This Packet Tracer lab has been provided to help you gain a better understanding of Cisco ASA security appliance. Specify the configuring and troubleshooting of the ASA Site-To-Site VPN capability. The ability to configure and troubleshoot a Site-To-Site VPN using the Cisco ASA security appliance has become an essential part of a network engineer’s job as many networks today encompass multiple sites.
The inclusion of the ASA 5505 in the latest version 6.1.1 of Cisco’s Packet Tracer has allowed students studding for Cisco certification to model networks employing basic security using the ASA. The functionality of the ASA 5505 is limited in the above version of Packet Tracer due to two factors. First there is only a basic license available, this limits the DMZ capability. Second the command set is limited; there is no IP protocol available within the access-list command only TCP, UDP and ICMP. The Nat command is limited to dynamic and static which does not allow the user to separate VPN traffic from the Nat process. Additionally the show commands are limited and there is no debug command, this limits the ability to troubleshoot issues.
Before we begin our lab we need to get a better understanding of site-to site VPNs, and why do we need them? If we have two sites that are geography separated and we need to communicate between them we have two choices. First we can purchases a dedicated line between the two sites but this is very costly. Second we can use the Internet that we already have access to and employ a VPN. A site-to-site VPN is a Virtual Private Network that allow us to tunnel through the internet creating a private network connection been our two sites.
Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. Each secure connection is called a tunnel.
The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP and IPsec accomplish the following:
- Negotiate tunnel parameters
- Establish tunnels
- Authenticate users and data
- Manage security keys
- Encrypt and decrypt data
- Manage data transfer across the tunnel
- Manage data transfer inbound and outbound as a tunnel endpoint or router
The ASA functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.
- Configure ISAKMP Policy
- Creating an IKEv1 Transform Set
- Configure an ACL for interesting traffic
- Define a Tunnel Group
- Create a Crypto Map and Apply It to an Interface
ASA SITE-TO-SITE VPN (191.1 KiB, 7,994 hits)
Packet Tracer 6.2 (54.9 MiB, 1,159 hits)
You do not have permission to download this file.