ASA Site-To-Site VPN Packet Tracer Lab

This Packet Tracer lab has been provided to help you gain a better understanding of the Cisco ASA security appliance, specifically configuring and troubleshooting its Site-To-Site VPN capability. The ability to configure and troubleshoot a Site-To-Site VPN using the Cisco ASA security appliance has become an essential part of a network engineer's job, as many networks today encompass multiple sites.

The inclusion of the ASA 5505 in the latest version, 6.1.1, of Cisco's Packet Tracer has allowed students studying for Cisco certification to model networks employing basic security using the ASA. The functionality of the ASA 5505 in this version of Packet Tracer is limited by two factors. First, only a basic license is available, which limits the DMZ capability. Second, the command set is limited: the access-list command offers no IP protocol keyword, only TCP, UDP and ICMP, and the NAT command supports only dynamic and static translation, so the user cannot separate VPN traffic from the NAT process. Additionally, the show commands are limited and there is no debug command, which limits the ability to troubleshoot issues.

Before we begin our lab we need a better understanding of site-to-site VPNs and why we need them. If we have two sites that are geographically separated and need to communicate between them, we have two choices. First, we can purchase a dedicated line between the two sites, but this is very costly. Second, we can use the Internet that we already have access to and employ a VPN. A site-to-site VPN is a Virtual Private Network that allows us to tunnel through the Internet, creating a private network connection between our two sites.

Tunneling makes it possible to use a public TCP/IP network, such as the Internet, to create secure connections between remote users and a private corporate network. Each secure connection is called a tunnel.

The ASA uses the ISAKMP and IPsec tunneling standards to build and manage tunnels. ISAKMP and IPsec accomplish the following:

  • Negotiate tunnel parameters
  • Establish tunnels
  • Authenticate users and data
  • Manage security keys
  • Encrypt and decrypt data
  • Manage data transfer across the tunnel
  • Manage data transfer inbound and outbound as a tunnel endpoint or router

The ASA functions as a bidirectional tunnel endpoint. It can receive plain packets from the private network, encapsulate them, create a tunnel, and send them to the other end of the tunnel where they are unencapsulated and sent to their final destination. It can also receive encapsulated packets from the public network, unencapsulate them, and send them to their final destination on the private network.

Learning Objectives:

  • Configure ISAKMP Policy
  • Create an IKEv1 Transform Set
  • Configure an ACL for interesting traffic
  • Define a Tunnel Group
  • Create a Crypto Map and Apply It to an Interface
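The five objectives above map onto one ASA configuration. The following is an added example for one side of the tunnel, not the lab's own config file; all addresses, object and map names and the key are constructed placeholders. It uses the ASA 8.4-style `ikev1` syntax, and it also goes beyond what Packet Tracer supports by including the NAT exemption (identity NAT) a real ASA needs so that LAN-to-LAN traffic is not translated before it is matched against the interesting-traffic ACL.

```cisco
! Site A (ASA-A). Constructed addresses: outside 203.0.113.1, LAN 192.168.1.0/24
! Peer (ASA-B): outside 198.51.100.1, LAN 192.168.2.0/24
!
! 1. ISAKMP (IKEv1 phase 1) policy, enabled on the outside interface
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 2. IKEv1 transform set (IPsec phase 2 proposal); must match the peer's
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! 3. Interesting traffic: the LAN-to-LAN flows that get encrypted.
!    A real ASA accepts "permit ip"; the page notes Packet Tracer only offers
!    tcp/udp/icmp here, so in the lab add one entry per protocol you test.
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! 4. Tunnel group keyed by the peer's outside address, holding the pre-shared key
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! 5. Crypto map entry: ACL, peer and transform set are all required; leaving one
!    out produces "WARNING: crypto map has incomplete entries" and no tunnel.
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! NAT exemption (real ASA 8.3+ only; not available in Packet Tracer as the page
! notes): identity NAT so VPN traffic keeps its real addresses and still matches
! VPN-TRAFFIC even when the LAN is PAT'd to the Internet for ordinary browsing.
object network LAN-A
 subnet 192.168.1.0 255.255.255.0
object network LAN-B
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static LAN-A LAN-A destination static LAN-B LAN-B no-proxy-arp route-lookup
!
! Site B mirrors this with the roles swapped: ACL 192.168.2.0 -> 192.168.1.0,
! tunnel-group and set peer 203.0.113.1, same policy, transform set and key.
```

After sending traffic that matches the ACL from one LAN to the other, `show crypto isakmp sa` should report the peer in state QM_IDLE and `show crypto ipsec sa` should show encaps and decaps counters climbing on both sides; counters that climb on one side only usually point to a mismatched ACL or a NAT rule translating the traffic before the crypto map sees it.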

  ASA SITE-TO-SITE VPN (191.1 KiB, 13,967 hits)

  Packet Tracer 6.2 (54.9 MiB, 1,328 hits)

7 Responses to “ASA Site-To-Site VPN Packet Tracer Lab”

  1. Fabian says:

    Hello,

    Thanks for the lab, I keep getting this error though:

    WARNING: crypto map has incomplete entries.
    I’ve copied and pasted your config and still getting this error. Can you help?

    Thanks

  2. loza10 says:

    How can we configure NAT exemption so we can still get out to the internet (freeccnalab.com webserver) and also still use the vpn? Every time I configure NAT rules, the VPN breaks because it doesn’t match the interesting traffic anymore.

  3. ctusa2003am says:

    Hi,
    I downloaded the above site to site VPN config but do not see that the configuration has any VPN-specific statements.
    Maybe I am missing something. Please let me know if I am not reading it right.
    Thanks,
    Ashok

  4. gusmaof says:

    Hello,

    I already configured a site to site VPN with a Cisco ASA firewall; when I show crypto isakmp sa

    Site A

    Total IKE SA: 1
    1 IKE Peer: 180.189.170.1
    Type : L2L Role : Initiator
    Rekey : no State : QM_IDLE

    Site B

    Total IKE SA: 1
    1 IKE Peer: 180.189.160.1
    Type : L2L Role : responder
    Rekey : no State : QM_IDLE

    and show crypto ipsec sa

    Site A

    ciscoasa#show crypto ipsec sa

    interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr 180.189.160.1

    permit ip object Local-Network object Remote-Network
    local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.224/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.224/0/0)
    current_peer 180.189.170.1
    #pkts encaps: 11, #pkts encrypt: 11, #pkts digest: 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors 1, #recv errors 0

    local crypto endpt.: 180.189.160.1/0, remote crypto endpt.:180.189.170.1/0
    path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
    current outbound spi: 0x70D77232(1893167666)
    current inbound spi: 0x57640822(1893167666)

    inbound esp sas:
    spi: 0x57640822(1466173474)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn id: 2006, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4525504/3476)
    IV size: 16 bytes
    replay detection support: N
    Anti replay bitmap:
    0x00000000 0x0000001F
    outbound esp sas:
    spi: 0x70D77232(1893167666)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn id: 2007, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4525504/3476)
    IV size: 16 bytes
    replay detection support: N
    Anti replay bitmap:
    0x00000000 0x00000001

    ciscoasa#

    Site B

    interface: outside
    Crypto map tag: outside_map, seq num: 20, local addr 180.189.170.1

    permit ip object Local_Network object Remote_Network
    local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.224/0/0)
    remote ident (addr/mask/prot/port): (172.16.10.0/255.255.255.224/0/0)
    current_peer 180.189.160.1
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 0
    #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 180.189.170.1/0, remote crypto endpt.:180.189.160.1/0
    path mtu 1500, ip mtu, ipsec overhead 78, media mtu 1500
    current outbound spi: 0x57640822(1466173474)
    current inbound spi: 0x70D77232(1466173474)

    inbound esp sas:
    spi: 0x70D77232(1893167666)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn id: 2006, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4525504/3439)
    IV size: 16 bytes
    replay detection support: N
    Anti replay bitmap:
    0x00000000 0x0000001F
    outbound esp sas:
    spi: 0x57640822(1466173474)
    transform: esp-3des esp-md5-hmac no compression
    in use settings ={L2L, Tunnel, }
    slot: 0, conn id: 2007, crypto map: outside_map
    sa timing: remaining key lifetime (k/sec): (4525504/3439)
    IV size: 16 bytes
    replay detection support: N
    Anti replay bitmap:
    0x00000000 0x00000001

    ciscoasa#

    But I cannot ping from Site A to Site B.

    Can anyone help me with this question?

    Thanks,
    Ferdinandos M. Gusmao

  5. dialloniger says:

    Hello,
    Thanks for the Lab, it has helped me a lot.

  6. dialloniger says:

    Thanks for the Lab
