Simple Site to Site VPN with Cisco PIX or ASA Using GUI and/or CLI
Published on
35,379 Points
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration information, please see my article here: Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access.
* Note : When referring to the default settings I will be using the PIX Device Configuration Manager defaults. The ASA ASDM defaults are slightly different.
Addresses and Passwords
After launching the ASDM or PDM go to the Wizards menu and choose VPN Wizard or IPSec VPN Wizard when using the ASA. The first section of the VPN wizard asks you to choose Site to Site VPN or Remote Access VPN, we are using the Site to Site VPN wizard.
Next, you'll be asked for the remote site peer address (outside interface IP of the VPN appliance) and the pre-shared key. Enter the peer address for the remote site and your existing or new pre-shared key.
Thirdly, you'll need to choose the IKE policy information. We will use 3DES, MD5 and DH Group 2, which are the default settings in the wizard.
The fourth step asks you to choose the encryption and authentication algorithm to be used in the transform sets (IPSec rules in the ASA ASDM). Again, we will use the defaults of 3DES and MD5 (in the ASA configuration un-check the box that says Enable Perfect Forward Secrecy (PFS)).
The fifth step in the PIX configuration is to configure the local host internal subnet to allow traffic to from the remote site. Here we add our subnet of 10.0.15.0 and 255.255.255.0 as the mask. This will create the first part of our access control list (ACL). The fifth step in the ASA combines steps 5 and 6 in a single section as shown in the image (the 10.0.3.0/24 syntax denotes a 255.255.255.0 mask). You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
The last section in the PIX wizard is to choose the remote host internal subnet to finish our ACL. Here, we enter 192.168.15.0 and 255.255.255.0 as the mask. After entering this information and submitting your changes to the PIX you will get a pop-up asking you to create the host/network and give it a name. We will give it the name of REMOTE_SUBNET.You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
* NOTE: after you click finish to complete the VPN wizard you will often get errors when using the PIX. Most of the time these errors can be ignored but make a note of the errors just in case.
After you have your first device configured (assuming you have a secondary device that is not setup for a site-site) you need to run the wizard using the settings identical to steps 2-4. The only difference in setting up the second device is choosing the peer address (the pre-shared key needs to be the same), which should be the address of the device we just configured, and the host networks. The host networks need to be exact opposites so you will need to flip-flop steps 5 and 6 when setting up the second device.
Once you've completed these steps for your second device your tunnel is ready to bring up. The tunnel will come to life as soon as traffic is initiated from one device to the other across the VPN tunnel. You can ping from one server to another and you'll likely notice the first try fails and the usually the second or third ping request will be a reply.
To see your tunnel status in the PDM go to the "Monitoring" button and choose "IPSec VPNs" under the VPN Statistics menu.
To see your tunnel status in the ASDM go to the "Monitoring" button and choose "Sessions" under the VPN Statistics menu. Within the sessions section you can filter the VPN sessions by type and choose IPSec Site-Site.
The relevant PIX CLI lines for this configuration are:
Local PIX Device
Remote PIX Device
The relevant ASA CLI lines for this configuration are:
Local ASA Device
Remote ASA Device
As you can see, the local and remote configuration are virtually identical aside from the LAN_SUBNET and REMOTE_SUBNET addresses and the peer addresses. These, obviously, will have to be reversed at the remote location from the local location settings. The above configurations can be copy/pasted into a device after updating the LAN_SUBNET, REMOTE_SUBNET, peer addresses, isakmp key or pre-shared key to match your environment.
If you need to change the remote peer address for your site-site you can simply remove and add the lines with the following commands:
The following will change the peer address in the Cisco PIX from 201.189.199.205 to 201.189.199.204
The following will change the peer address in the Cisco ASA from 201.189.199.205 to 201.189.199.204
After making changes to your tunnel group you may have to run a clear isakmp sa to flush the sa keys created by the tunnel. I've found that sometimes the tunnel still refuses to come up after changes are made and have had success copying the entire isakmp policy section to my clipboard and running a clear isakmp which completely removes the isakmp policy lines. Once the lines are removed you can re-add them by pasting them back in. The lines that will be cleared are as follows:
PIX ISAKMP Policy
ASA ISAKMP Policy
* Note: If you need to enable PFS just use this line on either device:
PIX Show ISAKMP SA
Above QM_IDLE means the tunnel is live and functional.
ASA Show ISAKMP SA
Above the MM_ACTIVE means the tunnel is live and functional.
If you are having trouble bringing your tunnel live you need to review your configuration lines and verify that every line matches up. Your transform set must use the same encryption, your hash must be identical, the DH Group must match, if you use PFS on one side it must be enabled and the same version on the other. This is the most common error when establishing a VPN tunnel. Also, don't forget your pre-shared key must be the same. If you still cannot bring the tunnel up you'll want to do some basic debugging to see the status of the tunnel. If you type debug crypto isakmp to initiate debugging mode and try to pass traffic across the tunnel you will see a mess of information regarding the tunnel connection. When you're finished debugging just type no debug crypto isakmp to stop the debugger. With your debugging info and your config files (show your entire configuration by typing wri t or write terminal) you can post a question on Experts Exchange and feel assured you will find a solution.
