Packet Tracer lab 17 - Site to site IPSEC VPN with ASA 5505

 Last Updated: Sunday, 16 June 2019 19:51

Lab instructions
This lab will show you how to configure site-to-site IPSEC VPN using the Packet Tracer
7.2.1 ASA 5505 firewall. By default, the Cisco ASA 5505 firewall denies the traffic entering
the outside interface if no explicit ACL has been defined to allow the traffic. This default
behaviour helps protecting the enterprise network from the internet during the VPN
configuration.

Packet Tracer 7.2.1 also features the newest Cisco ASA 5506-X firewall.

In this lab, a small branch office will be securely connected to the enterprise campus over
the internet using a broadband DSL connection to demonstrate ASA 5505 site-to-site VPN
capabilities. Not dynamic routing protocol will be configured between the two sites. 

{loadposition adsense_responsive_InArticle}

 Campus addressing scheme :

 Campus IP addresses : 172.16.0.0/17

 DC : 172.16.0.0/18
 Users : 172.16.64.0/20
 DMZ : 172.16.96.0/21
 Network devices : 172.16.252.0/23
 L3 P2p links : 172.16.254.0/24
 

Branch office 1 IP subnet : 172.16.129.0/24

Enterprise internet IP addresses : 134.95.56.16/28

IPSEC VPN configuration to apply :

 ESP Encryption : AES-256

 AH hash algorithm : SHA
 Pre shared key : SHAREDSECRET
 

Network diagram
{loadposition adsense_responsive_InArticle} 

Lab download
Lab name : Lab 17 - Site to site IPSEC VPN with ASA 5505

Difficulty : Medium

Price : Free
 Link :

Solution
ASA configuration
Campus network - ASA 5505 IPSEC VPN headend device configuration .

Update 2018-05-09 : Corrected error in " crypto ipsec ikev1" command

interface Vlan1

nameif inside

security-level 100

ip address 172.16.254.254 255.255.255.252

interface Vlan2

nameif outside

security-level 0

ip address 134.95.56.17 255.255.255.240

object network BRANCH01_NETWORK

subnet 172.16.129.0 255.255.255.0

object network BRANCH_NETWORK

subnet 172.16.128.0 255.255.128.0

object network CAMPUS_NETWORK

subnet 172.16.0.0 255.255.128.0

object network PRIVATE_NETWORK

subnet 176.16.0.0 255.255.0.0

route outside 172.16.129.0 255.255.255.0 134.95.56.18 1

route inside 172.16.0.0 255.255.128.0 172.16.254.253 1

!

access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object

BRANCH01_NETWORK

access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object

BRANCH01_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK

object PRIVATE_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK

object CAMPUS_NETWORK

access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside

crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac

crypto map BRANCH1 1 match address BRANCH01_TRAFFIC

crypto map BRANCH1 1 set peer 134.95.56.18

crypto map BRANCH1 1 set security-association lifetime seconds 86400

crypto map BRANCH1 1 set ikev1 transform-set L2L

crypto map BRANCH1 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

encr aes

authentication pre-share

group 2

tunnel-group 134.95.56.18 type ipsec-l2l

tunnel-group 134.95.56.18 ipsec-attributes

ikev1 pre-shared-key SHAREDSECRET

 
The  ENTERPRISE_PRIVATE-TRAFFIC  access-group is important to allow the IP traffic through
the firewall from remote subnets to the inside subnets. The traffic wiill be blocked by the
ASA if this access-list is not configured and applied to the inside vlan interface.

Branch office n°1 - ASA 5505 remote device configuration

Update 2018-05-09 : Corrected error in " crypto ipsec ikev1" command

interface Vlan1

nameif inside

security-level 100

ip address 172.16.129.1 255.255.255.0

interface Vlan2

nameif outside

security-level 0

ip address 134.95.56.18 255.255.255.240

object network BRANCH01_NETWORK

subnet 172.16.129.0 255.255.255.0

object network BRANCH_NETWORK

subnet 172.16.128.0 255.255.128.0

object network CAMPUS_NETWORK

subnet 172.16.0.0 255.255.128.0

object network PRIVATE_NETWORK

subnet 176.16.0.0 255.255.0.0

route outside 172.16.0.0 255.255.128.0 134.95.56.17 1

access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object

CAMPUS_NETWORK

access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object

CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK
object PRIVATE_NETWORK

access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK

object BRANCH_NETWORK

access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside

crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac

crypto map BRANCH1 1 match address PRIVATE_TRAFFIC

crypto map BRANCH1 1 set peer 134.95.56.17

crypto map BRANCH1 1 set security-association lifetime seconds 86400

crypto map BRANCH1 1 set ikev1 transform-set L2L

crypto map BRANCH1 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

encr aes

authentication pre-share

group 2

tunnel-group 134.95.56.17 type ipsec-l2l

tunnel-group 134.95.56.17 ipsec-attributes

ikev1 pre-shared-key SHAREDSECRET

Check the IPSEC tunnel establishment using show

commands
Use the show crypto isakmp sa command to shows the Internet Security Association
Management Protocol (ISAKMP) security associations (SAs) which have been negociated
between the two firewalls and the show crypto ipsec sacommand to check IPSEC
security associations and monitor encrypted traffic statistics

ASA-CAMPUS-VPN#show crypto isakmp sa

IKEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 134.95.56.18

Type : L2L Role : Initiator

Rekey : no State : QM_IDLE

There are no IKEv2 SAs

ASA-CAMPUS-VPN#show crypto ipsec sa

interface: outside

Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK

local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)

remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)

current_peer 134.95.56.18

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors 0, #recv errors 0

local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0

path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500

current outbound spi: 0x6386132D(1669731117)

current inbound spi: 0x04B729EA(1669731117)

inbound esp sas:

spi: 0x04B729EA(79112682)

transform: esp-aes 256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn id: 2007, crypto map: BRANCH1

sa timing: remaining key lifetime (k/sec): (4525504/85906)

IV size: 16 bytes

replay detection support: N

Anti replay bitmap:

0x00000000 0x0000001F

outbound esp sas:

spi: 0x6386132D(1669731117)

transform: esp-aes 256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn id: 2008, crypto map: BRANCH1

sa timing: remaining key lifetime (k/sec): (4525504/85906)

IV size: 16 bytes

replay detection support: N

Anti replay bitmap:

0x00000000 0x00000001

Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

 permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK

local ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)

remote ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)

current_peer 134.95.56.18

#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors 1, #recv errors 0

local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0

path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500

current outbound spi: 0x6386132D(1669731117)

current inbound spi: 0x04B729EA(1669731117)

inbound esp sas:

spi: 0x04B729EA(79112682)

transform: esp-aes 256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn id: 2007, crypto map: BRANCH1

sa timing: remaining key lifetime (k/sec): (4525504/85906)

IV size: 16 bytes

replay detection support: N

Anti replay bitmap:

0x00000000 0x0000001F

outbound esp sas:

spi: 0x6386132D(1669731117)

transform: esp-aes 256 esp-sha-hmac no compression

in use settings ={L2L, Tunnel, }

slot: 0, conn id: 2008, crypto map: BRANCH1

sa timing: remaining key lifetime (k/sec): (4525504/85906)

IV size: 16 bytes

replay detection support: N

Anti replay bitmap:

0x00000000 0x00000001