogiga, 8.3 and 8.4 are very similar. I haven't done that exact configuration, but I haven't had any trouble using 8.3 documentation on an ASA running 8.4.  Thanks for your comment.
david wang'ombe (4 years ago)
Hi Don, Thanks for the simple explanation. How would I go about this set up if one of the IPSEC end was terminating into a cisco router and not as ASA? ASA<-->CISCO 3745 Would I still need the tunnel group part of the configuration? 
soundtraining.net (3 years ago)
Hi David, The tunnel group command does several things, including identifying the peer at the other end of the connection. I haven't done the configuration you describe, but I don't see how it could work without a tunnel group. Thanks for your comment. Apologies for my delay in responding.
Sorry, but I am using ios 8.4.2 and unfortunately it has not the commands of crypto isakmp. example: crypto isakmp enable outside. It has not that and the other options. what could be the problem?
ploperator (4 years ago)
what about "crypto ikev1" ?
ciscoasa(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa(config)# crypto isakmp ?
configure mode commands/options:
  disconnect-notify  Enable disconnect notification to peers
  identity           Set identity type (address, hostname or key-id)
  nat-traversal      Enable and configure nat-traversal
  reload-wait        Wait for voluntary termination of existing connections before reboot
Plop Man (4 years ago)
Don, obviously this works but shouldn't there be part of the config where the DF group is specified?
KartingConnect.com (4 years ago)
Hi Don, I am stuck on the nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote....I am getting error message "ERROR: % Invalid input detected at '^' marker." What is the syntax since I am running 8.2(5) version? Thanks for your help. Bernard
soundtraining.net (4 years ago)
Bernard, the problem is that you're running version 8.2(5) of the software and this configuration only works in versions 8.3 and later. Cisco made a major change in syntax starting with version 8.3. Here's a link to a Cisco configuration guide for NAT on software version 8.2 and earlier. Good luck! Thanks for your comment.
Jeremy Roy (4 years ago)
You are my new hero. Thank you.
soundtraining.net (4 years ago)
No, you're my hero for watching the video and commenting! Thanks, Jeremy.
Cisco2Junos (4 years ago)
Thanks, hard to understand first if i am new to VPN but after playing 2 times i get to know the concept behind..
soundtraining.net (4 years ago)
Yeah, it's a lot of stuff to process if you're new to VPNs, but just keep working with it and you'll get it. Thanks for your comment.
Pyro72x (4 years ago)
I tried adding the following line to our new asa 5505 ver 8.2(5) and it would not take. nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote..Thoughts on a work around? I have added an access-list to the inside interface called NONAT and added the internal and external networks this way. I think may work thoughts?
Pyro72x (4 years ago)
Great thanks!
soundtraining.net (4 years ago)
Software versions prior to 8.3 use different syntax. For example, to configure NO NAT with your software, you use the "nat 0" statement. Here's a link with more information: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_bypassing.html#wp1080803 Hope that helps. Thanks for your comment.
MrTameem (4 years ago)
Its simple and helpful.... Do you have WAAS config videos ? anyway thanks for uploading ....cheers////
Branimir Karajcic (5 years ago)
That default route at the end is not necessary for site 2 site VPN. It is necessarily only if default route is not configured.
Branimir Karajcic (4 years ago)
+soundtraining.net Quick question if I am trying to set a second site to site VPN connection, should I use different map number? For example:
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
If I was gonna have:
crypto map another_map 1 match address another_1_cryptomap
crypto map another_map 1 set pfs group1
crypto map another_map 1 set peer
crypto map another_map 1 set transform-set ESP-3DES-SHA
crypto map another_map interface outside
Should "1" be something else or is the fact that outside_map is different than another_map enough?
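The ISAKMP-to-IKEv1 command mapping in Hasan Reza's comment above and the second-tunnel question in this comment, worked through as one added example. This is not the video's configuration or its downloadable configs; it is a complete 8.4+ site-to-site IPsec/IKEv1 configuration for one ASA (ASA01), with a second peer added to the same crypto map. All addresses are constructed documentation values (192.168.1.0/24 local, 192.168.2.0/24 and 192.168.3.0/24 remote, 203.0.113.x on the outside), the object, access-list and map names follow the video's naming, and the pre-shared keys are placeholders.

```cisco
! Added example, not from the video: ASA 8.4+ site-to-site IPsec/IKEv1, ASA01 side.
! Constructed addresses: inside 192.168.1.0/24, remote 192.168.2.0/24,
! peer outside 203.0.113.2, local ISP gateway 203.0.113.1. PSKs are placeholders.
!
! Phase 1: "crypto isakmp ..." from the video is "crypto ikev1 ..." in 8.4 and later.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! Network objects and the NAT exemption that keeps tunnel traffic from being NATed
! out to the Internet (same job as "nat 0" on pre-8.3 software).
object network net-local
 subnet 192.168.1.0 255.255.255.0
object network net-remote
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote
!
! Interesting traffic selected by the crypto map.
access-list outside_1_cryptomap extended permit ip object net-local object net-remote
!
! Phase 2: "crypto ipsec transform-set" became "crypto ipsec ikev1 transform-set".
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Crypto map sequence 1 for the first peer; "set transform-set" became
! "set ikev1 transform-set".
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! Peer identity and key; "pre-shared-key" became "ikev1 pre-shared-key".
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_STRONG_PSK
!
! Default route toward the ISP gateway, only if the ASA does not already have one.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! Second site: an interface can carry only one crypto map, so the second peer is a
! new sequence number (2) in outside_map, not a second map name.
object network net-remote2
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) 2 source static net-local net-local destination static net-remote2 net-remote2
access-list outside_2_cryptomap extended permit ip object net-local object net-remote2
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 203.0.113.3
crypto map outside_map 2 set ikev1 transform-set ESP-AES256-SHA
tunnel-group 203.0.113.3 type ipsec-l2l
tunnel-group 203.0.113.3 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SECOND_PSK
!
! Verification after a host behind ASA01 sends traffic toward 192.168.2.0/24:
!   show crypto ikev1 sa        (phase 1 should show a peer in MM_ACTIVE)
!   show crypto ipsec sa        (phase 2 encaps/decaps counters should increase)
!   packet-tracer input inside icmp 192.168.1.10 8 0 192.168.2.10
!                               (shows whether the NAT exemption and crypto map match)
```

The peer side (ASA02) mirrors this with the subnets, peer address and gateway swapped; everything else, including the policy, transform set and PFS group, has to match on both ends. The example uses AES-256 and DH group 5 rather than the 3DES and group1 seen in some of the comments here: group1 is a 768-bit modulus and 3DES is a legacy cipher, and neither should be chosen for a new tunnel when the peer supports stronger options. Each tunnel-group should also get its own pre-shared key, so that a key leaked from one site does not let its holder impersonate another.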
soundtraining.net (5 years ago)
You're correct. If you already have a default route configured, it's not necessary to configure a new one. Thanks for your comment.
ploperator (5 years ago)
doesn't configuring a default route that points to the other ASA mean that traffic whether it's encrypted or not can't go anywhere but to the other ASA?
ploperator (5 years ago)
why is it phase 1 things like isakmp timeouts and preshared key are configured under IPsec attributes?
ploperator (5 years ago)
what does the tunnel-group command do?
ploperator (5 years ago)
is this a route based vpn or policy based? I confused
ReadAboutJesus InQuran (5 years ago)
This is so confusing. Sometimes this video shows without Routers and sometimes with Routers. What is going on? The other video has a gateway of
ploperator (5 years ago)
Don, I'm using 8.4 but can't even type the command 'crypto isakmp enable outside'. Has there been a change to this command that you know of? Or am I going bonkers?
soundtraining.net (5 years ago)
Hi Peter, the NAT statement (nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote) is confusing, isn't it? It's designed to prevent VPN traffic from being NAT'd out onto the Internet instead of going across the tunnel. It has the same effect as the old NAT 0 command from earlier versions of the ASA software. Thanks for your question.
Peter Taylor (5 years ago)
Hi Don, Can you explain why you are using nat (inside,outside) rule with this VPN as with this configuration you already have reachability between your remote sites without NAT
soundtraining.net (5 years ago)
Glad you like it. Thanks for the comment.
KRISHNA KUMAR A (5 years ago)
Simple and Clear....Thanks for the Video.....
soundtraining.net (5 years ago)
I'm glad you like it. Thanks for your comment.
Pradeep BC (5 years ago)
very Nice and clear :)
soundtraining.net (5 years ago)
I'm glad you like it. Thanks for your comment.
Vincent Isom (5 years ago)
Great video
Minh Truong (5 years ago)
Thanks ur video...
soundtraining.net (5 years ago)
Thanks for the suggestion. I'll definitely consider producing a Packet Tracer video. Great idea!
Dave Tejas (5 years ago)
Please Upload same video in Packet Tracer.
soundtraining.net (5 years ago)
Sorry about the delay in replying. I don't currently have videos on the topics you mentioned, but will certainly consider producing them. Thanks for the suggestion!
soundtraining.net (5 years ago)
Currently working on making a video on remote access VPNs. I needed to add more flash memory, so I'm waiting for it to arrive. Should have the video ready soon, maybe by this weekend.
soundtraining.net (5 years ago)
I'm glad you liked it. Yes, I'll consider creating a video on remote access VPNs. Subscribe to the channel to learn when the video is completed and uploaded.
Deep Diddi (5 years ago)
your video was really helpful, can you kindly explain how to create remote access VPN as well plz.
familjabakija (5 years ago)
Mr. Crawley congrats to very good presentation. I'm trying to use your instructions getting VPN between two ASA Firewalls. ASA version 8.2.5. I can create net-local and net-remote but when I try to type subnet command - error message. The rest of config can be done except nat (inside,outside) ...- which is related to network objects. My question: Is it a substitute command (ASA v8.2.5) for those two commands ( creating network objects and nat (inside,outside) ...). thanks.
suggst65 (6 years ago)
Don Crawley (6 years ago)
The cryptomap and the ACL are two separate components of the configuration. The ACL identifies the traffic flow from one inside subnet to the other inside subnet. The cryptomap settings that interact with the other appliance must match, for example the transform set settings such as IPSec and hash algorithms on one appliance must match the other. Really, for simplicity, I always try to make both ends of the tunnel mirror each other, except, obviously, for IP addresses.
suggst65 (6 years ago)
How important is it to match the services applied in your ACL (Cryptomap) to your peers ACL?
nunyabizniss (6 years ago)
Excellent video!
soundtraining.net (6 years ago)
Check your ASA's software version number. The video is based on 8.3 with a base license. If you're running a different version, your command options may be different. Good luck!
message 2/2 (These are my options:)
FractalRocks55(config)# crypto isakmp ?
configure mode commands/options:
  disconnect-notify  Enable disconnect notification to peers
  identity           Set identity type (address, hostname or key-id)
  nat-traversal      Enable and configure nat-traversal
  reload-wait        Wait for voluntary termination of existing connections before reboot
that's all I have, can you help, thx, Jonathan
message 1/2 your video is very interesting but it seems I don't have the same menus on my ASA5505 -: For example, you have the command: "(config) crypto isakmp enable outside" - I don't have that command "... enable outside" also: you do: "(config) crypto isakmp policy 10 ..." I don't have that command "... policy 10" These are my options: see second message
Joshua Leaser (6 years ago)
Check out one of the best Free VPN with Download link and Tut. !! watch?v=W7rZLuphFgw
Gianluca Del Vecchio (6 years ago)
@marioosh80 I tried with two ASA directly connected... if I configure the routing like in the clip (route outside 0 0 it works but if I configure the only route to the remote peer (route outside it doesn't work. Do you know the cause please? thanks
Gianluca Del Vecchio (6 years ago)
I tried with two ASA directly connected... if I configure the routing like in the clip (route outside 0 0 it works but if I configure the only route to the remote peer (route outside it doesn't work. Do you know the cause please? thanks
marioosh80 (6 years ago)
Nice video. My suggestion to configure NAT in less confusing way is to create an access list (something like: access-list extended nat0 permit ip object net-local object net-remote) and then apply nat (inside) 0 access-list nat0
soundtraining.net (7 years ago)
@wonderland1111 This only applies to ASA devices. I took a quick look at the WRV210 and I'd be surprised if its interface was the same as an ASA. I wish I had better news for you, but thanks for the question.
Gonzalo Fernandez (7 years ago)
is this aplicable to a cisco wrv210??? thanks