Command Line Site-Site Cheat Sheet
Technet: Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1
Cisco PIX Firewall and VPN Configuration Guide
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example
How to configure Site to Site VPN on a Cisco ASA
Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access
Information to Gather Before Proceeding
If you're setting up two new devices all you will need is the device addresses and the rest can be decided while running the configuration wizard. Both devices will need to be configured identically in regards to encryption, pre-shared key, authentication algorithms and PFS.* Note : When referring to the default settings I will be using the PIX Device Configuration Manager defaults. The ASA ASDM defaults are slightly different.
Addresses and Passwords
Peer Address(es) : we will use 200.199.199.205 local site and 201.189.199.205 at the remote site
Pre-Shared Key (password you intend to use with both devices or the existing password for the other device) : we will use presharedkey
Host(s) Internal Network Subnet : we will use 10.0.15.0 at the local site and 192.168.15.0 at the remote site
IKE Policy Data
Encryption Level : we will use the default 3DES
Authentication Algorithm : we will use the default MD5
Diffie Hellman Group (DH Group) : we will use the default Group 2 (1024-bit)
Transform Set Data or IPSec Rules
Encryption Level : we will use the default 3DES
Authentication Algorithm : we will use the default MD5
PFS : we will use no PFS settings in this configuration
Configuring Your Site-Site VPN Using the Cisco PIX Device Manager (PDM) or Cisco ASA Device Manager (ASDM)
Using the ASDM site-site VPN wizard is the simplest and fastest way to establish your link if you have little experience with the Cisco command line interface. Unlike the client VPN wizard the site-site VPN wizard actually works very well.1. Choose the VPN Type
After launching the ASDM or PDM go to the Wizards menu and choose VPN Wizard or IPSec VPN Wizard when using the ASA. The first section of the VPN wizard asks you to choose Site to Site VPN or Remote Access VPN, we are using the Site to Site VPN wizard.
2. Set Peer Address and Pre-Shared Key
Next, you'll be asked for the remote site peer address (outside interface IP of the VPN appliance) and the pre-shared key. Enter the peer address for the remote site and your existing or new pre-shared key.
3. IKE Policy Configuration
Thirdly, you'll need to choose the IKE policy information. We will use 3DES, MD5 and DH Group 2, which are the default settings in the wizard.
4. Transform Set / IPSec Rules
The fourth step asks you to choose the encryption and authentication algorithm to be used in the transform sets (IPSec rules in the ASA ASDM). Again, we will use the defaults of 3DES and MD5 (in the ASA configuration un-check the box that says Enable Perfect Forward Secrecy (PFS)).
5. Configure Host Network(s) (PIX and ASA)
The fifth step in the PIX configuration is to configure the local host internal subnet to allow traffic to from the remote site. Here we add our subnet of 10.0.15.0 and 255.255.255.0 as the mask. This will create the first part of our access control list (ACL). The fifth step in the ASA combines steps 5 and 6 in a single section as shown in the image (the 10.0.3.0/24 syntax denotes a 255.255.255.0 mask). You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
6. Configure Remote Host Subnet (PIX only)
The last section in the PIX wizard is to choose the remote host internal subnet to finish our ACL. Here, we enter 192.168.15.0 and 255.255.255.0 as the mask. After entering this information and submitting your changes to the PIX you will get a pop-up asking you to create the host/network and give it a name. We will give it the name of REMOTE_SUBNET.You will need to click the button with the double arrows pointing to the right to add it to the "selected" list before you can continue.
* NOTE: after you click finish to complete the VPN wizard you will often get errors when using the PIX. Most of the time these errors can be ignored but make a note of the errors just in case.7. Second Device Configuration Notes
After you have your first device configured (assuming you have a secondary device that is not setup for a site-site) you need to run the wizard using the settings identical to steps 2-4. The only difference in setting up the second device is choosing the peer address (the pre-shared key needs to be the same), which should be the address of the device we just configured, and the host networks. The host networks need to be exact opposites so you will need to flip-flop steps 5 and 6 when setting up the second device.
Once you've completed these steps for your second device your tunnel is ready to bring up. The tunnel will come to life as soon as traffic is initiated from one device to the other across the VPN tunnel. You can ping from one server to another and you'll likely notice the first try fails and the usually the second or third ping request will be a reply.
To see your tunnel status in the PDM go to the "Monitoring" button and choose "IPSec VPNs" under the VPN Statistics menu.
To see your tunnel status in the ASDM go to the "Monitoring" button and choose "Sessions" under the VPN Statistics menu. Within the sessions section you can filter the VPN sessions by type and choose IPSec Site-Site.
