When deploying site-to-site or remote access VPNs, Cisco offers different approaches depending on whether you are using an ASA firewall or an IOS router. While both platforms leverage ISAKMP/IKEv1 and IPSec for secure tunneling, their configuration methods differ significantly. This post outlines key distinctions, provides detailed examples, and offers best practices for each.

ASA Configuration Overview

Cisco ASA supports both remote access and site-to-site VPNs. Configuration typically begins with defining the ISAKMP (IKEv1) policy using crypto ikev1 policy. This policy sets the phase 1 parameters: encryption algorithm, hash, authentication method (pre-shared key or certificate), and Diffie-Hellman group.

The remote peer is identified by its IP address in the tunnel-group configuration, which specifies the type (ipsec-l2l for LAN-to-LAN) and attributes such as the ikev1 pre-shared-key. An IPSec transform set is then created with crypto ipsec ikev1 transform-set, defining the phase 2 encryption and integrity algorithms. Interesting traffic is selected by a crypto ACL; note that ASA writes it with regular subnet masks, whereas IOS uses wildcard masks.

The VPN connection is bound to a crypto map. This includes setting the peer IP, referencing the transform set and ACL, and then applying it to an interface with:

crypto map CMAP interface outside

However, unlike IOS, ASA does not start ISAKMP on the interface just because a crypto map is applied to it. You must also explicitly enable IKEv1 on that interface with:

crypto ikev1 enable outside

Deeper Dive into ASA Configuration

A practical example might include:

crypto ikev1 policy 10
encr 3des
hash md5
authentication pre-share
group 2

Followed by:

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
ikev1 pre-shared-key cisco123

Then:

crypto ipsec ikev1 transform-set TS esp-3des esp-md5-hmac
access-list CRYPTO-ACL permit ip 10.10.9.0 255.255.255.0 10.11.11.0 255.255.255.0

And the crypto map setup:

crypto map CMAP 10 set peer 203.0.113.1
crypto map CMAP 10 set ikev1 transform-set TS
crypto map CMAP 10 match address CRYPTO-ACL
crypto map CMAP interface outside
crypto ikev1 enable outside

NAT Exemptions (Manual NAT)

When NAT or PAT is configured on the ASA, traffic destined for the remote LAN must be exempted from translation; otherwise its source address is rewritten before the crypto ACL is evaluated and it never matches the tunnel. This is done with Manual NAT:

object network LAN1
subnet 10.10.9.0 255.255.255.0
exit

object network LAN2
subnet 10.11.11.0 255.255.255.0
exit

nat (inside,outside) source static LAN1 LAN1 destination LAN2 LAN2

This identity rule (LAN1 to LAN1, LAN2 to LAN2) ensures that traffic between the two LANs bypasses NAT and reaches the tunnel with its original addresses.

IOS Configuration Overview

On Cisco IOS routers, VPNs also use crypto maps, but the configuration tends to be more flexible and arguably more complex than on ASA. You start by defining an ISAKMP policy:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2

Set the pre-shared key per peer:

crypto isakmp key cisco123 address 192.0.2.1

Access lists differ here: IOS uses wildcard masks (0.0.0.255 rather than 255.255.255.0), and the entry must mirror the ASA's crypto ACL with source and destination swapped:

access-list 150 permit ip 10.11.11.0 0.0.0.255 10.10.9.0 0.0.0.255

Next, you define the transform set and bind everything into a crypto map:

crypto ipsec transform-set ASATS esp-3des esp-md5-hmac

crypto map CAMP 10 ipsec-isakmp
set peer 192.0.2.1
set transform-set ASATS
match address 150

Then apply it to the interface:

interface g2
crypto map CAMP

Once the crypto map is applied, the router starts processing VPN traffic immediately.

Adding Another VPN Site (ASA + IOS)

To add another site-to-site tunnel (e.g., from the ASA to another branch), you repeat the crypto ACL and crypto map process with a new access list and a new crypto map entry under a different sequence number (the existing transform set can be reused). On ASA, this means defining the second crypto map entry and a corresponding NAT exemption:

access-list CRYPTO-ACL-2 permit ip 10.10.9.0 255.255.255.0 10.12.120.0 255.255.255.0

crypto map CMAP 20 match address CRYPTO-ACL-2
crypto map CMAP 20 set peer 198.51.100.1
crypto map CMAP 20 set ikev1 transform-set TS

Manual NAT is updated to include:

object network LAN3
subnet 10.12.120.0 255.255.255.0
exit

nat (inside,outside) source static LAN1 LAN1 destination LAN3 LAN3

And the new tunnel-group:

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
ikev1 pre-shared-key cisco123
exit
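As an added illustration (not part of the original post or of any Cisco tooling), the following Python script checks two things the text above relies on: that the ASA crypto ACL (subnet masks) and the IOS crypto ACL (wildcard masks) mirror each other, and that every ASA crypto ACL pair, including the second site, has a matching identity Manual NAT rule. The ACL, object and NAT lines are constructed samples written in the style of the post's examples.

```python
import ipaddress
import re

# Constructed sample lines in the style of the post's ASA and IOS examples (not from a live device).
ASA_ACLS = ["access-list CRYPTO-ACL permit ip 10.10.9.0 255.255.255.0 10.11.11.0 255.255.255.0"]
IOS_ACLS = ["access-list 150 permit ip 10.11.11.0 0.0.0.255 10.10.9.0 0.0.0.255"]
NAT_OBJECTS = {"LAN1": "10.10.9.0 255.255.255.0", "LAN2": "10.11.11.0 255.255.255.0"}
NAT_RULES = ["nat (inside,outside) source static LAN1 LAN1 destination LAN2 LAN2"]

ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
NAT_RE = re.compile(r"source static (\S+) (\S+) destination (\S+) (\S+)")

def asa_network(addr, mask):
    # ASA crypto ACLs carry a regular subnet mask (255.255.255.0).
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def ios_network(addr, wildcard):
    # IOS ACLs carry a wildcard mask (0.0.0.255): the bitwise inverse of the subnet mask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(line, to_network):
    """Return the (source, destination) networks selected by one permit entry."""
    m = ACL_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised crypto ACL entry: {line}")
    return to_network(m[1], m[2]), to_network(m[3], m[4])

def acls_mirror(asa_lines, ios_lines):
    """True when every ASA src->dst pair appears on IOS as dst->src and vice versa."""
    asa = {parse_acl(l, asa_network) for l in asa_lines}
    ios = {parse_acl(l, ios_network) for l in ios_lines}
    return asa == {(dst, src) for src, dst in ios}

def nat_exempt_covers(asa_lines, objects, rules):
    """True when each crypto ACL pair has an identity (LANx LANx) Manual NAT rule."""
    exempt = set()
    for rule in rules:
        m = NAT_RE.search(rule)
        if m and m[1] == m[2] and m[3] == m[4]:  # identity translation on both sides
            exempt.add((asa_network(*objects[m[1]].split()),
                        asa_network(*objects[m[3]].split())))
    return all(parse_acl(l, asa_network) in exempt for l in asa_lines)

if __name__ == "__main__":
    print("crypto ACLs mirror each other:", acls_mirror(ASA_ACLS, IOS_ACLS))
    print("NAT exemption covers all tunnels:", nat_exempt_covers(ASA_ACLS, NAT_OBJECTS, NAT_RULES))
```

Feeding it the second-site ACL without the LAN3 NAT rule reports the missing exemption, which is exactly the mistake that leaves the new tunnel idle while traffic is translated and dropped.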

Concepts and Best Practices

A tunnel-group on ASA is conceptually equivalent to an ISAKMP profile on IOS. It acts like a connection catcher, applying peer-specific attributes during phase 1 negotiation. In ASDM, this is referred to as a Connection Profile.

To allow traffic that arrives through one tunnel to leave again through another tunnel on the same outside interface (the branch-to-branch “U-turn”, or hairpinning, scenario), enable:

same-security-traffic permit intra-interface

Additionally, update the crypto ACLs on each tunnel so that traffic between the branch LANs, not only between the hub and each branch, is selected for encryption.

Two invaluable troubleshooting tools:

  • packet-tracer (ASA) to simulate a flow and verify that it is routed into the tunnel rather than blocked by NAT or an ACL.
  • show crypto isakmp sa detail to check whether the tunnel is forming and which IKE phase 1 state it has reached.

This overview should provide a solid foundation for building and comparing VPN configurations across Cisco ASA and IOS platforms. The nuances in syntax and logic make a big difference in real-world deployments, especially when NAT, ACLs, and multi-site connectivity are involved.