Simple Site to Site VPN with Cisco PIX or ASA Using GUI and/or CLI
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration information, please see my article here: Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access.
Information to Gather Before Proceeding
If you're setting up two new devices, all you will need are the device addresses; the rest can be decided while running the configuration wizard. Both devices will need to be configured identically in regards to encryption, pre-shared key, authentication algorithms and PFS.
* Note : When referring to the default settings I will be using the PIX Device Configuration Manager defaults. The ASA ASDM defaults are slightly different.
Addresses and Passwords
Peer Address(es) : we will use 200.199.199.205 local site and 201.189.199.205 at the remote site
Pre-Shared Key (password you intend to use with both devices or the existing password for the other device) : we will use presharedkey
Host(s) Internal Network Subnet : we will use 10.0.15.0 at the local site and 192.168.15.0 at the remote site
IKE Policy Data
Encryption Level : we will use the default 3DES
Authentication Algorithm : we will use the default MD5
Diffie-Hellman Group (DH Group) : we will use the default Group 2 (1024-bit)
Transform Set Data or IPSec Rules
Encryption Level : we will use the default 3DES
Authentication Algorithm : we will use the default MD5
PFS : we will use no PFS settings in this configuration
Configuring Your Site-Site VPN Using the Cisco PIX Device Manager (PDM) or Cisco ASA Device Manager (ASDM)
Using the ASDM site-site VPN wizard is the simplest and fastest way to establish your link if you have little experience with the Cisco command line interface. Unlike the client VPN wizard, the site-site VPN wizard actually works very well.
1. Choose the VPN Type
After launching the ASDM or PDM, go to the Wizards menu and choose VPN Wizard (or IPSec VPN Wizard when using the ASA). The first section of the VPN wizard asks you to choose Site to Site VPN or Remote Access VPN; we are using the Site to Site VPN wizard.
2. Set Peer Address and Pre-Shared Key
Next, you'll be asked for the remote site peer address (outside interface IP of the VPN appliance) and the pre-shared key. Enter the peer address for the remote site and your existing or new pre-shared key.
3. IKE Policy Configuration
Thirdly, you'll need to choose the IKE policy information. We will use 3DES, MD5 and DH Group 2, which are the default settings in the wizard.
4. Transform Set / IPSec Rules
The fourth step asks you to choose the encryption and authentication algorithm to be used in the transform sets (IPSec rules in the ASA ASDM). Again, we will use the defaults of 3DES and MD5 (in the ASA configuration un-check the box that says Enable Perfect Forward Secrecy (PFS)).
5. Configure Host Network(s) (PIX and ASA)
The fifth step in the PIX configuration is to configure the local host internal subnet to allow traffic to and from the remote site. Here we add our subnet of 10.0.15.0 with 255.255.255.0 as the mask. This will create the first part of our access control list (ACL). The fifth step in the ASA combines steps 5 and 6 in a single section as shown in the image (the 10.0.3.0/24 syntax denotes a 255.255.255.0 mask). You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
6. Configure Remote Host Subnet (PIX only)
The last section in the PIX wizard is to choose the remote host internal subnet to finish our ACL. Here, we enter 192.168.15.0 with 255.255.255.0 as the mask. After entering this information and submitting your changes to the PIX you will get a pop-up asking you to create the host/network and give it a name. We will give it the name REMOTE_SUBNET. You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue. * NOTE: after you click Finish to complete the VPN wizard you will often get errors when using the PIX. Most of the time these errors can be ignored, but make a note of them just in case.
7. Second Device Configuration Notes
After you have your first device configured (assuming you have a second device that is not set up for a site-site), you need to run the wizard on it using settings identical to steps 2-4. The only differences in setting up the second device are the peer address (the pre-shared key needs to be the same), which should be the outside address of the device we just configured, and the host networks. The host networks need to be exact opposites, so you will need to flip-flop steps 5 and 6 when setting up the second device.
Once you've completed these steps for your second device your tunnel is ready to bring up. The tunnel will come to life as soon as traffic is initiated from one device to the other across the VPN tunnel. You can ping from one server to another; you'll likely notice the first try fails and usually the second or third ping request gets a reply.
To see your tunnel status in the PDM go to the "Monitoring" button and choose "IPSec VPNs" under the VPN Statistics menu. To see your tunnel status in the ASDM go to the "Monitoring" button and choose "Sessions" under the VPN Statistics menu. Within the sessions section you can filter the VPN sessions by type and choose IPSec Site-Site.
Configuring or Making Changes to a Site-Site Using the CLI
I personally believe that, after the site-site has been established, making changes or updating a configuration is done much more easily through the command line interface. If you need to enable PFS on the PIX, change IKE settings, change the peer...you can do this quickly and easily using the CLI.
The relevant PIX CLI lines for this configuration are:
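Written out as an added example from the article's addresses and defaults (3DES, MD5, DH group 2, no PFS), in PIX 6.3 syntax; this is not the author's own listing. The ACL name, crypto map name and sequence number, and the `name` entries for LAN_SUBNET and REMOTE_SUBNET are assumptions; comment lines use the PIX colon convention.

```cisco
: ---- Local PIX (outside 200.199.199.205, inside 10.0.15.0/24) ----
: Assumed names for the two subnets; the wizard creates REMOTE_SUBNET
names
name 10.0.15.0 LAN_SUBNET
name 192.168.15.0 REMOTE_SUBNET
: Interesting traffic: only this local<->remote pair is encrypted,
: and the same ACL exempts it from NAT so private addresses survive
access-list outside_cryptomap_20 permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0
nat (inside) 0 access-list outside_cryptomap_20
: Let decrypted VPN traffic bypass the outside interface ACL
sysopt connection permit-ipsec
: Phase 2 (IPsec): 3DES/MD5 transform set, no "set pfs" line = no PFS
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.189.199.205
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
: Phase 1 (IKE): pre-shared key bound to the remote peer's address;
: these algorithm defaults are the article's, newer code prefers
: AES/SHA-2 and larger DH groups
isakmp enable outside
isakmp identity address
isakmp key presharedkey address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
:
: ---- Remote PIX (outside 201.189.199.205, inside 192.168.15.0/24) ----
: Everything else is identical; only the subnet names swap and the
: peer address (key binding included) points back at the local PIX
name 192.168.15.0 LAN_SUBNET
name 10.0.15.0 REMOTE_SUBNET
crypto map outside_map 20 set peer 200.199.199.205
isakmp key presharedkey address 200.199.199.205 netmask 255.255.255.255 no-xauth no-config-mode
```

Every line in the isakmp policy and transform set must match on both ends; the peer address and the key binding are the only lines that legitimately differ.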
As you can see, the local and remote configurations are virtually identical aside from the LAN_SUBNET and REMOTE_SUBNET addresses and the peer addresses. These, obviously, will have to be reversed at the remote location relative to the local settings. The above configurations can be copy/pasted into a device after updating the LAN_SUBNET, REMOTE_SUBNET, peer addresses, and isakmp key or pre-shared key to match your environment.
If you need to change the remote peer address for your site-site you can simply remove and add the lines with the following commands:
The following will change the peer address in the Cisco PIX from 201.189.199.205 to 201.189.199.204:
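The peer change as an added example in PIX 6.3 syntax (not the author's lines); the crypto map name outside_map and sequence number 20 are assumptions.

```cisco
: Re-point the local PIX from peer 201.189.199.205 to 201.189.199.204
: 1. Swap the peer on the crypto map entry
no crypto map outside_map 20 set peer 201.189.199.205
crypto map outside_map 20 set peer 201.189.199.204
: 2. The pre-shared key is bound to the peer IP: drop the stale entry
:    for the old peer and add one for the new peer
no isakmp key presharedkey address 201.189.199.205 netmask 255.255.255.255
isakmp key presharedkey address 201.189.199.204 netmask 255.255.255.255 no-xauth no-config-mode
: 3. Flush the IKE SAs negotiated with the old peer, then save
clear isakmp sa
write memory
```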
After making changes to your tunnel group you may have to run clear isakmp sa to flush the SAs created by the tunnel. I've found that sometimes the tunnel still refuses to come up after changes are made, and I have had success copying the entire isakmp policy section to my clipboard and running clear isakmp, which completely removes the isakmp policy lines. Once the lines are removed you can re-add them by pasting them back in. The lines that will be cleared are as follows:
To test the tunnel from the command line you'll need to pass traffic from a server or workstation at one end of the tunnel to the other to initiate the connection. To view the status of the tunnel, type show isakmp sa; you should receive a response that looks like this:
PIX Show ISAKMP SA
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   173.14.215.29         WAN       QM_IDLE       0           1
Above, QM_IDLE means the tunnel is live and functional.
ASA Show ISAKMP SA
   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 201.189.199.205
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
Above, MM_ACTIVE means the tunnel is live and functional.
If you are having trouble bringing your tunnel up you need to review your configuration lines and verify that every line matches on both ends. Your transform sets must use the same encryption, your hash must be identical, the DH Group must match, and if you use PFS on one side it must be enabled with the same group on the other. Mismatches here are the most common error when establishing a VPN tunnel. Also, don't forget that your pre-shared key must be the same.
If you still cannot bring the tunnel up you'll want to do some basic debugging to see the status of the tunnel. Type debug crypto isakmp to enable debugging and then try to pass traffic across the tunnel; you will see a mess of information regarding the tunnel negotiation. When you're finished debugging, type no debug crypto isakmp to stop the debugger. With your debugging info and your config files (show your entire configuration by typing wri t or write terminal) you can post a question on Experts Exchange and feel assured you will find a solution.