Configuring or Making Changes to a Site-Site Using the CLI
I personally believe, after the site-site has been established, making changes or updating a configuration is done much easier through the command line interface. If you need to enable PFS on the PIX, change IKE settings, change the peer...you can do this quick and easy using the CLI.The relevant PIX CLI lines for this configuration are:
Local PIX Device
name 10.0.15.0 LAN_SUBNET
name 192.168.15.0 REMOTE_SUBNET
access-list outside_cryptomap_20 permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 200.199.199.205
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 200.199.199.205 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Remote PIX Device
name 192.168.15.0 LAN_SUBNET
name 10.0.15.0 REMOTE_SUBNET
access-list outside_cryptomap_20 permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 201.189.199.205
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
The relevant ASA CLI lines for this configuration are:
Local ASA Device
name 10.0.15.0 LAN_SUBNET
name 192.168.15.0 REMOTE_SUBNET
access-list outside_1_cryptomap extended permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn_map 1 match address outside_1_cryptomap
crypto map vpn_map 1 set peer 200.199.199.205
crypto map vpn_map 1 set transform-set ESP-3DES-MD5
crypto map vpn_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 200.199.199.205 type ipsec-l2l
tunnel-group 200.199.199.205 ipsec-attributes
pre-shared-key *
Remote ASA Device
name 192.168.15.0 LAN_SUBNET
name 10.0.15.0 REMOTE_SUBNET
access-list outside_1_cryptomap extended permit ip LAN_SUBNET 255.255.255.0 REMOTE_SUBNET 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn_map 1 match address outside_1_cryptomap
crypto map vpn_map 1 set peer 201.189.199.205
crypto map vpn_map 1 set transform-set ESP-3DES-MD5
crypto map vpn_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 201.189.199.205 type ipsec-l2l
tunnel-group 201.189.199.205 ipsec-attributes
pre-shared-key *
As you can see, the local and remote configuration are virtually identical aside from the LAN_SUBNET and REMOTE_SUBNET addresses and the peer addresses. These, obviously, will have to be reversed at the remote location from the local location settings. The above configurations can be copy/pasted into a device after updating the LAN_SUBNET, REMOTE_SUBNET, peer addresses, isakmp key or pre-shared key to match your environment.
If you need to change the remote peer address for your site-site you can simply remove and add the lines with the following commands:
The following will change the peer address in the Cisco PIX from 201.189.199.205 to 201.189.199.204
no crypto map outside_map 20 set peer 201.189.199.205
crypto map outside_map 20 set peer 201.189.199.204
no isakmp key ******** address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key presharedkey address 201.189.199.204 netmask 255.255.255.255 no-xauth no-config-mode
The following will change the peer address in the Cisco ASA from 201.189.199.205 to 201.189.199.204
no crypto map vpn_map 1 set peer 201.189.199.205
crypto map vpn_map 1 set peer 201.189.199.204
clear configure tunnel-group 201.189.199.205
tunnel-group 201.189.199.204 type ipsec-l2l
tunnel-group 201.189.199.204 ipsec-attributes
pre-shared-key presharedkey
After making changes to your tunnel group you may have to run a clear isakmp sa to flush the sa keys created by the tunnel. I've found that sometimes the tunnel still refuses to come up after changes are made and have had success copying the entire isakmp policy section to my clipboard and running a clear isakmp which completely removes the isakmp policy lines. Once the lines are removed you can re-add them by pasting them back in. The lines that will be cleared are as follows:
PIX ISAKMP Policy
isakmp enable outside
isakmp key ******** address 201.189.199.205 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
ASA ISAKMP Policy
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
* Note: If you need to enable PFS just use this line on either device:
crypto map outside_map 20 set pfs group1
Basic Testing and Troubleshooting
To test the tunnel from the command line you'll need to pass traffic from a server or workstation from one end of the tunnel to the other to initiate the connection. To view the status of the tunnel you type show isakmp sa where you should receive a response that looks like this:PIX Show ISAKMP SA
Total : 1
Embryonic : 0
dst src state pending created
173.14.215.29 WAN QM_IDLE 0 1
Above QM_IDLE means the tunnel is live and functional.
ASA Show ISAKMP SA
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 201.189.199.205
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Above the MM_ACTIVE means the tunnel is live and functional.
If you are having trouble bringing your tunnel live you need to review your configuration lines and verify that every line matches up. Your transform set must use the same encryption, your hash must be identical, the DH Group must match, if you use PFS on one side it must be enabled and the same version on the other. This is the most common error when establishing a VPN tunnel. Also, don't forget your pre-shared key must be the same. If you still cannot bring the tunnel up you'll want to do some basic debugging to see the status of the tunnel. If you type debug crypto isakmp to initiate debugging mode and try to pass traffic across the tunnel you will see a mess of information regarding the tunnel connection. When you're finished debugging just type no debug crypto isakmp to stop the debugger. With your debugging info and your config files (show your entire configuration by typing wri t or write terminal) you can post a question on Experts Exchange and feel assured you will find a solution.
Links and Sources
Site-to-Site IPsec VPN Between ASA/PIX and an IOS Router Configuration ExampleCommand Line Site-Site Cheat Sheet
Technet: Configuring IPSec Tunnel Mode VPN Between ISA Server 2004 and Cisco PIX v6.3.1
Cisco PIX Firewall and VPN Configuration Guide
LAN-to-LAN Tunnel Between ASA 5505 and ASA/PIX Configuration Example
How to configure Site to Site VPN on a Cisco ASA
Out of the box configuration of a Cisco PIX 501/506e or ASA 5505/5510 with VPN Client access
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.