Cisco ASA VPN/IPsec with BGP Tunnel

In this example we configure a site-to-site VPN/IPsec tunnel with BGP routing between a Cisco Adaptive Security Appliance (ASA) and a Cisco IOS router.

First we configure the Cisco ASA, then the remote IOS router.


Configuration on Cisco ASA:

The topology below shows the connectivity between the ASA firewall and the Cisco IOS router over the Internet (the diagram is not reproduced here). From the configuration that follows: the ASA has inside 10.0.6.1/24 and outside 100.100.100.2/24 with Internet next hop 100.100.100.1; the remote router has FastEthernet0/0 80.80.80.2/24 and LAN 10.0.5.0/24.


Step-1: Configure the inside and outside interfaces on Cisco ASA

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.2 255.255.255.0
!
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.6.1 255.255.255.0

Step-2: Phase 1 Configuration (ISAKMP / IKEv1)

crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
!
crypto ikev1 enable outside
!
tunnel-group 80.80.80.2 type ipsec-l2l
tunnel-group 80.80.80.2 ipsec-attributes
 ikev1 pre-shared-key *****

Note: 3DES, MD5 and Diffie-Hellman group 5 are legacy choices; where both ends support it, prefer AES-256, SHA-256 and DH group 14 (2048-bit) or higher, and IKEv2 instead of IKEv1. The pre-shared key (masked as ***** here) must be identical to the key configured on the router, and the router's ISAKMP policy must offer the same algorithm set.

Step-3: Phase 2 Configuration

The crypto map references access-list 110, which the original post does not show for the ASA. It is the mirror image of the router's access-list 110 and defines the only traffic that is encrypted (10.0.6.0/24 to 10.0.5.0/24); note that the ASA uses subnet masks here, not IOS wildcard masks:

access-list 110 extended permit ip 10.0.6.0 255.255.255.0 10.0.5.0 255.255.255.0
!
crypto ipsec ikev1 transform-set TEST esp-3des esp-md5-hmac
crypto map asamap 10 match address 110
crypto map asamap 10 set peer 80.80.80.2
crypto map asamap 10 set ikev1 transform-set TEST
!
crypto map asamap interface outside

Step-4: BGP configuration on ASA Firewall

router bgp 200
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 80.80.80.2 remote-as 100
  neighbor 80.80.80.2 ebgp-multihop 255
  neighbor 80.80.80.2 activate
  network 10.0.6.0 mask 255.255.255.0
  no auto-summary
  no synchronization
 exit-address-family
!
route outside 80.80.80.0 255.255.255.0 100.100.100.1

The eBGP session is built between the outside addresses 100.100.100.2 and 80.80.80.2. They are not on a common subnet, so ebgp-multihop is required (255 is the loosest possible TTL; use the real hop count if it is known), and the static route tells the ASA to reach the peer's network through 100.100.100.1. Two points to keep in mind: these peer addresses are not matched by the crypto access-list (10.0.6.0/24 to 10.0.5.0/24), so the BGP session itself crosses the Internet unencrypted, outside the IPsec tunnel; and no neighbor password is configured, so the session is not authenticated either. Only the 10.0.5.0/24 to 10.0.6.0/24 traffic that the exchanged routes point at is protected by IPsec.

Configuration on Cisco Router as Remote Router:

Step-1: Phase 1 Configuration

crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key 6 cisco123 address 100.100.100.2 255.255.255.0

The policy must match the ASA's ikev1 policy 100 (3DES, MD5, group 5, pre-shared key authentication; the same legacy-algorithm caveat applies), and the key must equal the ASA's pre-shared key. The 6 keyword marks a type-6 (AES-encrypted) key as it appears in a running configuration; the key is typed in clear text and IOS only stores it encrypted when password encryption aes and a master key are configured. Also note that the 255.255.255.0 mask accepts this key from any peer in 100.100.100.0/24; a host mask (255.255.255.255, the default when the mask is omitted) binds it to the ASA alone.


Step-2: Phase 2 Configuration

crypto ipsec transform-set TEST esp-3des esp-md5-hmac
!
crypto map iosmap 10 ipsec-isakmp
 set peer 100.100.100.2
 set transform-set TEST
 match address 110
!
access-list 110 permit ip 10.0.5.0 0.0.0.255 10.0.6.0 0.0.0.255
!
interface FastEthernet0/0
 ip address 80.80.80.2 255.255.255.0
 duplex half
 crypto map iosmap

Step-3: BGP configuration

router bgp 100
 bgp log-neighbor-changes
 neighbor 100.100.100.2 remote-as 200
 neighbor 100.100.100.2 ebgp-multihop 255
 !
 address-family ipv4
  no synchronization
  network 10.0.5.0 mask 255.255.255.0
  neighbor 100.100.100.2 activate
  no auto-summary
 exit-address-family
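The configuration above peers BGP between the outside addresses 100.100.100.2 and 80.80.80.2, which the crypto access-list (10.0.5.0/24 to 10.0.6.0/24) does not match, so the routing session travels in the clear and without authentication; it also negotiates 3DES, MD5 and DH group 5. What follows is an added, hardened alternative written for this page, not configuration from the original post: it replaces the crypto maps on both devices with IPsec virtual tunnel interfaces (VTI), negotiates IKEv2 with AES-256, SHA-256 and DH group 14, and peers BGP across the tunnel addresses with TCP MD5 authentication, so the BGP session itself is carried inside ESP. The tunnel addressing 169.254.1.0/30, the object names (AES256-SHA256, VTI-PROFILE, ASA-PROPOSAL, ASA-POLICY, ASA-KEYRING, ASA-PROFILE, Tunnel1), the ***** placeholders for the pre-shared and BGP keys, and the ASA version requirement (IKEv2 on a VTI needs ASA 9.8 or later) are assumptions; the Step-1 interface configuration and the underlay static route are reused unchanged.

```cisco
! ===== Cisco ASA (added example; replaces the ikev1 policy, transform-set and crypto map) =====
! Phase 1: IKEv2 with current algorithms instead of IKEv1 3DES/MD5/group 5
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Phase 2 proposal and the IPsec profile that the tunnel interface applies
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group14
!
! Peer authentication; both keys must match the router's keyring (***** is a placeholder)
tunnel-group 80.80.80.2 type ipsec-l2l
tunnel-group 80.80.80.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
! Route-based VPN: whatever is routed out Tunnel1 is encrypted, so no crypto ACL is needed
! (assumed tunnel addressing 169.254.1.0/30; IKEv2 on a VTI requires ASA 9.8 or later)
interface Tunnel1
 nameif vti
 ip address 169.254.1.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 80.80.80.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! BGP on the tunnel addresses: the session rides inside ESP and is MD5-authenticated;
! the peer is directly connected over the tunnel, so ebgp-multihop is no longer needed
router bgp 200
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor 169.254.1.2 remote-as 100
  neighbor 169.254.1.2 password *****
  neighbor 169.254.1.2 activate
  network 10.0.6.0 mask 255.255.255.0
 exit-address-family
!
! Underlay route to the peer's public address (unchanged from the original page)
route outside 80.80.80.0 255.255.255.0 100.100.100.1

! ===== Cisco IOS router (added example; replaces the isakmp policy and crypto map) =====
crypto ikev2 proposal ASA-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy ASA-POLICY
 proposal ASA-PROPOSAL
!
! Key bound to the ASA's host address only (255.255.255.255), not the whole /24
crypto ikev2 keyring ASA-KEYRING
 peer ASA
  address 100.100.100.2 255.255.255.255
  pre-shared-key *****
!
crypto ikev2 profile ASA-PROFILE
 match identity remote address 100.100.100.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASA-KEYRING
!
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set AES256-SHA256
 set pfs group14
 set ikev2-profile ASA-PROFILE
!
interface Tunnel1
 ip address 169.254.1.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 100.100.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 169.254.1.1 remote-as 200
 neighbor 169.254.1.1 password *****
 address-family ipv4
  network 10.0.5.0 mask 255.255.255.0
  neighbor 169.254.1.1 activate
 exit-address-family
```

With this design the crypto access-lists disappear: the routing table decides what enters the tunnel, and because the BGP neighbours are the tunnel addresses, a BGP session that comes up is also proof that the IPsec SA is up. Interface ACLs on the ASA's vti interface still apply to traffic arriving from the tunnel, so they should be written for the 10.0.5.0/24 to 10.0.6.0/24 flows as for any other interface.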

Verify:

BRANCH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
100.100.100.2   80.80.80.2      MM_NO_STATE          0      ACTIVE

ciscoasa# sh crypto ikev1 sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 80.80.80.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

BRANCH#sh ip bgp summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
100.100.100.2   4   200       5       4        3    0    0 00:00:47        1

ciscoasa# sh bgp summary
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
80.80.80.2      4   100       4       5        2    0    0 00:00:01        1

Reading the output: the ASA reports the IKEv1 SA as MM_ACTIVE, but the router shows it as MM_NO_STATE with conn-id 0, which on IOS means main mode has not completed (a fully established IKEv1 SA shows QM_IDLE). Confirm that the tunnel really carries traffic with show crypto ipsec sa and check that the encaps/decaps counters increase when a host in 10.0.5.0/24 talks to 10.0.6.0/24. Both BGP summaries show the neighbour established with one prefix received, but because the peers are the outside addresses 100.100.100.2 and 80.80.80.2, which the crypto access-list does not match, the BGP session comes up independently of the IPsec SA; an established BGP session is therefore not evidence that the tunnel is working.


