CCIE Security: Site-to-Site ASA VPN

In this post, I'll be configuring site-to-site VPN with ASA as peers. This post won't be a very long one because the configuration is almost identical to configuring it on a router using crypto maps with some slight syntax changes. 

When you are building the site-to-site VPN configuration, remember what is needed for each phase.

Phase 1

This is where the bidirectional ISAKMP channel is created for negotiation. The first thing you should create is the policy. A policy should contain the following at the very least:

  • Authentication method
  • Encryption algorithm
  • Hash algorithm 
  • Diffie-Hellman group


We define these in a crypto ISAKMP policy like below:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 1800

Next, we will want to specify the ISAKMP peer and the key to use to establish that ISAKMP tunnel:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
ikev1 pre-shared-key cisco123

At this point, you've completed the basic configuration needed for Phase 1.

Let's move onto the Phase 2.


Phase 2

The purpose of this phase is to establish the two unidirectional channels between the peers (IPSec SAs) so data can be sent securely. In order for these channels to be established, the following is required:

  1. Encryption algorithm
  2. Hash algorithm
  3. Define what the "interesting" traffic is which should be encrypted (Proxy ID)
  4. Define who the peer is 
  5. Apply the crypto to an interface


To define the first two requirements, you would create an IPSec transform set where you would define your encryption and hash algorithms:

cyrpto ipsec ikev1 transform-set <tset-name> esp-aes esp-sha-hmac

We can also configure the IPSec security association lifetime at this point

crypto ipsec security-association lifetime seconds 1800



For the next requirement, we will define the interesting traffic in an access-list. This is basically what traffic should be encrypted and passed through the VPN. You would specify the local subnet and the remote subnet.

access-list 101 permit ip


We will then tie together all of the requirements 1 through 4 in something called a crypto map which will then be applied to an interface. Then enable IKEv1 on the interface the crypto map will be applied on.

crypto map <map-name> <num> set ikev1 transform-set <tset-name>
crypto map <map-name> <num> set peer <peer-ip>
crypto map <map-name> <num> match address 101
crypto ikev1 enable <interface-nameif>

Finally, we will the crypto map which ties together all the elements in our IPSec configuration and apply that to an interface

crypto map <map-name> interface <interface-nameif>


At this point, we'll want to verify that the VPN is working. If there isn't traffic going over the tunnel, you're not going to initially see anything. If you issue a show crypto ipsec sa or show crypto isakmp sa, you will initially see nothing in the output:

To establish the VPN, we're initiate traffic from one side of the tunnel to the other. It should come up after the first ping. If you issue the above show commands again, you'll see the IPSec and ISAKMP SAs.

The debug commands on the ASA have a slightly different syntax than IOS. The two debugs you will usually find yourself using are debug crypto ikev1 <debug level> and debug crypto ipsec <debug level>. Since the IPSec process is the same under the hood, you'd still be troubleshooting Main Mode and Quick Mode messages and looking for the same things regardless of the syntax.