
Lab under GNS3: Configuring a Site-to-Site IPsec VPN Using CCP and ASDM
Topology

Note: ISR G2 devices use GigabitEthernet interfaces instead of FastEthernet interfaces.

© 2021 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 31
Lab - Configuring a Site-to-Site IPsec VPN Using CCP and ASDM

IP Addressing Table

Device  Interface        IP Address        Subnet Mask        Default Gateway  Switch Port
R1      Fa0/0            209.165.200.225   255.255.255.248    N/A              ASA E0/0
R1      S0/0/0 (DCE)     10.1.1.1          255.255.255.252    N/A              N/A
R2      S0/0/0           10.1.1.2          255.255.255.252    N/A              N/A
R2      S0/0/1 (DCE)     10.2.2.2          255.255.255.252    N/A              N/A
R3      Fa0/1            172.16.3.1        255.255.255.0      N/A              S3 Fa0/5
R3      S0/0/1           10.2.2.1          255.255.255.252    N/A              N/A
ASA     VLAN 1 (E0/1)    192.168.1.1       255.255.255.0      N/A              S2 Fa0/24
ASA     VLAN 2 (E0/0)    209.165.200.226   255.255.255.248    N/A              R1 Fa0/0
ASA     VLAN 3 (E0/2)    192.168.2.1       255.255.255.0      N/A              S1 Fa0/24
PC-A    NIC              192.168.2.3       255.255.255.0      192.168.2.1      S1 Fa0/6
PC-B    NIC              192.168.1.3       255.255.255.0      192.168.1.1      S2 Fa0/18
PC-C    NIC              172.16.3.3        255.255.255.0      172.16.3.1       S3 Fa0/18

Objectives
Part 1: Basic Router/Switch/PC Configuration
• Cable the network and clear previous device settings.
• Configure basic settings for routers and switches.
• Configure static routing, including default routes, between R1, R2 and R3.
• Configure the enable and vty passwords on R3.
• Configure HTTP access, a username, and local authentication prior to starting CCP.
• Configure PC host IP settings.
• Verify connectivity.
Part 2: Basic ASA Configuration
• Access the ASA console.
• Clear the previous ASA configuration settings.
• Bypass Setup mode.
• Use the CLI command script to configure the ASA.
• Verify HTTP ASDM access.
Part 3: Configuring the ISR as a Site-to-Site IPsec VPN Endpoint Using CCP
• Run the CCP application on PC-C and discover R3.
• Start the CCP VPN wizard to configure R3.
• Configure basic VPN connection information settings.
• Specify IKE policy parameters.
• Configure a transform set.
• Specify traffic to protect.
• Review the summary of the configuration.
• Review the site-to-site VPN tunnel configuration.
Part 4: Configuring the ASA as a Site-to-Site IPsec VPN Endpoint Using ASDM
• Access ASDM.
• Review the ASDM Home screen.
• Start the VPN wizard.
• Configure peer device identification.
• Specify the traffic to protect.
• Configure authentication.
• Configure miscellaneous settings.
• Review the configuration summary and deliver the commands to the ASA.
• Verify the ASDM VPN connection profile.
• Test the VPN configuration from R3 using CCP.
• Use ASDM monitoring to verify the tunnel.

Background / Scenario
In addition to acting as a remote access VPN concentrator, the ASA can provide Site-to-Site IPsec VPN
tunneling. The tunnel can be configured between two ASAs or between an ASA and another IPsec VPN-
capable device, such as an ISR, as is the case with this lab.
Your company has two locations connected to an ISP. Router R1 represents a CPE device managed by the
ISP. Router R2 represents an intermediate Internet router. Router R3 connects users at the remote branch
office to the ISP. The ASA is an edge security device that connects the internal corporate network and DMZ
to the ISP while providing NAT services to inside hosts.
Management has asked you to provide a dedicated Site-to-Site IPsec VPN tunnel between the ISR router at
the remote branch office and the ASA device at the corporate site. This tunnel will protect traffic between the
branch office LAN and the corporate LAN, as it passes through the Internet. The Site-to-Site VPN does not
require a VPN client on the remote or corporate site host computers. Traffic from either LAN to other Internet
destinations is routed by the ISP and is not protected by the VPN tunnel. The VPN tunnel will pass through
R1 and R2; neither router is aware of its existence.
In Part 1 of this lab, you will configure the topology and non-ASA devices. In Part 2, you will prepare the ASA
for ASDM access. In Part 3, you will use the CCP VPN Wizard to configure the R3 ISR as a Site-to-Site IPsec
VPN endpoint. In Part 4, you will configure the ASA as a Site-to-Site IPsec VPN endpoint using the ASDM
VPN wizard.
Note: The router commands and output in this lab are from a Cisco 1841 router with Cisco IOS Release
15.1(4)M8 (Advanced IP Services image). Other routers and Cisco IOS versions can be used. See the Router
Interface Summary Table at the end of this lab to determine which interface identifiers to use based on the
equipment in the lab. Depending on the router model and Cisco IOS version, the commands available, and
output produced might vary from what is shown in this lab.
The ASA that is used with this lab is a Cisco model 5505 with an 8-port integrated switch, running OS version
8.4(2) and ASDM version 7.2(1) and comes with a Base license that allows a maximum of three VLANs.
Note: Ensure that the routers and switches have been erased and have no startup configurations.
Required Resources
• 3 Routers (Cisco 1841 with Cisco IOS Release 15.1(4)M8 Advanced IP Services image or comparable)
• 3 Switches (Cisco 2960 or comparable)
• 1 ASA 5505 (OS version 8.4(2) and ASDM version 7.2(1) and Base license or comparable)
• 3 PCs (Windows Vista or Windows 7 with CCP 2.5, latest version of Java, Internet Explorer, and Flash
Player)
• Serial and Ethernet cables as shown in the topology
• Console cables to configure Cisco networking devices
CCP Notes:
• If the PC on which CCP is installed is running Windows Vista or Windows 7, it may be necessary to right-
click the CCP icon or menu item, and select Run as administrator.
• To run CCP, it may be necessary to temporarily disable antivirus programs and O/S firewalls. Make sure
that all pop-up blockers are turned off in the browser.

Part 1: Basic Router/Switch/PC Configuration


In Part 1 of this lab, you will set up the network topology and configure basic settings on the routers, such as
interface IP addresses and static routing.
Note: Do not configure any ASA settings at this time.

Step 1: Cable the network and clear previous device settings.


Attach the devices shown in the topology diagram and cable as necessary. Ensure that the routers and
switches have been erased and have no startup configurations.

Step 2: Configure basic settings for routers and switches.


a. Configure hostnames, as shown in the topology for each router.
b. Configure router interface IP addresses, as shown in the IP Addressing table.
c. Configure a clock rate for routers with a DCE serial cable attached to their serial interface. Router R1 is
shown here as an example.
R1(config)# interface S0/0/0
R1(config-if)# clock rate 64000
d. Configure the hostname for the switches. Other than the hostname, the switches can be left in their
default configuration state. Configuring the VLAN management IP address for the switches is optional.

Step 3: Configure static routing on the routers.


a. Configure a static default route from R1 to R2 and from R3 to R2.
R1(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0
R3(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/1


b. Configure a static route from R2 to the R1 Fa0/0 subnet (connected to ASA interface E0/0) and a static
route from R2 to the R3 LAN.
R2(config)# ip route 209.165.200.224 255.255.255.248 Serial0/0/0
R2(config)# ip route 172.16.3.0 255.255.255.0 Serial0/0/1
Step 4: Configure the enable and vty passwords on R3.


On R3, set the enable password to class and the console and vty passwords to cisco. Configure the same
settings on R1 and R2. R3 is shown here as an example.
R3(config)# enable secret class
R3(config)# line vty 0 4
R3(config-line)# password cisco
R3(config-line)# login
R3(config)# line con 0
R3(config-line)# password cisco
R3(config-line)# login

Step 5: Configure HTTP access, a username, and local authentication prior to starting CCP.
a. From the CLI, configure a username and password for use with CCP on R3.
R3(config)# ip http server
R3(config)# ip http secure-server
R3(config)# username admin privilege 15 secret cisco123
b. Use the local database to authenticate web sessions with CCP.
R3(config)# ip http authentication local

Step 6: Configure PC host IP settings.


Configure a static IP address, subnet mask, and default gateway for PC-A, PC-B, and PC-C, as shown in the
IP Addressing table.

Step 7: Verify connectivity.


From PC-C, ping the R1 Fa0/0 IP address (209.165.200.225). If these pings are not successful, troubleshoot
the basic device configurations before continuing.
Note: If you can ping from PC-C to R1 Fa0/0 you have demonstrated that static routing is configured and
functioning correctly.

Step 8: Save the basic running configuration for each router and switch.

Part 2: Basic ASA Configuration


Step 1: Access the ASA console.
a. Accessing the ASA via the console port is the same as with a Cisco router or switch. Connect to the ASA
Console port with a rollover cable.
b. Use a terminal emulation program, such as TeraTerm or PuTTy, to access the CLI, and use the serial
port settings of 9600 baud, 8 data bits, no parity, one stop bit, and no flow control.
c. If prompted to enter Interactive Firewall configuration (Setup mode), answer no.
d. Enter privileged EXEC mode with the enable command and password (if set). By default, the password is
blank; press Enter. If the password has been changed to that specified in this lab, the password will be
class. In addition, the hostname and prompt will be CCNAS-ASA>, as shown here. The default ASA
hostname and prompt is ciscoasa>.
CCNAS-ASA> enable
Password: class (or press Enter if none set)

Step 2: Clear the previous ASA configuration settings.


a. Use the write erase command to remove the startup-config file from flash memory.
CCNAS-ASA# write erase
Erase configuration in flash memory? [confirm]
[OK]
CCNAS-ASA#

Note: The erase startup-config IOS command is not supported on the ASA.
b. Use the reload command to restart the ASA. This will cause the ASA to come up in CLI Setup mode. If
you see the message System config has been modified. Save? [Y]es/[N]o:, respond with N.
CCNAS-ASA# reload
Proceed with reload? [confirm] <Enter>
CCNAS-ASA#
***
*** --- START GRACEFUL SHUTDOWN ---
Shutting down isakmp
Shutting down File system
***
*** --- SHUTDOWN NOW ---
Process shutdown finished
Rebooting.....
CISCO SYSTEMS
Embedded BIOS Version 1.0(12)13 08/28/08 15:50:37.45
<output omitted>

Step 3: Bypass Setup mode.


When the ASA completes the reload process, it should detect that the startup configuration file is missing and
go into Setup mode. If it does not come up in this mode, repeat Step 2.
a. When prompted to preconfigure the firewall through interactive prompts (Setup mode), respond with no.
Pre-configure Firewall now through interactive prompts [yes]? no
b. Enter privileged EXEC mode with the enable command. The password should be kept blank (no
password).

Step 4: Use the CLI script to configure the ASA.


In this step, you will use a CLI script to configure basic settings, the firewall, and DMZ.
a. Ensure that there is no previous configuration in the ASA, other than the defaults that the ASA
automatically inserts, using the show run command.
b. Enter global configuration mode. When prompted to enable anonymous call-home reporting, respond no.
ciscoasa> enable
Password: <Enter>

ciscoasa# conf t
ciscoasa(config)#
c. The first time you enter configuration mode after running reload, you will be asked to enable anonymous
reporting. Respond with no.
d. Copy and paste the Pre-VPN Configuration Script commands listed below at the global configuration
mode prompt to bring the ASA to the point where you can start configuring the VPN.
e. Observe the messages as the commands are applied to ensure that there are no warnings or errors. If
prompted to replace the RSA key pair, respond yes.
f. Issue the write mem (or copy run start) command to save the running configuration to the startup
configuration and the RSA keys to non-volatile memory.
Pre-VPN ASA Configuration Script:
hostname CCNAS-ASA
!
domain-name ccnasecurity.com
!
enable password class
passwd cisco
!
interface Ethernet0/0
switchport access vlan 2
no shut
!
interface Ethernet0/1
switchport access vlan 1
no shut
!
interface Ethernet0/2
switchport access vlan 3
no shut
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.200.226 255.255.255.248
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 70
ip address 192.168.2.1 255.255.255.0
!
object network inside-net
subnet 192.168.1.0 255.255.255.0
!
object network dmz-server
host 192.168.2.3
!
access-list OUTSIDE-DMZ extended permit ip any host 192.168.2.3
!
object network inside-net
nat (inside,outside) dynamic interface
!
object network dmz-server
nat (dmz,outside) static 209.165.200.227
!
access-group OUTSIDE-DMZ in interface outside
!
route outside 0.0.0.0 0.0.0.0 209.165.200.225 1
!
username admin password cisco123
!
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
!
http server enable
http 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 10
ssh timeout 10
!
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect icmp
!
prompt hostname context
no call-home reporting anonymous
!
crypto key generate rsa modulus 1024

Step 5: Verify HTTPS ASDM access.


Note: This step is intended to verify HTTPS connectivity from PC-B to the ASA. ASDM settings will be
configured in Part 4 of this lab.
a. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1.
b. After entering https://192.168.1.1, you should see a security warning about the website’s security
certificate. Click Continue to this website. The ASDM welcome page will display. From this screen, you
can install ASDM on the PC, run ASDM as browser-based Java applet directly from the ASA, or run the
Startup wizard. Click Run ASDM.
Note: The process may vary depending on the browser used. This example is for Internet Explorer.

Part 3: Configuring the ISR as a Site-to-Site IPsec VPN Endpoint Using CCP
In Part 3 of this lab, you will configure R3 as an IPsec VPN endpoint for the tunnel between R3 and the ASA.
Routers R1 and R2 are unaware of the tunnel.

Step 1: Run the CCP application on PC-C and discover R3.


a. Run the CCP application on PC-C. In the Select/Manage Community window, enter the R3 Fa0/1 IP
address 172.16.3.1, username admin, and password cisco123. Click the Connect Securely check box
to use secure-server for your connection. Click OK.
b. In the Community Information panel, click Discover to discover and connect to R3. If the PC-C CCP
application can make an HTTP connection to R3, the Discovery Status changes to Discovered. If the
discovery process fails, click Discover Details to determine the problem so that you can resolve the
issue.
Step 2: Start the CCP VPN wizard to configure R3.


a. On the CCP menu bar, click Configure, and select Security > VPN > Site-to-Site VPN. Read the on-
screen text describing the Site-to-Site VPN.
What must you know to complete the configuration?
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
b. Click Launch the selected task to begin the CCP Site-to-Site VPN wizard.
c. From the initial Site-to-Site VPN wizard screen, select the Step by Step wizard, and then click Next.

Step 3: Configure basic VPN connection information settings.


a. On the VPN Connection Information screen, select the interface for the connection, which should be
Serial0/0/1.
b. In the Peer Identity section, select Peer with static IP address and enter the IP address of the remote
peer, ASA VLAN 2 interface E0/0 (209.165.200.226).
c. In the Authentication section, click Pre-shared Keys, and enter the pre-shared VPN key cisco12345. Re-
enter the key for confirmation. This key authenticates the initial exchange to establish the Security
Association between devices. When finished, your screen should look similar to the following. When you
have entered these settings correctly, click Next.
Step 4: Specify IKE policy parameters.


IKE policies are used while setting up the control channel between the two VPN endpoints for key exchange.
This is also referred to as the IKE security association (SA). In contrast, the IPsec policy is used during IKE
Phase 2 to negotiate an IPsec security association that carries the target data traffic.
a. On the IKE Proposals screen, a default policy proposal is displayed with a priority of 1. You can use this
one or create a new one, if necessary. In this lab, you will configure the R3 end of the VPN tunnel using
the default IKE proposal. Click Next to continue.
Settings for the CCP default IKE Phase 1 policy for this ISR are:
o Priority = 1
o Encryption = 3DES
o Hash = SHA_1
o D-H Group = group2
o Authentication = PRE_SHARE
Step 5: Configure a transform set.


The transform set is the IPsec policy used to encrypt, hash, and authenticate packets that pass through the
tunnel. The transform set is the IKE Phase 2 policy.
On the Transform Set screen, a default transform set is displayed. You can use this one or create a new one,
if necessary. In this lab, you will configure the R3 end of the VPN tunnel using the default transform set. Click
Next to continue.
Settings for the CCP default IKE Phase 2 policy transform set for this ISR are:
o Name = ESP-3DES-SHA
o ESP Encryption = ESP_3DES
o ESP Integrity = ESP_SHA_HMAC
o Mode = Tunnel
Step 6: Specify traffic to protect.


You must define “interesting” traffic to be protected through the VPN tunnel. Interesting traffic is defined
through an access list that is applied to the router. By entering the source and destination subnets that you
would like to protect through the VPN tunnel, CCP generates the appropriate simple access list for you.
On the Traffic to protect screen, enter the information shown below. These are the opposite of the settings
configured on the ASA later in the lab. When finished, click Next.
Step 7: Review the summary of the configuration.


a. Review the Summary of the Configuration screen. It should look similar to the one below. You can scroll
down to see the IPsec rule (ACL) that CCP creates for R3, which permits all traffic from network
172.16.3.0/24 to network 192.168.1.0/24.
b. Do NOT click the Test VPN connectivity after configuring check box. This will be done after you
configure the ASA side of the VPN tunnel. Click Finish to go to the Deliver Configuration to Device
screen.
Note: Pay particular attention to the IKE Policies and Transform Set. You will configure the ASA to match
these settings in the next part of this lab.
c. On the Deliver Configuration to Device screen, select Save running config to device’s startup config
and click Deliver. After the commands have been delivered, click OK.
d. You can also save these configuration commands for later editing or documentation purposes by clicking
Save to file.
Note: If you receive an error message that CCP was unable to copy the running-config to the startup
configuration, you can verify that the commands were delivered by using the show startup-config CLI
command on R3. If the startup configuration has not been updated, use the copy run start command on
R3.
e. You can view the running configuration and startup configuration from within CCP. To view the running
config, click Home, and under the Utilities section, click View > Running Configuration.
f. To view the startup configuration, click Home > Utilities > View > IOS Show Commands. Click the pull-
down list next to the command window, select the show startup-config command, and then click Show.
Note: There are several predefined show commands listed in the pull-down list, but you can also enter
any valid IOS command, such as show ip interface brief, and then click Show.
Step 8: Review the Site-to-Site VPN tunnel configuration.


a. The Edit Site-to-Site VPN screen displays after the commands are delivered. Use the scroll buttons to
examine the configuration. The tunnel status is down at this point, because the ASA end of the tunnel is
not yet configured.
Note: Leave CCP running and connected to R3 on PC-C. Click Test Tunnel to verify VPN functionality
after configuring the ASA end of the tunnel.
Part 4: Configuring the ASA as a Site-to-Site IPsec VPN Endpoint Using ASDM

In Part 4 of this lab, you will configure the ASA as an IPsec VPN tunnel endpoint. The tunnel between the
ASA and R3 passes through R1 and R2.

Step 1: Access ASDM.


a. Open a browser on PC-B and test the HTTPS access to the ASA by entering https://192.168.1.1.
b. After entering https://192.168.1.1, you should see a security warning about the website security
certificate. Click Continue to this website. Click Yes for any other security warnings. At the ASDM
welcome page, click Run ASDM. The ASDM-IDM Launcher displays. Log in as user admin with
password cisco123. ASDM then loads the current configuration into the GUI.
Step 2: Review the ASDM Home screen.


a. The Home screen displays showing the current ASA device configuration and some traffic flow statistics.
Note the inside, outside, and DMZ interfaces that were configured in Part 2.

Step 3: Start the VPN wizard.


a. On the ASDM main menu, click Wizards > VPN Wizards > Site-to-Site VPN Wizard. The Site-to-Site
VPN Connection Setup Wizard Introduction screen displays.
b. Review the on-screen text and topology diagram, and then click Next to continue.
Step 4: Configure peer device identification.


On the Peer Device Identification screen, enter the IP address of the R3 Serial0/0/1 interface (10.2.2.1) as the
Peer IP Address. Leave the default VPN Access Interface set to outside. The VPN tunnel will be between R3
S0/0/1 and the ASA outside interface (VLAN 2 E0/0). Click Next to continue.

Step 5: Specify the traffic to protect.


On the Traffic to protect screen, click IPv4 and enter the inside network 192.168.1.0/24 as the Local Network
and the R3 LAN 172.16.3.0/24 as the Remote Network. Click Next to continue. A message may display that
the certificate information is being retrieved.
Note: If the ASA does not respond, you may need to close the window and continue to the next step. If
prompted to authenticate, log in again as admin with the password cisco123.
Step 6: Configure authentication.


On the Security screen, enter a pre-shared key of cisco12345. You will not be using a device certificate. Click
Next to continue.
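At this point both ends of the tunnel have been specified: R3 through the CCP wizard (Part 3, Steps 3 to 6) and the ASA through the ASDM wizard (Part 4, Steps 4 to 6). The tunnel only comes up if the two configurations are mirror images of each other: each side's peer address is the other side's tunnel interface, each side's local network is the other side's remote network, the pre-shared keys are identical, and the Phase 1 and Phase 2 proposals agree. The following script is an added example (it is not part of the lab and not CCP or ASDM code) that encodes the values the lab has you enter and checks them against each other. The alias table that folds CCP labels (SHA_1, group2, ESP_SHA_HMAC) and ASA-style labels (sha, 2, esp-sha-hmac) onto one vocabulary is this example's own assumption about how the two GUIs name the same algorithms.

```python
"""Mirror-image check for the two site-to-site IPsec peers in this lab.

Added example, not part of the original lab and not CCP/ASDM code. Peer
addresses, protected networks, the pre-shared key and the Phase 1/Phase 2
proposals are the values the lab text specifies; the ALIASES table is an
assumption about how each GUI spells the same algorithm.
"""
from dataclasses import dataclass, replace

from ipaddress import ip_address, ip_network

# CCP and ASDM spell the same algorithm differently; fold both onto one name.
# Labels that are not listed are kept (lower-cased) so a real mismatch is
# reported instead of silently accepted.
ALIASES = {
    "3des": "3des", "esp_3des": "3des", "esp-3des": "3des",
    "sha": "sha", "sha_1": "sha", "sha1": "sha",
    "esp_sha_hmac": "sha", "esp-sha-hmac": "sha",
    "group2": "2", "2": "2",
    "pre_share": "pre-share", "pre-share": "pre-share",
    "tunnel": "tunnel",
}


def canon(label: str) -> str:
    """Normalise a vendor label to the shared vocabulary."""
    key = label.strip().lower()
    return ALIASES.get(key, key)


@dataclass(frozen=True)
class IkePolicy:            # IKE Phase 1 (ISAKMP SA)
    encryption: str
    hash_alg: str
    dh_group: str
    authentication: str


@dataclass(frozen=True)
class TransformSet:         # IKE Phase 2 (IPsec SA)
    esp_encryption: str
    esp_integrity: str
    mode: str


@dataclass(frozen=True)
class Endpoint:
    name: str
    local_address: str      # interface the tunnel terminates on
    peer_address: str       # what this side is told about the other side
    local_network: str      # source side of this side's crypto ACL
    remote_network: str     # destination side of this side's crypto ACL
    psk: str
    ike: IkePolicy
    ipsec: TransformSet


def check_peers(a: Endpoint, b: Endpoint) -> list:
    """Return every reason the two endpoints would fail to build the tunnel.
    An empty list means the two configurations are mirror images."""
    problems = []
    if ip_address(a.peer_address) != ip_address(b.local_address):
        problems.append(f"{a.name} peer {a.peer_address} != {b.name} address {b.local_address}")
    if ip_address(b.peer_address) != ip_address(a.local_address):
        problems.append(f"{b.name} peer {b.peer_address} != {a.name} address {a.local_address}")
    if ip_network(a.local_network) != ip_network(b.remote_network):
        problems.append(f"crypto ACLs not mirrored: {a.name} local {a.local_network} vs {b.name} remote {b.remote_network}")
    if ip_network(b.local_network) != ip_network(a.remote_network):
        problems.append(f"crypto ACLs not mirrored: {b.name} local {b.local_network} vs {a.name} remote {a.remote_network}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")        # never echo the keys themselves
    for attr in ("encryption", "hash_alg", "dh_group", "authentication"):
        x, y = canon(getattr(a.ike, attr)), canon(getattr(b.ike, attr))
        if x != y:
            problems.append(f"IKE Phase 1 {attr}: {a.name}={x} {b.name}={y}")
    for attr in ("esp_encryption", "esp_integrity", "mode"):
        x, y = canon(getattr(a.ipsec, attr)), canon(getattr(b.ipsec, attr))
        if x != y:
            problems.append(f"IPsec transform set {attr}: {a.name}={x} {b.name}={y}")
    return problems


# R3 as entered in the CCP wizard (Part 3); labels are CCP's own.
R3 = Endpoint(
    name="R3", local_address="10.2.2.1", peer_address="209.165.200.226",
    local_network="172.16.3.0/24", remote_network="192.168.1.0/24",
    psk="cisco12345",
    ike=IkePolicy("3DES", "SHA_1", "group2", "PRE_SHARE"),
    ipsec=TransformSet("ESP_3DES", "ESP_SHA_HMAC", "Tunnel"),
)

# ASA as entered in the ASDM wizard (Part 4); algorithm labels use the
# ASA-style spelling (assumed here, the lab only says they must match R3).
ASA = Endpoint(
    name="ASA", local_address="209.165.200.226", peer_address="10.2.2.1",
    local_network="192.168.1.0/24", remote_network="172.16.3.0/24",
    psk="cisco12345",
    ike=IkePolicy("3des", "sha", "2", "pre-share"),
    ipsec=TransformSet("esp-3des", "esp-sha-hmac", "tunnel"),
)


def lab_result() -> list:
    """The lab's configuration: expected to be consistent."""
    return check_peers(R3, ASA)


def typo_result() -> list:
    """A one-character slip in the ASA pre-shared key plus a Phase 2 integrity
    mismatch: the two classic reasons a 'Test Tunnel' run fails."""
    bad = replace(ASA, psk="cisco1234",
                  ipsec=TransformSet("esp-3des", "esp-md5-hmac", "tunnel"))
    return check_peers(R3, bad)


if __name__ == "__main__":
    print("lab config:", lab_result() or "OK")
    print("typo config:", typo_result())
```

The check only verifies that both peers agree; it says nothing about algorithm strength. The defaults this lab accepts (3DES, SHA-1, DH group 2) are legacy choices that a production deployment would replace, and the checker would flag a one-sided upgrade of either peer as a mismatch, which is exactly the failure the lab's Step 10 troubleshooting run reports.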

Step 7: Configure miscellaneous settings.


On the NAT Exempt screen, click the Exempt ASA side host/network from address translation check box
for the inside interface. Click Next to continue.
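The NAT exempt box is what keeps the tunnel and the Part 2 NAT rules from fighting each other. The pre-VPN script translates every inside-net source to the outside interface address, and the ASA applies NAT before it matches outbound traffic against the crypto ACL, so without the exemption a packet from PC-B to the R3 LAN would leave with a source of 209.165.200.226, never match the protected 192.168.1.0/24 to 172.16.3.0/24 flow, and go out in the clear. The following script is an added example (not part of the lab and not ASA code) that models that ordering with the lab's own rules. The identity rule the wizard adds is shown in a simplified form, since the lab does not print the ASA syntax, and the first-match order (manual NAT in Section 1 before object NAT in Section 2, static object NAT before dynamic) is this example's assumption about ASA NAT evaluation.

```python
"""Why NAT exemption matters for the lab's site-to-site tunnel.

Added example, not part of the original lab and not ASA code. The two object
NAT rules are the ones from the Part 2 pre-VPN script; the identity rule is a
simplified form of what the ASDM wizard adds when 'Exempt ASA side
host/network from address translation' is checked. Evaluation order
(Section 1 manual NAT before Section 2 object NAT, first match wins) is an
assumption of this model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

OUTSIDE_IF_ADDRESS = ip_address("209.165.200.226")   # ASA VLAN 2 / outside
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    section: int                      # 1 = manual (twice) NAT, 2 = object NAT
    src: IPv4Network                  # real source to match
    dst: IPv4Network                  # real destination to match (ANY for object NAT)
    mapped_src: Optional[IPv4Address] # None = identity, i.e. no translation
    label: str


# Object NAT from the Part 2 script (Section 2); static is listed before dynamic.
OBJECT_NAT = [
    NatRule(2, ip_network("192.168.2.3/32"), ANY, ip_address("209.165.200.227"),
            "dmz-server static"),
    NatRule(2, ip_network("192.168.1.0/24"), ANY, OUTSIDE_IF_ADDRESS,
            "inside-net dynamic interface (PAT)"),
]

# Identity rule added by the ASDM wizard when NAT exemption is checked (Section 1).
NAT_EXEMPT = NatRule(1, ip_network("192.168.1.0/24"), ip_network("172.16.3.0/24"), None,
                     "VPN NAT exemption (identity)")

# The ASA side of the crypto ACL: local network -> remote network.
CRYPTO_ACL = (ip_network("192.168.1.0/24"), ip_network("172.16.3.0/24"))


def translate(src, dst, rules):
    """Return (source as seen on the outside, label of the rule that matched).
    Section 1 rules are tried before Section 2; within a section, list order."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.section):   # stable sort keeps list order
        if src in rule.src and dst in rule.dst:
            mapped = src if rule.mapped_src is None else rule.mapped_src
            return mapped, rule.label
    return src, "no NAT rule"


def is_protected(src_after_nat, dst) -> bool:
    """The crypto ACL is evaluated against the post-NAT source address."""
    return (ip_address(str(src_after_nat)) in CRYPTO_ACL[0]
            and ip_address(str(dst)) in CRYPTO_ACL[1])


def outcome(src: str, dst: str, exempt: bool) -> dict:
    """What happens to one outbound packet with or without the exemption rule."""
    rules = OBJECT_NAT + ([NAT_EXEMPT] if exempt else [])
    mapped, label = translate(src, dst, rules)
    return {"mapped_src": str(mapped), "rule": label, "protected": is_protected(mapped, dst)}


if __name__ == "__main__":
    # PC-B -> PC-C, without and with the NAT exempt box checked
    print(outcome("192.168.1.3", "172.16.3.3", exempt=False))
    print(outcome("192.168.1.3", "172.16.3.3", exempt=True))
    # PC-B -> an Internet host (constructed address): still PAT'd, still not protected
    print(outcome("192.168.1.3", "209.165.201.10", exempt=True))
```

The third case shows the behaviour the Background section describes: traffic from the inside LAN to other Internet destinations keeps being translated and routed by the ISP, because the identity rule only matches the 192.168.1.0/24 to 172.16.3.0/24 pair. This is also why the Step 10 note says that, without the tunnel and the NAT bypass, PC-C could not reach PC-B at all.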
Step 8: Review the configuration summary and deliver the commands to the ASA.
a. The Summary page is displayed next. Verify that the information configured in the Site-to-Site VPN
wizard is correct. You can click Back to make changes, or click Cancel, and restart the VPN wizard
(recommended).
b. Click Finish to complete the process and deliver the commands to the ASA. If prompted to authenticate,
log in again as admin with password cisco123.

Step 9: Verify the ASDM VPN connection profile.


The ASDM Configurations > Site-to-Site VPN > Connection Profiles screen displays the settings you just
configured. From this window, the VPN configuration can be verified and edited.
Step 10: Test the VPN configuration from R3 using CCP.


a. On PC-C, use CCP to test the IPsec VPN tunnel between the R3 ISR and the ASA. Click Configure >
Security > VPN > Site-to-Site VPN and select the Edit Site-to-Site VPN tab.
b. On the Edit Site-to-Site VPN tab, click Test Tunnel.
c. When the VPN Troubleshooting window displays, click Start to have CCP start troubleshooting the
tunnel.
d. When the CCP warning window indicates that CCP will enable router debugs and generate some tunnel
traffic, click Yes to continue.
e. On the next VPN Troubleshooting screen, the IP address of the host in the source network is displayed
by default (R3 FA0/1 = 172.16.3.1). Enter the IP address of host PC-B in the destination network field
(192.168.1.3) and click Continue to begin the debugging process.
f. If the debug is successful and the tunnel is up, you should see the screen below. If the testing fails, CCP
displays failure reasons and recommended actions. Click OK to remove the window.
g. You can save the report if desired; otherwise, click OK and then Close.
h. On R3, click Configure > Security > VPN > Site-to-Site VPN and select the Edit Site-to-Site VPN tab.
The tunnel Status should now be up.
Note: To reset the tunnel and test again, click Clear Connection on the Edit Site-to-Site VPN window.
i. You can further verify tunnel functionality by pinging from branch office PC-C to PC-B on the internal
network. The pings should be successful.
Note: Without the tunnel in place and bypassing NAT, it would be impossible for PC-C on the external
network to ping PC-B on the private internal network.

Step 11: Use ASDM monitoring to verify the tunnel.


a. On the ASDM menu bar, click Monitoring > VPN from the panels at the lower left of the screen. Click
VPN Statistics > Sessions. You should see the Site-to-Site IPsec VPN tunnel listed and active.

b. Click Encryption Statistics. You should see one or more sessions using the 3DES encryption algorithm.
c. Click Crypto Statistics. You should see values for the number of packets encrypted and decrypted,
security association (SA) requests, etc.
Reflection
1. What are some situations where a site-to-site IPsec VPN would be preferable as compared to a remote
access SSL VPN?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
2. What are some situations where a remote access VPN would be preferable as compared to site-to-site VPN?
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
_______________________________________________________________________________________
Router Interface Summary Table

Router Model  Ethernet Interface #1         Ethernet Interface #2         Serial Interface #1     Serial Interface #2
1800          Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
1900          Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2801          Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/1/0 (S0/1/0)   Serial 0/1/1 (S0/1/1)
2811          Fast Ethernet 0/0 (Fa0/0)     Fast Ethernet 0/1 (Fa0/1)     Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)
2900          Gigabit Ethernet 0/0 (G0/0)   Gigabit Ethernet 0/1 (G0/1)   Serial 0/0/0 (S0/0/0)   Serial 0/0/1 (S0/0/1)

Note: To find out how the router is configured, look at the interfaces to identify the type of router and how many
interfaces the router has. There is no way to effectively list all the combinations of configurations for each router
class. This table includes identifiers for the possible combinations of Ethernet and Serial interfaces in the device.
The table does not include any other type of interface, even though a specific router may contain one. An
example of this might be an ISDN BRI interface. The string in parentheses is the legal abbreviation that can be
used in Cisco IOS commands to represent the interface.
