This Packet Tracer lab has been provided to help you gain a better understanding of Cisco ASA security appliance. Specify the configuring and troubleshooting of the ASA Site-To-Site VPN capability. The ability to configure and troubleshoot a Site-To-Site VPN using the Cisco ASA security appliance has become an essential part of a network engineer’s job as many networks today encompass multiple sites.
The inclusion of the ASA 5505 in the latest version 6.1.1 of Cisco’s Packet Tracer has allowed students studding for Cisco certification to model networks employing basic security using the ASA. The functionality of the ASA 5505 is limited in the above version of Packet Tracer due to two factors. First there is only a basic license available, this limits the DMZ capability. Second the command set is limited; there is no IP protocol available within the access-list command only TCP, UDP and ICMP. The Nat command is limited to dynamic and static which does not allow the user to separate VPN traffic from the Nat process. Additionally the show commands are limited and there is no debug command, this limits the ability to troubleshoot issues.
Before we begin our lab we need to get a better understanding of site-to site VPNs, and why do we need them? If we have two sites that are geography separated and we need to communicate between them we have two choices. First we can purchases a dedicated line between the two sites but this is very costly. Second we can use the Internet that we already have access to and employ a VPN. A site-to-site VPN is a Virtual Private Network that allow us to tunnel through the internet creating a private network connection been our two sites.
Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. Each secure connection is called a tunnel.
The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP and IPsec accomplish the following:
- Negotiate tunnel parameters
- Establish tunnels
- Authenticate users and data
- Manage security keys
- Encrypt and decrypt data
- Manage data transfer across the tunnel
- Manage data transfer inbound and outbound as a tunnel endpoint or router
The ASA functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
Learning Objectives:
- Configure ISAKMP Policy
- Creating an IKEv1 Transform Set
- Configure an ACL for interesting traffic
- Define a Tunnel Group
- Create a Crypto Map and Apply It to an Interface
ASA SITE-TO-SITE VPN (191.1 KiB, 13,967 hits)
Packet Tracer 6.2 (54.9 MiB, 1,328 hits)
You do not have permission to download this file.
Posted in 
Tags:
Hello,
Thanks for lab, I keep getting this error though:
WARNING: crypto map has incomplete entries.
I’ve copied and pasted your config and still getting this error. Can you help?
Thanks
This is a known issue in Packet Tracer but it still work, it is only a warning.
How can we configure NAT exemption so we can still get out to the internet (freeccnalab.com webserver) and also still use the vpn? Every time I configure NAT rules, the VPN breaks because it doesn’t match the interesting traffic anymore.
Hi,
I downloaded the above site to site vpn config but do not see the configuration has any VPN specific statements.
Maybe I am missing something.Please let me know, if I am not reading it right.
Thanks,
Ashok
Hello,,
I allready configure site to site VPN with cisco ASA firewal, when I show crypto isakmp sa
Site A
Total IKE SA: 1
1 IKE Peer: 180.189.170.1
Type : L2L Role : Initiator
Rekey : no State : QM_IDLE
Site B
Total IKE SA: 1
1 IKE Peer: 180.189.160.1
Type : L2L Role : responder
Rekey : no State : QM_IDLE
and show crypto ipsec sa
Site A
ciscoasa#show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr 180.189.160.1
permit ip object Local-Network object Remote-Network
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.224/0/0)
current_peer 180.189.170.1
#pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors 1, #recv errors 0
local crypto endpt.: 180.189.160.1/0, remote crypto endpt.:180.189.170.1/0
path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
current outbound spi: 0x70D77232(1893167666)
current inbound spi: 0x57640822(1893167666)
inbound esp sas:
spi: 0x57640822(1466173474)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2006, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4525504/3476)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x70D77232(1893167666)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2007, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4525504/3476)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa#
Site B
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr 180.189.170.1
permit ip object Local_Network object Remote_Network
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.224/0/0)
current_peer 180.189.160.1
#pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 0
#pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors 0, #recv errors 0
local crypto endpt.: 180.189.170.1/0, remote crypto endpt.:180.189.160.1/0
path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
current outbound spi: 0x57640822(1466173474)
current inbound spi: 0x70D77232(1466173474)
inbound esp sas:
spi: 0x70D77232(1893167666)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2006, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4525504/3439)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x57640822(1466173474)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn id: 2007, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4525504/3439)
IV size: 16 bytes
replay detection support: N
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa#
But I Can not ping from Site A to Site B.
Any one help me about this question..???
Thanks,
Ferdinandos M. Gusmao
Hello,
Thanks for the Lab its help me a lot.
Thanks for the Lab