@rdapaz
Created December 18, 2020 06:21
Configure Tunnel on ASA Firewall

Phase 1 Configuration

Configure IKE V1

ASA1(config)# crypto ikev1 policy 10 
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# encryption aes 
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 86400

Note:

  • policy 10: the lower the number, the higher the priority
  • SHA for hashing
  • Diffie-Hellman group 2
  • lifetime 86400 seconds (24 hours)

Note:

  • the keyword ikev1 may need to be isakmp on ASA versions before 8.4 (for example crypto isakmp policy 10)

Enable it on the interface:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address 

Note:

  • OUTSIDE is the name of the interface in this case
  • identity address means the ASA identifies itself to the peer by its IP address

Specify remote peer

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l

Note:

  • the IP address is the address of the remote peer, i.e. the OUTSIDE interface of the other ASA

Specify pre-shared key

ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

Configure interesting traffic

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Define Transform Set to allow peers to negotiate encryption and authentication

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

The transform set is called “MY_TRANSFORM_SET” and it specifies that we want to use ESP with 256-bit AES encryption and SHA (HMAC-SHA-1) for authentication.

Configure crypto map with phase 2 parameters

Once the transform set is configured, we need to configure a crypto map that holds all the phase 2 parameters:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
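
As an added example that is not part of the original gist, the Python below audits the finished configuration the way a reviewer would: it checks that every object the crypto map names (ACL, peer tunnel-group, transform set, IKEv1-enabled interface) is actually defined, and flags the weak phase 1 choices. The sample config is the gist's own commands with the prompts removed; the thresholds for "weak" are assumptions of this example.

```python
import re

# Constructed sample: the commands from this gist with the "ASA1(config)# " prompts removed.
ASA_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable OUTSIDE
crypto isakmp identity address
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key MY_SHARED_KEY
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE
"""

def audit_asa_ipsec(config):
    """Return findings: crypto-map references that point at nothing, plus weak phase 1 choices."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    # First capture group of every line matching a pattern, e.g. all defined ACL names.
    names = lambda pat: {m.group(1) for m in map(re.compile(pat).match, lines) if m}
    refs = [  # (crypto map line, set of objects it may legally name, description)
        (r"crypto map (\S+) \d+ match address (\S+)", names(r"access-list (\S+) "), "ACL"),
        (r"crypto map (\S+) \d+ set peer (\S+)", names(r"tunnel-group (\S+) type ipsec-l2l"), "ipsec-l2l tunnel-group for peer"),
        (r"crypto map (\S+) \d+ set ikev1 transform-set (\S+)", names(r"crypto ipsec ikev1 transform-set (\S+)"), "transform-set"),
        (r"crypto map (\S+) interface (\S+)", names(r"crypto ikev1 enable (\S+)"), "IKEv1-enabled interface"),
    ]
    findings = []
    for l in lines:
        for pattern, defined, what in refs:
            m = re.match(pattern, l)
            if m and m.group(2) not in defined:
                findings.append(f"crypto map {m.group(1)}: {what} {m.group(2)} is not defined")
        if m := re.match(r"group (\d+)$", l):
            if int(m.group(1)) < 14:  # assumption: MODP groups below 2048 bits are treated as weak
                findings.append(f"phase 1 uses DH group {m.group(1)}; prefer group 14 or stronger if the peer supports it")
        elif l == "hash sha":
            findings.append("phase 1 integrity is SHA-1 (IKEv1 policy offers only md5/sha); SHA-2 needs IKEv2")
    return findings
```

Run against the gist's config it reports no dangling references and two weak-algorithm findings (group 2 and SHA-1); a mistyped peer address or a forgotten crypto ikev1 enable shows up as a missing-object finding.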