Step 1: Configure Phase 1 and Phase 2 In ASA of both sides
Phase 1: IKE policy
In Phase 1, single bi-directional SA (Security Association) is created between VPN peers and is a control channel for Phase-1 keepalives, DH-Key Calculation and Phase-2 SA creation and rekey.
ciscoasa(config)# crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)# encryption 3des
ciscoasa(config-ikev1-policy)# hash sha
ciscoasa(config-ikev1-policy)# group 2
ciscoasa(config-ikev1-policy)# lifetime 86400ciscoasa(config)# crypto ikev1 enable outside
Use this command to view the phase 1 policies configured in Cisco ASA firewall.
ciscoasa#show run crypto isakmp
Phase 2: IPSec proposal
Two unidirectional Security Associations are created for each pair of security identities, which encrypt or decrypt traffic.
ciscoasa(config)# crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
Use this command to view the phase 2 policies configured in Cisco ASA firewall.
ciscoasa# show run crypto ipsec
$2.75 per monthStep 2: Configure In ASA of India network
Network Objects and ACL
ciscoasa(config)# object-group network india_network
ciscoasa(config-network-object)# network-object 10.10.10.0 255.255.255.0ciscoasa(config)# object-group network singapore_network
ciscoasa(config-network-object)# network-object 192.168.1.0 255.255.255.0ciscoasa(config)# nat (inside,outside) source static india_network india_network destination static singapore_network singapore_network
ciscoasa(config)# access-list ind_sin_acl extended permit ip object-group india_network object-group singapore_network
Cryptomap
ciscoasa(config)# crypto map outside_map 5 match address ind_sin_acl
ciscoasa(config)# crypto map outside_map 5 set peer 2.2.2.2
ciscoasa(config)# crypto map outside_map 5 set ikev1 transform-set ESP-3DES-MD5ciscoasa(config)# crypto map outside_map interface outside
Optional
When pfs is enabled, default is group2.
ciscoasa(config)# crypto map outside_map 5 set pfs group2
Defaults
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
Use this command to view the crypto map configured in Cisco ASA firewall.
ciscoasa# show run crypto map
Group Policy and Tunnel Interface
Create a Group policy for ikev1 vpn protocol and assign to tunnel interface.
ciscoasa(config)# group-policy GrpPolicy-2.2.2.2 internal
ciscoasa(config)# group-policy GrpPolicy-2.2.2.2 attributes
ciscoasa(config)# vpn-tunnel-protocol ikev1ciscoasa(config)# tunnel-group 2.2.2.2 type ipsec-l2l
ciscoasa(config)# tunnel-group 2.2.2.2 ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key cisco
ciscoasa(config)# tunnel-group 2.2.2.2 general-attributes
ciscoasa(config)# default-group-policy GrpPolicy-2.2.2.2
Use this command to view the group policy and tunnel interfaces configured in Cisco ASA firewall.
ciscoasa# show run all group-policy GrpPolicy-2.2.2.2
ciscoasa# show run all tunnel-group 2.2.2.2
Step 3: In ASA of Singapore network
object-group network india_network
network-object 10.10.10.0 255.255.255.0object-group network singapore_network
network-object 192.168.1.0 255.255.255.0nat (inside,outside) source static singapore_network singapore_network destination static india_network india_network
access-list sin_ind_acl extended permit ip object-group singapore_network object-group india_networkcrypto map outside_map 1 match address ind_sin_acl
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map interface outsidegroup-policy GrpPolicy-1.1.1.1 internal
group-policy GrpPolicy-1.1.1.1 attributes
vpn-tunnel-protocol ikev1tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key cisco
tunnel-group 1.1.1.1 general-attributes
default-group-policy GrpPolicy-1.1.1.1
