Cisco ASA: VPN configuration example
This page provides more detailed information for configuring a VPN in Kyndryl Cloud Uplift for use with a Cisco ASA endpoint on your external network. It contains the VPN configuration parameters to enter on the Kyndryl Cloud Uplift VPN page, as well as a sample configuration file you can use for your Cisco ASA device.
For general information, see Creating a VPN connection to your Kyndryl Cloud Uplift account.
Contents
Kyndryl Cloud Uplift VPN configuration
Parameters to enter on your Kyndryl Cloud Uplift VPN page:
Parameter Name
Value to enter
Name
Name for your Kyndryl Cloud Uplift VPN
Example: CorporateVPN
Remote Peer IP
[CUSTOMER VPN ENDPOINT] value from the sample configuration file below
Region
N/A. This is automatically populated when you select a public IP address for the Kyndryl Cloud Uplift peer IP field (see below).
Example: US-West
Kyndryl Cloud Uplift peer IP
An available public IP address in your Kyndryl Cloud Uplift account. Select a public IP in the same region as the VMs you want to connect to.
Example: 76.32.14.101
Enter this as the [SKYTAP VPN ENDPOINT] value in the sample configuration file below.
Kyndryl Cloud Uplift subnet
[SKYTAP VM IP RANGE] value from the sample configuration file below.
This is the range of VM IP addresses in Kyndryl Cloud Uplift that sends and receives traffic through this VPN. This can’t overlap with the included remote subnets defined below.
You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can’t use 0.0.0.0/0 for both local and remote subnets.
Apply NAT for Connected Networks
YES
Topology
Route-based
Phase 1 Encryption Algorithm
aes 256
Phase 1 Hash Algorithm
sha1
Phase 1 pre-shared Key
[SHARED SECRET KEY] value from the sample configuration file below
Phase 1 SA lifetime
28800
Phase 1 DH group
modp1536 (5)
Phase 2 encryption algorithm
aes 256
Phase 2 authentication algorithm
hmac_sha1
Phase 2 perfect forward secrecy (PFS)
ON
Phase 2 PFS group
modp1536 (5)
Phase 2 SA lifetime
86400
SA policy level
require
Specify maximum segment size
NO
Maximum segment size
N/A
Dead peer detection
ON
Included remote subnets
[INTERNAL ALLOWED IP RANGE] value from the sample configuration file below.
These are the IP addresses and subnets on your external network that send and receive traffic through this VPN.
Example: 10.1.15.0/24
You can specify the default route (0.0.0.0/0) for either the remote subnet or the local subnet. You can’t use 0.0.0.0/0 for both local and remote subnets.
Excluded remote subnets
Subset of IP addresses and subnets on the external network that should be excluded from using the VPN tunnel.
This is used only to define exclusions for VPN traffic from larger included remote subnets.
Example: 10.1.15.17/32
Sample Cisco ASA device configuration file
These are the parameters to enter in the Cisco ASA device configuration file.
Replace [VARIABLES] with specific values from Kyndryl Cloud Uplift or your corporate policy
interface [INTERNAL INTERFACE]
nameif [INSIDE INTERFACE NAME]
security-level [SECURITY LEVEL VALUE]
ip address [CUSTOMER INTERNAL NETWORK]
!
interface [EXTERNAL INTERFACE]
nameif [OUTSIDE INTERFACE NAME]
security-level [SECURITY LEVEL VALUE]
ip address [CUSTOMER VPN ENDPOINT]
access-list [ACL NAME] extended permit ip [INTERNAL ALLOWED IP RANGE] [SKYTAP VM IP RANGE]
crypto ipsec ikev1 transform-set [TRANSFORM SET NAME] esp-aes esp-sha-hmac
crypto map [CRYPTO MAP NAME] [MAP NUMBER] match address [ACL NAME]
crypto map [CRYPTO MAP NAME] [MAP NUMBER] set peer [SKYTAP VPN ENDPOINT]
crypto map [CRYPTO MAP NAME] [MAP NUMBER] set ikev1 transform-set [TRANSFORM SET NAME]
crypto map [CRYPTO MAP NAME] interface [OUTSIDE INTERFACE NAME]
crypto ikev1 enable [OUTSIDE INTERFACE NAME]
crypto ikev1 policy [UNIQUE NUMBER]
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
tunnel-group [SKYTAP VPN ENDPOINT] type ipsec-l2l
tunnel-group [SKYTAP VPN ENDPOINT] ipsec-attributes
ikev1 pre-shared-key [SHARED SECRET KEY]
