Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 69 General VPN Setup
Mapping Certificates to IPsec or SSL VPN Connection Profiles
Site-to-Site Connection Profiles
The Connection Profiles dialog box shows the attributes of the currently configured Site-to-Site
connection profiles (tunnel groups), lets you select the delimiter to use when parsing connection profile
names, and lets you add, modify, or delete connection profiles.
The security appliance supports IPsec LAN-to-LAN VPN connections for IPv4 or IPv6 using IKEv1 or
IKEv2 and supports both inside and outside networks using the inner and outer IP headers.
Fields
- Access Interfaces—Displays a table of device interfaces where you can enable access by a remote peer device on the interface:
  - Interface—The device interface to enable or disable access.
  - Allow IKEv1 Access—Check to enable IPsec IKEv1 access by a peer device.
  - Allow IKEv2 Access—Check to enable IPsec IKEv2 access by a peer device.
- Connection Profiles—Displays a table of connection profiles where you can add, edit, or delete profiles:
  - Add—Opens the Add IPsec Site-to-Site connection profile dialog box.
  - Edit—Opens the Edit IPsec Site-to-Site connection profile dialog box.
  - Delete—Removes the selected connection profile. There is no confirmation or undo.
  - Name—The name of the connection profile.
  - Interface—The interface the connection profile is enabled on.
  - Local Network—Specifies the IP address of the local network.
  - Remote Network—Specifies the IP address of the remote network.
  - IKEv1 Enabled—Shows IKEv1 enabled for the connection profile.
  - IKEv2 Enabled—Shows IKEv2 enabled for the connection profile.
  - Group Policy—Shows the default group policy of the connection profile.
Add/Edit Site-to-Site Connection
The Add or Edit IPsec Site-to-Site Connection dialog box lets you create or modify an IPsec Site-to-Site
connection. These dialog boxes let you specify the peer IP address (IPv4 or IPv6), specify a connection
name, select an interface, specify IKEv1 and IKEv2 peer and user authentication parameters, specify
protected networks, and specify encryption algorithms.
The ASA supports LAN-to-LAN VPN connections to Cisco or third-party peers when the two peers have
IPv4 inside and outside networks (IPv4 addresses on the inside and outside interfaces).
For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the
security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances,
and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).
Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series ASAs:
- The ASAs have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).
- The ASAs have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).
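The addressing rules above can be checked against a planned tunnel before the connection profile is created. The following Python sketch is an added example, not part of the Cisco guide or of ASDM; the function names and the sample addresses (documentation ranges) are constructed for illustration, and it assumes both tunnel endpoints use the same IP version on their outside interfaces.

```python
import ipaddress

def family(value):
    """Return 4 or 6 for an address or network string such as '10.1.0.0/16'."""
    return ipaddress.ip_network(value, strict=False).version

def check_l2l_topology(local_inside, local_outside,
                       remote_inside, remote_outside, both_peers_asa5500):
    """Apply the LAN-to-LAN support rules stated above.

    Returns (supported, reason). Hypothetical helper, not a Cisco API.
    """
    inside = {family(local_inside), family(remote_inside)}
    outside = {family(local_outside), family(remote_outside)}
    # Assumption of this example: both outside addresses share one IP version.
    if len(outside) != 1:
        return False, "outside addresses use different IP versions"
    # All-IPv4 case: Cisco or third-party peers are both acceptable.
    if inside == {4} and outside == {4}:
        return True, "all IPv4: Cisco or third-party peer"
    # Anything involving IPv6 requires ASA 5500 series on both ends...
    if not both_peers_asa5500:
        return False, "IPv6 or mixed addressing requires ASA 5500 on both ends"
    # ...and inside networks with matching schemes (both IPv4 or both IPv6).
    if len(inside) != 1:
        return False, "inside networks must both be IPv4 or both be IPv6"
    return True, "IPv%d inside over IPv%d outside between ASA 5500 peers" % (
        next(iter(inside)), next(iter(outside)))

# Constructed sample plans: (local inside, local outside,
#                            remote inside, remote outside, both ASA 5500?)
PLANS = {
    "third-party, all IPv4": ("10.1.0.0/16", "192.0.2.1",
                              "10.2.0.0/16", "198.51.100.1", False),
    "ASA pair, IPv4 over IPv6": ("10.1.0.0/16", "2001:db8:a::1",
                                 "10.2.0.0/16", "2001:db8:b::1", True),
    "third-party, IPv4 over IPv6": ("10.1.0.0/16", "2001:db8:a::1",
                                    "10.2.0.0/16", "2001:db8:b::1", False),
    "ASA pair, mismatched inside": ("2001:db8:1::/48", "192.0.2.1",
                                    "10.2.0.0/16", "198.51.100.1", True),
}

if __name__ == "__main__":
    for name, plan in PLANS.items():
        ok, reason = check_l2l_topology(*plan)
        print("%-30s %-12s %s" % (name, "supported" if ok else "unsupported", reason))
```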