
[solved] How to setup IPSEC vpn tunnel in Cisco ASA step by step

IPsec VPN tunnels are used to connect two networks over the internet and secure the traffic between them, negotiated with IKE version 1 or 2.

First we will need to configure the ISAKMP policy, which defines the following:

Authentication method is used to ensure the identity of the IPsec peers

Encryption method is used to encrypt the data

Hash message authentication codes (HMAC) are used to ensure the integrity of the data and the identity of the sender

A Diffie-Hellman group determines the strength of the key exchange used to derive the encryption keys

Below is an example of the ISAKMP policy; you can have a maximum of 20 policies per device.


Once the ISAKMP policy is created, it needs to be enabled on the outside interface with the following command:

crypto isakmp enable interface-name


IPsec transform sets define the authentication and encryption used for the IPsec tunnels; you can have multiple transform sets configured.

Below is one example:

crypto ipsec transform-set Name esp-3des esp-md5-hmac

The transform set has to match on both VPN appliances.


You will need to create an access list to match the interesting traffic on both sides.

If your local side is and the remote side is then your access list should look something like this:

access-list VPN1 extended permit ip

You can also create a network object-group if you have more than one subnet.


Tunnel groups are sets of records that define the VPN connection policies and authentication servers.

Below are the steps to create the tunnel group:

tunnel-group type ipsec-l2l

tunnel-group ipsec-attributes

pre-shared-key myvpnkey1234


The crypto map ties all the policies together, such as your access list and the peer settings. Below is the command that ties the crypto map entry for a VPN peer to the access list:

crypto map map-name seq-num match address access-list-name

In this example, VPN is the name of the crypto map, 1 is the sequence number and VPN1 is the name of the ACL.


This will set up the point-to-point IPsec tunnel on your end.

You can now test the new tunnel by initiating traffic to the other side using ICMP pings; this should bring the tunnel up.
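As an added, complete example that is not from the original article, here is one side of a site-to-site configuration assembled from the steps above, using the same pre-8.3 ASA command syntax the article uses. All addresses, names, the pre-shared-key placeholder and the NAT-exemption lines are assumptions, and it uses AES-256/SHA/DH group 5 rather than the 3DES/MD5 shown above.

```cisco
! --- ASA-A (local site) ---
! Constructed addresses for this example:
!   local LAN  10.1.1.0/24,  ASA-A outside 203.0.113.1
!   remote LAN 10.2.2.0/24,  ASA-B outside 198.51.100.1
! Phase 1 (ISAKMP / IKEv1) policy: AES-256, SHA and DH group 5 instead of
! the weaker 3DES/MD5; both peers must agree on these values
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
! Phase 2 transform set, also identical on both peers
crypto ipsec transform-set VPN-TS esp-aes-256 esp-sha-hmac
! Interesting traffic: local LAN to remote LAN (mirrored on ASA-B)
access-list VPN1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
! NAT exemption (pre-8.3 syntax, assumed) so VPN traffic is not translated
! before it is matched by the crypto ACL
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
! For an L2L tunnel the tunnel group is named after the remote peer's public IP
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-long-random-key
! Crypto map: ACL + peer + transform set, then bind it to the outside interface
crypto map VPN 1 match address VPN1
crypto map VPN 1 set peer 198.51.100.1
crypto map VPN 1 set transform-set VPN-TS
crypto map VPN interface outside
!
! --- ASA-B (remote site) mirrors the above with the addresses swapped:
!   access-list VPN1 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
!   tunnel-group 203.0.113.1 type ipsec-l2l
!   crypto map VPN 1 set peer 203.0.113.1
!
! Verify after sending a ping across the tunnel:
!   show crypto isakmp sa   (Phase 1 state should be MM_ACTIVE)
!   show crypto ipsec sa    (pkts encaps/decaps counters should increase)
```

If Phase 1 never reaches MM_ACTIVE, compare the ISAKMP policy and pre-shared key on both peers first; if Phase 1 is up but the counters stay at zero, check the crypto ACL and NAT exemption.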

Thanks for reading the article


