How to configure VPN between Cisco Router and ASA Firewall?

System Administrator

SITE TO SITE VPN BETWEEN CISCO ROUTER AND CISCO ASA USING IKEV1 WITH DIGITAL CERTIFICATE

In our topology, R1 and ASA1 are the VPN peers, with C1 and C2 as the end clients that will communicate with each other through the secure tunnel; R2 is the router in between, routing only public IP addresses.

Before the VPN configuration, we have made the VPN peers reachable to each other, and a DIGITAL CERTIFICATE has been enrolled on both peers.

We are using:

  • AES as the encryption algorithm (for IKE phase 1 and IKE phase 2)
  • SHA as the hashing algorithm (for IKE phase 1 and IKE phase 2)
  • Diffie-Hellman group 5


THE VPN CONFIGURATION IS AS FOLLOWS

On R1, in global configuration mode:

  ! IKE phase 1 (ISAKMP) policy: certificate authentication, AES, SHA, DH group 5
  crypto isakmp policy 1
    authentication rsa-sig
    encryption aes
    hash sha
    group 5
    lifetime 1800
    exit
  ! Send the certificate DN as the IKE identity
  crypto isakmp identity dn
  ! IKE phase 2 (IPsec) transform set and SA lifetime
  crypto ipsec transform-set MY-SET esp-aes esp-sha-hmac
    mode tunnel
    exit
  crypto ipsec security-association lifetime seconds 1800
  ! Interesting traffic between the two client LANs (IOS ACLs use wildcard masks)
  access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
  ! Crypto map tying the transform set, the peer (ASA1's public address) and the ACL together
  crypto map MY-MAP 10 ipsec-isakmp
    set transform-set MY-SET
    set peer 102.1.1.100
    match address 101
    exit
  ! Apply the crypto map to the outside interface
  int f0/0
    crypto map MY-MAP
    exit

ON ASA1:

  ! IKE phase 1 policy (ASA 8.4+ syntax, matching the ikev1 commands below;
  ! older releases use "crypto isakmp policy 1")
  crypto ikev1 policy 1
    authentication rsa-sig
    encryption aes
    hash sha
    group 5
    lifetime 1800
    exit
  ! Tunnel group for the router peer (R1's public address), authenticated with the enrolled trustpoint
  tunnel-group 101.1.1.100 type ipsec-l2l
  tunnel-group 101.1.1.100 ipsec-attributes
    ikev1 trust-point ABCD
    exit
  ! IKE phase 2 transform set and SA lifetime
  crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 1800
  ! Interesting traffic, the mirror image of R1's ACL (ASA ACLs use subnet masks)
  access-list 102 permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0
  ! Crypto map, bound to the outside interface
  crypto map MY-MAP 10 set ikev1 transform-set MY-SET
  crypto map MY-MAP 10 set peer 101.1.1.100
  crypto map MY-MAP 10 match address 102
  crypto map MY-MAP 10 set trustpoint ABCD
  crypto map MY-MAP interface outside
  ! Enable IKEv1 on the outside interface
  crypto ikev1 enable outside

I hope it solves your query. It's a basic practical and part of the CCNP Security certification syllabus. If you want to learn more about VPN technologies, you can prepare for the CCNP Security and CCIE Security certifications through a training institute or by self-study.

Please don't hesitate to post your doubts in the comments section. We are here to help.


Practical and solution provided by Mr. Vishwajeet Rathore - Sr. Trainer - NB
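As an added example (not code from the answer above), a small Python check that parses the lines both peers must agree on and reports the mismatches that most often stop phase 1 or phase 2 from completing: differing ISAKMP policy attributes, differing transform sets, and crypto ACLs that are not mirror images (the IOS ACL uses a wildcard mask while the ASA ACL uses a subnet mask). The two sample configs are constructed from the values in the answer.

```python
import ipaddress
import re

# Constructed sample configs, trimmed to the lines that must agree on both peers.
R1_CFG = """crypto isakmp policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto ipsec transform-set MY-SET esp-aes esp-sha-hmac
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255"""
ASA_CFG = """crypto ikev1 policy 1
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 1800
crypto ipsec ikev1 transform-set MY-SET esp-aes esp-sha-hmac
access-list 102 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0"""
PHASE1_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def phase1(cfg):
    """Attributes of the IKE phase-1 policy in cfg (first occurrence of each key wins)."""
    pairs = [line.split() for line in cfg.splitlines()]
    return {p[0]: p[1] for p in reversed(pairs) if len(p) == 2 and p[0] in PHASE1_KEYS}

def transform_set(cfg):
    """ESP transforms of the IPsec transform-set, e.g. ('esp-aes', 'esp-sha-hmac')."""
    m = re.search(r"transform-set \S+ (.+)", cfg)
    return tuple(m.group(1).split()) if m else ()

def crypto_acl(cfg):
    """(src, dst) networks of the crypto ACL; ip_network accepts a wildcard or a subnet mask."""
    m = re.search(r"access-list \S+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    s_ip, s_mask, d_ip, d_mask = m.groups()
    return (ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False),
            ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False))

def check_peers(a_cfg, b_cfg):
    """List the mismatches between two site-to-site peers; an empty list means consistent."""
    problems = []
    p1a, p1b = phase1(a_cfg), phase1(b_cfg)
    for key in PHASE1_KEYS:
        if p1a.get(key) != p1b.get(key):
            problems.append(f"phase1 {key}: {p1a.get(key)} vs {p1b.get(key)}")
    if transform_set(a_cfg) != transform_set(b_cfg):
        problems.append("phase2 transform-set differs")
    (a_src, a_dst), (b_src, b_dst) = crypto_acl(a_cfg), crypto_acl(b_cfg)
    if (a_src, a_dst) != (b_dst, b_src):  # each side's ACL must mirror the other's
        problems.append(f"crypto ACLs not mirrored: {a_src}->{a_dst} vs {b_src}->{b_dst}")
    return problems
```

Run `check_peers(R1_CFG, ASA_CFG)` against the two configs; an empty list means both peers agree, and each reported string names the attribute to fix on one side.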

Principal Network Architect - Array Networks

Amazing reply Paras sir.
