Verify connectivity before setting up the VPN
2651-3#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
ciscoasa(config)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ASA configuration step by step
Step 1: Classify the traffic you want to protect in the IPsec tunnel (this lab ACL matches all IP traffic).
ciscoasa(config)# access-list 100 permit ip any any
Step 2: Define the phase 1 (ISAKMP) policy.
ciscoasa(config)# crypto isakmp policy 1
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# group 5
ciscoasa(config-isakmp-policy)# encry aes
ciscoasa(config-isakmp-policy)# lifetime 86400
ciscoasa(config-isakmp-policy)# exit
Step 3: Define the pre-shared key to be used.
ciscoasa(config)# tunnel-group 192.168.1.1 type ipsec-l2l
ciscoasa(config)# tunnel-group 192.168.1.1 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key cisco
ciscoasa(config-tunnel-ipsec)# exit
Step 4: Define the transform set for the IPsec tunnel.
ciscoasa(config)# crypto ipsec transform-set myset esp-sha-hmac esp-aes
Step 5: Define the crypto map for the IPsec tunnel.
ciscoasa(config)# crypto map mymap 1 match address 100
ciscoasa(config)# crypto map mymap 1 set peer 192.168.1.1
ciscoasa(config)# crypto map mymap 1 set transform-set myset
Step 6: Apply the crypto map to the interface.
ciscoasa(config)# crypto map mymap interface inside
Step 7: Remember to enable ISAKMP on the desired interface.
ciscoasa(config)# isakmp enable inside
Router VPN configuration step by step
Step 1: Determine the traffic that needs to be protected.
2651-3(config)#access-list 100 permit ip any any
Step 2: Define the ISAKMP policy.
2651-3(config)#crypto isakmp policy 1
2651-3(config-isakmp)#hash sha
2651-3(config-isakmp)#group 5
2651-3(config-isakmp)#encryption aes 128
2651-3(config-isakmp)#lifetime 86400
2651-3(config-isakmp)#authentication pre-share
2651-3(config-isakmp)#exit
Step 3: Define the pre-shared key for ISAKMP tunnel negotiation.
2651-3(config)#crypto isakmp key 0 cisco address 192.168.1.2 255.255.255.252
Step 4: Define the transform set.
2651-3(config)#crypto ipsec transform-set myset esp-sha-hmac esp-aes 128
2651-3(cfg-crypto-trans)#exit
Step 5: Define the crypto map.
2651-3(config)#crypto map mymap 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
2651-3(config-crypto-map)#match address 100
2651-3(config-crypto-map)#set peer 192.168.1.2
2651-3(config-crypto-map)#set transform-set myset
2651-3(config-crypto-map)#exit
Step 6: Apply the crypto map to the interface.
2651-3(config)#int fa0/1
2651-3(config-if)#crypto map mymap
2651-3(config-if)#
*Sep 19 14:39:22.695: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
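Phase 1 and Phase 2 only come up if both peers propose matching parameters, and the two CLIs above spell them differently (the ASA's "encry aes" is the router's "encryption aes 128"). The following Python script is an added example, not part of the original write-up: it parses both sides' ISAKMP policy and transform set from constructed running-config text copied from the steps above, normalises the abbreviations and default key length, and reports any attribute on which the peers disagree.

```python
# Constructed sample: both peers' Phase 1 policy and transform set from this write-up, in running-config form.
ASA_CONFIG = """crypto isakmp policy 1
 hash sha
 authentication pre-share
 group 5
 encry aes
 lifetime 86400
crypto ipsec transform-set myset esp-sha-hmac esp-aes"""
IOS_CONFIG = """crypto isakmp policy 1
 hash sha
 group 5
 encryption aes 128
 lifetime 86400
 authentication pre-share
crypto ipsec transform-set myset esp-sha-hmac esp-aes 128"""
# The ASA accepts abbreviated keywords and omits the default 128-bit AES key length; normalise both.
ALIASES = {"encr": "encryption", "encry": "encryption", "auth": "authentication"}

def parse_phase1(config):
    """Return the ISAKMP policy attributes {attribute: value}; the policy ends at the next top-level command."""
    attrs, in_policy = {}, False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_policy = line.startswith("crypto isakmp policy")
        elif in_policy:
            key, *vals = line.split()
            attrs[ALIASES.get(key, key)] = "aes 128" if vals == ["aes"] else " ".join(vals)
    return attrs

def parse_transform_set(config):
    """Return the ESP transforms as a frozenset, e.g. {'esp-sha-hmac', 'esp-aes 128'}."""
    transforms = []
    for line in config.splitlines():
        if line.startswith("crypto ipsec transform-set"):
            for tok in line.split()[4:]:  # skip "crypto ipsec transform-set <name>"
                if tok.isdigit():  # a bare key length belongs to the preceding transform
                    transforms[-1] += " " + tok
                else:
                    transforms.append(tok)
    return frozenset("esp-aes 128" if t == "esp-aes" else t for t in transforms)

def mismatches(asa, ios):
    """List every Phase 1 attribute or Phase 2 transform set on which the two peers disagree."""
    p1a, p1i = parse_phase1(asa), parse_phase1(ios)
    out = [f"phase1 {k}: asa={p1a.get(k)} ios={p1i.get(k)}"
           for k in sorted(set(p1a) | set(p1i)) if p1a.get(k) != p1i.get(k)]
    ts_a, ts_i = parse_transform_set(asa), parse_transform_set(ios)
    if ts_a != ts_i:
        out.append(f"phase2 transform-set: asa={sorted(ts_a)} ios={sorted(ts_i)}")
    return out
```

For the configs shown above `mismatches(ASA_CONFIG, IOS_CONFIG)` returns an empty list; change the group or key length on one side and the offending attribute is named, which is quicker than reading ISAKMP debug output after the tunnel fails to negotiate.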
Test the tunnel
ciscoasa(config)# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
ciscoasa(config)# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2651-3#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
2651-3#sh crypto sess
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 192.168.1.2 port 500
IKE SA: local 192.168.1.1/500 remote 192.168.1.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map