Scenario: Site-to-Site VPN Configuration

This document provides step-by-step instructions for using the ASDM VPN Wizard to configure a site-to-site VPN between two security appliances. It describes providing information about the remote VPN peer, configuring IKE and IPsec policies, specifying the hosts and networks allowed to use the tunnel, and completing the wizard. The goal is to establish an encrypted VPN tunnel between the two appliances so that the networks at each site can communicate securely.

Chapter 4

Scenario: Site-to-Site VPN Configuration


This chapter describes how to use the security appliance to create a site-to-site VPN. Site-to-site VPN features provided by the security appliance enable businesses to extend their networks across low-cost public Internet connections to business partners and remote offices worldwide while maintaining their network security. A VPN connection enables you to send data from one location to another over a secure connection, or tunnel, first by authenticating both ends of the connection, and then by automatically encrypting all data sent between the two sites. This chapter includes the following sections:

Example Site-to-Site VPN Network Topology, page 4-1
Implementing the Site-to-Site Scenario, page 4-2
Configuring the Other Side of the VPN Connection, page 4-13
What to Do Next, page 4-13

Example Site-to-Site VPN Network Topology


Figure 4-1 shows an example VPN tunnel between two security appliances.

PIX 515E Security Appliance Getting Started Guide 78-17645-01

4-1


Figure 4-1 Network Layout for Site-to-Site VPN Configuration Scenario

[Figure: Site A, Security Appliance 1, Inside 10.10.10.0, Outside 209.165.200.226; Internet; Site B, Security Appliance 2, Outside 209.165.200.236, Inside 10.20.20.0]

Creating a VPN site-to-site deployment such as the one in Figure 4-1 requires you to configure two security appliances, one on each side of the connection.

Implementing the Site-to-Site Scenario


This section describes how to configure the security appliance in a site-to-site VPN deployment, using example parameters from the scenario shown in Figure 4-1. This section includes the following topics:

Information to Have Available, page 4-2
Configuring the Site-to-Site VPN, page 4-3

Information to Have Available


Before you begin the configuration procedure, gather the following information:

IP address of the remote security appliance peer
IP addresses of local hosts and networks permitted to use the tunnel to communicate with resources on the remote site
IP addresses of remote hosts and networks permitted to use the tunnel to communicate with local resources


Configuring the Site-to-Site VPN


This section describes how to use the ASDM VPN Wizard to configure the security appliance for a site-to-site VPN. This section includes the following topics:

Starting ASDM, page 4-3
Configuring the Security Appliance at the Local Site, page 4-4
Providing Information About the Remote VPN Peer, page 4-6
Configuring the IKE Policy, page 4-7
Configuring IPsec Encryption and Authentication Parameters, page 4-9
Specifying Hosts and Networks, page 4-10
Viewing VPN Attributes and Completing the Wizard, page 4-11

The following sections provide detailed instructions for how to perform each configuration step.

Starting ASDM
To run ASDM in a web browser, enter the factory default IP address in the address field: https://192.168.1.1/admin/.

Note

Remember to add the s in https or the connection fails. HTTPS (HTTP over SSL) provides a secure connection between your browser and the security appliance.

The Main ASDM window appears.


Configuring the Security Appliance at the Local Site


Note

The security appliance at the first site is referred to as Security Appliance 1 from this point forward.

To configure Security Appliance 1, perform the following steps:

Step 1

In the main ASDM window, choose the VPN Wizard option from the Wizards drop-down menu. ASDM opens the first VPN Wizard screen.


In Step 1 of the VPN Wizard, perform the following steps:

a. Click the Site-to-Site VPN radio button.

Note

The Site-to-Site VPN option connects two IPsec security gateways, which can include security appliances, VPN concentrators, or other devices that support site-to-site IPsec connectivity.

b. From the drop-down list, choose Outside as the enabled interface for the current VPN tunnel.

c. Click Next to continue.


Providing Information About the Remote VPN Peer


The VPN peer is the system on the other end of the connection that you are configuring, usually at a remote site.

Note

In this scenario, the remote VPN peer is referred to as Security Appliance 2 from this point forward.

In Step 2 of the VPN Wizard, perform the following steps:

Step 1

Enter the Peer IP Address (the IP address of Security Appliance 2, in this scenario 209.165.200.236) and a Tunnel Group Name (for example Cisco).

Step 2

Specify the type of authentication that you want to use by performing one of the following steps:

To use a static preshared key for authentication, click the Pre-Shared Key radio button and enter a preshared key (for example, Cisco). This key is used for IPsec negotiations between the security appliances.

Note

When you configure Security Appliance 2 at the remote site, the VPN peer is Security Appliance 1. Be sure to enter the same preshared key (Cisco) that you use here.

To use challenge/response authentication, click the Challenge/Response Authentication radio button.

To use digital certificates for authentication, click the Certificate radio button, choose the Certificate Signing Algorithm from the drop-down list, and then choose a preconfigured trustpoint name from the drop-down list. If you want to use digital certificates for authentication but have not yet configured a trustpoint name, you can continue with the Wizard by using one of the other two options. You can revise the authentication configuration later using the standard ASDM screens.


Step 3

Click Next to continue.

Configuring the IKE Policy


IKE is a negotiation protocol that includes an encryption method to protect data and ensure privacy, and an authentication method to ensure the identity of the peers. In most cases, the ASDM default values are sufficient to establish secure VPN tunnels between two peers. In Step 3 of the VPN Wizard, perform the following steps:

Step 1

Choose the encryption algorithm (DES/3DES/AES), the authentication algorithm (MD5/SHA), and the Diffie-Hellman group (1/2/5) that the security appliance uses when negotiating the IKE security association.

Note

When configuring Security Appliance 2, enter the exact values for each of the options that you chose for Security Appliance 1. Encryption mismatches are a common cause of VPN tunnel failures and can slow down the process.

Step 2

Click Next to continue.


Configuring IPsec Encryption and Authentication Parameters


In Step 4 of the VPN Wizard, perform the following steps:

Step 1

Choose the Encryption algorithm (DES/3DES/AES) and authentication algorithm (MD5/SHA) from the drop-down lists.

Step 2

Click Next to continue.


Specifying Hosts and Networks


Identify hosts and networks at the local site that are permitted to use this IPsec tunnel to communicate with the remote-site peer. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively. In the current scenario, traffic from Network A (10.10.10.0) is encrypted by Security Appliance 1 and transmitted through the VPN tunnel.

In addition, identify hosts and networks at the remote site that are allowed to use this IPsec tunnel to access local hosts and networks. Add or remove hosts and networks dynamically by clicking Add or Delete, respectively. In this scenario, for Security Appliance 1, the remote network is Network B (10.20.20.0), so encrypted traffic from this network is permitted through the tunnel.

In Step 5 of the VPN Wizard, perform the following steps:

Step 1

In the Source area, choose IP Address from the Type drop-down list.

Step 2

Enter the local IP address and netmask in the IP Address and Netmask fields.

Step 3

In the Destination area, choose IP Address from the Type drop-down list.

Step 4

Enter the IP address and Netmask for the remote host or network.


Step 5

Click Next to continue.

Viewing VPN Attributes and Completing the Wizard


In Step 6 of the VPN Wizard, review the configuration list for the VPN tunnel you just created. If you are satisfied with the configuration, click Finish to apply the changes to the security appliance.


Step 6

If you want the configuration changes to be saved to the startup configuration so that they are applied the next time the device starts, from the File menu, click Save. Alternatively, ASDM prompts you to save the configuration changes permanently when you exit ASDM. If you do not save the configuration changes, the old configuration takes effect the next time the device starts.

This concludes the configuration process for Security Appliance 1.


Configuring the Other Side of the VPN Connection


You have just configured the local security appliance. Now you need to configure the security appliance at the remote site. At the remote site, configure the second security appliance to serve as a VPN peer. Use the procedure you used to configure the local security appliance, starting with the Configuring the Security Appliance at the Local Site section on page 4-4 and finishing with the Viewing VPN Attributes and Completing the Wizard section on page 4-11.

Note

When configuring Security Appliance 2, enter the exact same values for each of the options that you selected for Security Appliance 1. Mismatches are a common cause of VPN configuration failures.
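The Notes in this chapter stress that every value entered on Security Appliance 2 must match or mirror what was entered on Security Appliance 1. The following Python script is an added example, not code from the Cisco guide: it models the wizard inputs for both appliances using constructed values from Figure 4-1 and reports anything that would not agree, plus any of the DES, MD5 or Diffie-Hellman group 1 options that the wizard offers but that are no longer considered strong. The /24 netmasks, the 3DES/SHA/group 2 selections, and the class and field names are this example's assumptions.

```python
from dataclasses import dataclass

# Values below are constructed from the chapter's scenario (Security Appliance 1 at
# Site A, Security Appliance 2 at Site B); field names and /24 masks are assumptions.
@dataclass(frozen=True)
class SiteToSiteVpn:
    outside_ip: str         # address of this appliance's Outside interface
    peer_ip: str            # Peer IP Address entered in Wizard Step 2
    pre_shared_key: str     # Pre-Shared Key entered in Wizard Step 2
    ike: tuple              # (encryption, hash, DH group) chosen in Wizard Step 3
    ipsec: tuple            # (encryption, authentication) chosen in Wizard Step 4
    local_nets: frozenset   # Source hosts/networks entered in Wizard Step 5
    remote_nets: frozenset  # Destination hosts/networks entered in Wizard Step 5

def mismatches(a, b):
    """Settings that must agree (or mirror) between peers; any hit stops the tunnel."""
    found = []
    if a.peer_ip != b.outside_ip or b.peer_ip != a.outside_ip:
        found.append("peer IP addresses do not point at each other's Outside interface")
    if a.pre_shared_key != b.pre_shared_key:
        found.append("preshared keys differ")
    if a.ike != b.ike:
        found.append(f"IKE policy mismatch: {a.ike} vs {b.ike}")
    if a.ipsec != b.ipsec:
        found.append(f"IPsec policy mismatch: {a.ipsec} vs {b.ipsec}")
    if a.local_nets != b.remote_nets or a.remote_nets != b.local_nets:
        found.append("protected networks are not mirrored (A's local must be B's remote)")
    return found

def weak_choices(cfg):
    """Options the wizard still offers that are no longer considered strong."""
    enc, hsh, group = cfg.ike
    checks = [("IKE DES", enc == "DES"), ("IKE MD5", hsh == "MD5"),
              ("IKE DH group 1", group == 1),
              ("IPsec DES", cfg.ipsec[0] == "DES"), ("IPsec MD5", cfg.ipsec[1] == "MD5")]
    return [name for name, bad in checks if bad]

SA1 = SiteToSiteVpn("209.165.200.226", "209.165.200.236", "Cisco",
                    ("3DES", "SHA", 2), ("3DES", "SHA"),
                    frozenset({"10.10.10.0/24"}), frozenset({"10.20.20.0/24"}))
# Site B copied by hand with two slips: the IKE hash and the remote network.
SA2 = SiteToSiteVpn("209.165.200.236", "209.165.200.226", "Cisco",
                    ("3DES", "MD5", 2), ("3DES", "SHA"),
                    frozenset({"10.20.20.0/24"}), frozenset({"10.20.20.0/24"}))

if __name__ == "__main__":
    for problem in mismatches(SA1, SA2) + weak_choices(SA2):
        print("CHECK:", problem)
```

Run it against the real values from both wizard sessions before clicking Finish on the second appliance; an empty result from both functions means the two configurations mirror each other and avoid the weak options.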

What to Do Next
If you are deploying the security appliance solely in a site-to-site VPN environment, you have completed the initial configuration. In addition, you may want to consider performing some of the following steps:

To Do This ... | See ...
Refine configuration and configure optional and advanced features | Cisco Security Appliance Command Line Configuration Guide; Cisco Security Appliance Command Reference
Learn about daily operations | Cisco Security Appliance Logging Configuration and System Log Messages


You can configure the security appliance for more than one application. The following sections provide configuration procedures for other common applications of the security appliance.

To Do This ... | See ...
Configure the security appliance to protect a web server in a DMZ | Chapter 2, Scenario: DMZ Configuration
Configure a remote-access VPN | Chapter 3, Scenario: IPsec Remote-Access VPN Configuration
