Cisco ASA: VPN configuration example

This page provides more detailed information for configuring a VPN in Skytap for use with a Cisco ASA endpoint on your external network. It contains the VPN configuration parameters to enter on the Skytap VPN page, as well as a sample configuration file you can use for your Cisco ASA device.

For general information, see Creating a VPN connection to your Skytap account.


Skytap VPN configuration

Parameters to enter on your Skytap VPN page:

| Parameter name | Value to enter |
|---|---|
| Name | Name for your Skytap VPN. Example: CorporateVPN |
| Remote Peer IP | [CUSTOMER VPN ENDPOINT] value from the sample configuration file below |
| Region | N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below). Example: US-West |
| Skytap peer IP | An available public IP address in your Skytap account. Select a public IP in the same region as the VMs you want to connect to. Example: 76.32.14.101. Enter this as the [SKYTAP VPN ENDPOINT] value in the sample configuration file below. |
| Skytap subnet | [SKYTAP VM IP RANGE] value from the sample configuration file below. This is the range of VM IP addresses in Skytap that sends and receives traffic through this VPN. It can't overlap with the included remote subnets defined below. You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet, but not for both. |
| Apply NAT for Connected Networks | YES |
| Topology | Route-based |
| Phase 1 encryption algorithm | aes 256 |
| Phase 1 hash algorithm | sha1 |
| Phase 1 pre-shared key | [SHARED SECRET KEY] value from the sample configuration file below |
| Phase 1 SA lifetime | 28800 |
| Phase 1 DH group | modp1536 (5) |
| Phase 2 encryption algorithm | aes 256 |
| Phase 2 authentication algorithm | hmac_sha1 |
| Phase 2 perfect forward secrecy (PFS) | ON |
| Phase 2 PFS group | modp1536 (5) |
| Phase 2 SA lifetime | 86400 |
| SA policy level | require |
| Specify maximum segment size | NO |
| Maximum segment size | N/A |
| Dead peer detection | ON |
| Included remote subnets | [INTERNAL ALLOWED IP RANGE] value from the sample configuration file below. These are the IP addresses and subnets on your external network that send and receive traffic through this VPN. Example: 10.1.15.0/24. You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet, but not for both. |
| Excluded remote subnets | Subset of IP addresses and subnets on the external network that should be excluded from using the VPN tunnel. This is used only to define exclusions for VPN traffic from larger included remote subnets. Example: 10.1.15.17/32 |

Sample Cisco ASA device configuration file

These are the parameters to enter in the Cisco ASA device configuration file. Replace the [VARIABLES] with the specific values from Skytap or from your corporate policy. The encryption, hash, DH group and lifetime values in the crypto ikev1 policy and the transform-set must match the Phase 1 and Phase 2 values entered on the Skytap VPN page, or the tunnel won't negotiate. If the ASA also translates addresses on the outside interface, add an identity NAT (NAT exemption) rule for traffic between [INTERNAL ALLOWED IP RANGE] and [SKYTAP VM IP RANGE] so that VPN traffic isn't translated before it is encrypted.

interface [INTERNAL INTERFACE]
 nameif [INSIDE INTERFACE NAME]
 security-level [SECURITY LEVEL VALUE]
 ip address [CUSTOMER INTERNAL NETWORK]
!
interface [EXTERNAL INTERFACE]
 nameif [OUTSIDE INTERFACE NAME]
 security-level [SECURITY LEVEL VALUE]
 ip address [CUSTOMER VPN ENDPOINT]
!
! Interesting traffic: your included remote subnets to the Skytap subnet
access-list [ACL NAME] extended permit ip [INTERNAL ALLOWED IP RANGE] [SKYTAP VM IP RANGE]
!
! Phase 2: must match the Skytap values (aes 256 / hmac_sha1, PFS group 5, lifetime 86400)
crypto ipsec ikev1 transform-set [TRANSFORM SET NAME] esp-aes-256 esp-sha-hmac
crypto map [CRYPTO MAP NAME] [MAP NUMBER] match address [ACL NAME]
crypto map [CRYPTO MAP NAME] [MAP NUMBER] set peer [SKYTAP VPN ENDPOINT]
crypto map [CRYPTO MAP NAME] [MAP NUMBER] set ikev1 transform-set [TRANSFORM SET NAME]
crypto map [CRYPTO MAP NAME] [MAP NUMBER] set pfs group5
crypto map [CRYPTO MAP NAME] [MAP NUMBER] set security-association lifetime seconds 86400
crypto map [CRYPTO MAP NAME] interface [OUTSIDE INTERFACE NAME]
!
! Phase 1: must match the Skytap values (aes 256 / sha1, DH group 5, lifetime 28800)
crypto ikev1 enable [OUTSIDE INTERFACE NAME]
crypto ikev1 policy [UNIQUE NUMBER]
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
!
tunnel-group [SKYTAP VPN ENDPOINT] type ipsec-l2l
tunnel-group [SKYTAP VPN ENDPOINT] ipsec-attributes
 ikev1 pre-shared-key [SHARED SECRET KEY]
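As an added example (not Skytap's code and not part of the configuration template above), the following Python checks the two things that most often go wrong when filling in the Skytap table and the ASA template: the subnet rules stated in the table, and whether an ASA crypto ikev1 policy block actually matches the Phase 1 values entered on the Skytap page. The keyword mapping tables and the sample configuration text are this example's own assumptions.

```python
import ipaddress

# Skytap VPN page values mapped to the Cisco ASA keywords they must match.
# Assumption (this example's own table, not Skytap's): only these values are known.
IKE_ENC = {"aes 256": "aes-256", "aes 192": "aes-192", "aes 128": "aes"}
IKE_HASH = {"sha1": "sha", "md5": "md5"}
DH_GROUP = {"modp1024 (2)": "2", "modp1536 (5)": "5", "modp2048 (14)": "14"}


def check_subnets(skytap_subnet, included, excluded=()):
    """Apply the subnet rules from the Skytap VPN table; returns a list of problems."""
    default = ipaddress.ip_network("0.0.0.0/0")
    local = ipaddress.ip_network(skytap_subnet, strict=False)
    remotes = [ipaddress.ip_network(r, strict=False) for r in included]
    problems = []
    if local == default and default in remotes:
        problems.append("0.0.0.0/0 used for both the Skytap subnet and a remote subnet")
    for r in remotes:  # a default route on one side is allowed; other overlaps are not
        if default not in (local, r) and local.overlaps(r):
            problems.append(f"Skytap subnet {local} overlaps included remote subnet {r}")
    for e in excluded:  # exclusions only carve holes out of larger included subnets
        x = ipaddress.ip_network(e, strict=False)
        if not any(x.subnet_of(r) for r in remotes):
            problems.append(f"excluded subnet {x} is not inside any included remote subnet")
    return problems


def ikev1_policy_mismatches(asa_config, p1_enc, p1_hash, p1_dh_group, p1_lifetime):
    """Read the first 'crypto ikev1 policy' block of an ASA config and compare it with the
    Phase 1 values entered on the Skytap page. Returns {keyword: (asa_value, expected)}."""
    expected = {"encryption": IKE_ENC[p1_enc], "hash": IKE_HASH[p1_hash],
                "group": DH_GROUP[p1_dh_group], "lifetime": str(p1_lifetime)}
    found, in_block = {}, False
    for line in asa_config.splitlines():
        s = line.strip()
        if s.startswith("crypto ikev1 policy "):
            in_block = True
            continue
        if in_block:
            kw, _, val = s.partition(" ")
            if kw not in expected and kw != "authentication":
                break  # end of the policy sub-commands
            found[kw] = val
    return {k: (found.get(k), v) for k, v in expected.items() if found.get(k) != v}


# Constructed sample: a Phase 1 block using AES-128 and DH group 2, which would not
# negotiate with the aes 256 / modp1536 (5) values entered on the Skytap side.
SAMPLE_ASA = ("crypto ikev1 policy 10\n authentication pre-share\n encryption aes\n"
              " hash sha\n group 2\n lifetime 28800\n")
```

Running ikev1_policy_mismatches(SAMPLE_ASA, "aes 256", "sha1", "modp1536 (5)", 28800) reports the encryption and group mismatches; an empty result means the ASA policy matches the Skytap table.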