Create a Site-to-Site VPN Tunnel Between Secure Firewall ASA

Use the following procedure to create a site-to-site VPN tunnel between two ASAs or an ASA with an Extranet device:

Procedure


Step 1

In the left pane, click Secure Connections > Site to Site VPN > ASA & FDM.

Step 2

Click the Create Tunnel icon and then click Site-to-Site VPN.

Step 3

Step 4

In the Peer Selection area, provide the following information:

  • Configuration Name: Enter a unique topology name.

  • Peer 1: Click the ASA tab and select a Secure Firewall ASA device.

  • Peer 2: Click the ASA tab and select a Secure Firewall ASA device, or choose an extranet (non-ASA) device.

    If you choose an extranet device, select Static and specify its IP address, or select Dynamic for an extranet device whose IP address is assigned by DHCP. The IP Address field displays the static IP address, or DHCP Assigned for a dynamic interface.

Step 5

Click Next.

Step 6

In the Peer Details area, provide the following information:

  • Select one of the options to create a new Policy Based or Route Based site-to-site VPN.

  • VPN Access Interface: Select the interface for both peer 1 and peer 2 to establish a connection between them.

  • (Applicable to Route Based) LAN Interfaces: For both peer 1 and peer 2, select the interface that connects to the protected LAN subnet. You can select multiple interfaces.

  • Routing: Click Add Networks and select one or more protected networks for peer 1 and peer 2. Traffic between these networks is carried over the site-to-site tunnel.

  • (Applicable to Policy Based) NAT Exempt: Select to exempt the VPN traffic from NAT policies on the local VPN access interface. It must be configured manually for individual peers. If you do not want NAT rules to apply to the local network, select the interface that hosts the local network. This option works only if the local network resides behind a single routed interface (not a bridge group member). If the local network is behind more than one routed interface or one or more bridge group members, you must manually create the NAT exempt rules. For information on manually creating the required rules, see Exempt ASA Site-to-Site VPN Traffic from NAT.

Step 7

Click Next.

Step 8

(Applicable to Route Based) In the Tunnel Details area, the VTI Address fields are filled in automatically from the peer devices you configured in the previous step. If necessary, you can enter a different IP address to use for the VTI.

Step 9

In the IKE Settings area, choose the IKE versions to use during Internet Key Exchange (IKE) negotiations and specify the encryption and integrity settings. For more information on the IKE policies, see About Global IKE Policies.

Note

IKE policies are global to a device and apply to all VPN tunnels associated with it. Therefore, adding or deleting a policy affects every VPN tunnel in which this device participates.

  1. Select either or both options as appropriate.

    Note

    By default, IKE Version 2 is enabled.

  2. Click Add IKEv2 Policies to select the IKEv2 policies for peer 1 and peer 2.

  3. The Local Pre-Shared Key and Remote Pre-Shared Key for the participating devices are auto-generated. Pre-shared keys are secret strings configured on each peer in the connection; IKE uses them to authenticate the peers. The local key of one peer must match the remote key of the other.

  4. Click IKE Version 1 to enable it.

  5. Click Add IKEv1 Policies to select the IKEv1 policies for peer 1 and peer 2.

  6. The IKEv1 Pre-Shared Key is auto-generated.

Step 10

Click Next.

Step 11

In the IPSec Settings area, specify the IPsec configurations for peer 1 and peer 2. Only the IPsec proposals for the IKE versions you selected in the IKE Settings step are available.

For more information on the IPsec settings, see About Global IKE Policies.

  1. Click Add IKEv2 IPSec Proposals and select the IKEv2 proposals you want for peer 1 and peer 2.

  2. Choose the Diffie-Hellman Group for Perfect Forward Secrecy. For more information, see Encryption and Hash Algorithms Used in VPN.

Step 12

In the Finish area, review the configuration and continue further only if you’re satisfied with the configuration.

By default, the Deploy changes to ASA immediately check box is checked, so the configuration is deployed to the ASA devices as soon as you click Submit.

If you want to review the changes and deploy them manually later, uncheck this check box.


After you click Submit, you are directed to the VPN Tunnels page, which shows the newly configured site-to-site VPN tunnel. If you unchecked the check box, the changes are staged and must be deployed manually. For a route-based VPN, a routing policy is created automatically to route traffic between the protected networks over the VTI tunnel. To see this policy, select the device on the Security Devices page and choose Configuration > Diff.
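The following is an added example of the ASA CLI configuration that corresponds to Steps 6 through 12 for a route-based (VTI) IKEv2 tunnel; it is not the configuration CDO generates and is not taken from this page. All interface names, IP addresses, policy numbers, object names and the pre-shared key values are placeholder assumptions. The policy-based NAT exempt rule and the verification commands are included as comments.

```cisco
! Added example (not generated by CDO): ASA CLI equivalent of a route-based
! (VTI) IKEv2 site-to-site tunnel as configured by the procedure above.
! All names, addresses and the pre-shared keys are placeholder assumptions.
!
! Peer 1 (this ASA):  outside 198.51.100.1, LAN 192.168.10.0/24
! Peer 2 (remote):    outside 203.0.113.2,  LAN 192.168.20.0/24

! --- IKE Settings (Step 9): IKEv2 policy, global to the device ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Pre-shared keys (auto-generated by CDO; placeholders here).
! Peer 2 must carry the same two values with local/remote swapped.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key LOCAL-PSK-PLACEHOLDER
 ikev2 remote-authentication pre-shared-key REMOTE-PSK-PLACEHOLDER

! --- IPSec Settings (Step 11): IKEv2 IPsec proposal and PFS group ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group19

! --- Tunnel Details (Step 8): VTI using this peer's VTI Address ---
interface Tunnel1
 nameif vti-peer2
 ip address 169.254.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! --- Routing (Step 6): send the remote protected network into the VTI.
! This is the routing policy CDO creates automatically for route-based VPN.
route vti-peer2 192.168.20.0 255.255.255.0 169.254.1.2 1

! --- Policy Based alternative (Step 6, NAT Exempt) ---
! Identity NAT so that traffic between the protected networks is not
! translated before it is matched by the crypto map:
! object network LOCAL-LAN
!  subnet 192.168.10.0 255.255.255.0
! object network REMOTE-LAN
!  subnet 192.168.20.0 255.255.255.0
! nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! --- Verification after deployment ---
! show crypto ikev2 sa       (one IKEv2 SA in READY state with 203.0.113.2)
! show crypto ipsec sa       (encaps/decaps counters increase with traffic)
! show interface Tunnel1     (line protocol up once the IPsec SA is built)
```

Peer 2 needs the mirror image of this configuration: its tunnel-group points at 198.51.100.1, its Tunnel interface uses 169.254.1.2, and its route for 192.168.10.0/24 points at 169.254.1.1. Because the IKEv2 policy and IPsec proposal are global objects, changing them here also changes every other tunnel that terminates on this ASA, which is the caveat noted under the IKE Settings step.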