Packet Tracer lab 17 - Site to site IPSEC VPN with ASA 5505

: Last Updated: 09 December 2023

Lab instructions

This lab will show you how to configure site-to-site IPSEC VPN using the Packet Tracer 8.2 ASA 5505 firewall. By default, the Cisco ASA 5505 firewall denies the traffic entering the outside interface if no explicit ACL has been defined to allow the traffic. This default behaviour helps protecting the enterprise network from the internet during the VPN configuration.

Packet Tracer 8.2 also features the newest Cisco ASA 5506-X firewall.

In this lab, a small branch office will be securely connected to the enterprise campus over the internet using a broadband DSL connection to demonstrate ASA 5505 site-to-site VPN capabilities. Not dynamic routing protocol will be configured between the two sites.

Campus addressing scheme :

Campus IP addresses : 172.16.0.0/17
DC : 172.16.0.0/18
Users : 172.16.64.0/20
DMZ : 172.16.96.0/21
Network devices : 172.16.252.0/23
L3 P2p links : 172.16.254.0/24

Branch office 1 IP subnet : 172.16.129.0/24

Enterprise internet IP addresses : 134.95.56.16/28

IPSEC VPN configuration to apply :

ESP Encryption : AES-256
AH hash algorithm : SHA
Pre shared key : SHAREDSECRET

Network diagram

Packet Tracer 7.1 lab 17 - ASA 5505 site to site IPSEC VPN network diagram

Lab download

Lab name :	Lab 17 - Site to site IPSEC VPN with ASA 5505
Difficulty :	Medium
Price :	Free
Link :

Solution

ASA configuration

Campus network - ASA 5505 IPSEC VPN headend device configuration .

Update 2018-05-09 : Corrected error in "crypto ipsec ikev1" command

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.254.254 255.255.255.252
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.95.56.17 255.255.255.240
!
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 176.16.0.0 255.255.0.0
!
route outside 172.16.129.0 255.255.255.0 134.95.56.18 1
route inside 172.16.0.0 255.255.128.0 172.16.254.253 1
!
access-list BRANCH01_TRAFFIC extended permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list BRANCH01_TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object BRANCH_NETWORK object CAMPUS_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map BRANCH1 1 match address BRANCH01_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.18
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 134.95.56.18 type ipsec-l2l
tunnel-group 134.95.56.18 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
!

The ENTERPRISE_PRIVATE-TRAFFIC access-group is important to allow the IP traffic through the firewall from remote subnets to the inside subnets. The traffic wiill be blocked by the ASA if this access-list is not configured and applied to the inside vlan interface.

Branch office n°1 - ASA 5505 remote device configuration

Update 2018-05-09 : Corrected error in "crypto ipsec ikev1" command

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.129.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 134.95.56.18 255.255.255.240
!
object network BRANCH01_NETWORK
 subnet 172.16.129.0 255.255.255.0
object network BRANCH_NETWORK
 subnet 172.16.128.0 255.255.128.0
object network CAMPUS_NETWORK
 subnet 172.16.0.0 255.255.128.0
object network PRIVATE_NETWORK
 subnet 176.16.0.0 255.255.0.0
!
route outside 172.16.0.0 255.255.128.0 134.95.56.17 1
!
access-list PRIVATE_TRAFFIC extended permit tcp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list PRIVATE_TRAFFIC extended permit icmp object BRANCH01_NETWORK object CAMPUS_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit tcp object PRIVATE_NETWORK object PRIVATE_NETWORK
access-list ENTERPRISE_PRIVATE-TRAFFIC extended permit icmp object CAMPUS_NETWORK object BRANCH_NETWORK
!
!
access-group ENTERPRISE_PRIVATE-TRAFFIC out interface inside
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map BRANCH1 1 match address PRIVATE_TRAFFIC
crypto map BRANCH1 1 set peer 134.95.56.17
crypto map BRANCH1 1 set security-association lifetime seconds 86400
crypto map BRANCH1 1 set ikev1 transform-set L2L
crypto map BRANCH1 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 134.95.56.17 type ipsec-l2l
tunnel-group 134.95.56.17 ipsec-attributes
 ikev1 pre-shared-key SHAREDSECRET
!

Check the IPSEC tunnel establishment using show commands

Use the show crypto isakmp sa command to shows the Internet Security Association Management Protocol (ISAKMP) security associations (SAs) which have been negociated between the two firewalls and the show crypto ipsec sa command to check IPSEC security associations and monitor encrypted traffic statistics


ASA-CAMPUS-VPN#show crypto isakmp sa 

IKEv1 SAs:

  Active SA: 1
  Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1
1   IKE Peer: 134.95.56.18
    Type    : L2L             Role    : Initiator
    Rekey   : no              State   : QM_IDLE

There are no IKEv2 SAs

 

ASA-CAMPUS-VPN#show crypto ipsec sa

interface: outside
    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

      permit tcp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local  ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/6/0)
      remote  ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/6/0)
      current_peer 134.95.56.18
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 0, #recv errors 0

      local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78,  media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(1669731117)

     inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
     outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: BRANCH1, seq num: 1, local addr 134.95.56.17

      permit icmp object CAMPUS_NETWORK object BRANCH01_NETWORK
      local  ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/1/0)
      remote  ident (addr/mask/prot/port): (172.16.129.0/255.255.255.0/1/0)
      current_peer 134.95.56.18
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors 1, #recv errors 0

      local crypto endpt.: 134.95.56.17/0, remote crypto endpt.:134.95.56.18/0
      path mtu 1500, ip mtu, ipsec overhead 78,  media mtu 1500
      current outbound spi: 0x6386132D(1669731117)
      current inbound spi: 0x04B729EA(1669731117)

     inbound esp sas:
      spi: 0x04B729EA(79112682)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2007, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x0000001F
     outbound esp sas:
      spi: 0x6386132D(1669731117)
         transform: esp-aes 256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn id: 2008, crypto map: BRANCH1
         sa timing: remaining key lifetime (k/sec): (4525504/85906)
         IV size: 16 bytes
         replay detection support: N
         Anti replay bitmap:
          0x00000000 0x00000001

Packet Tracer lab 17 - Site to site IPSEC VPN with ASA 5505

Lab instructions

Read next :

Lab 4 - Port security

Download Cisco Packet Tracer 8.2.2 & GNS3

Cisco Packet Tracer 8.2.2 labs

Lab 16 - Clientless SSL VPN (WebVPN) with ASA 5505

Lab 18 - DMZ configuration with ASA 5506-X

Network diagram

Lab download

Solution

ASA configuration

Check the IPSEC tunnel establishment using show commands