How to configure Site-to-Site VPN on Cisco ASA?


Add the ACLs needed for the NAT exemption, the encryption domain, and the group policy.

access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN

Group Policy

Create your group policy which will restrict traffic between hosts within your encryption domain.

group-policy Example_Policy internal
group-policy Example_Policy attributes
vpn-filter value Example_Policy_ACL


Add a NAT exemption (no-NAT) rule for traffic within the encryption domain.

nat (outside) 0 access-list Example_VPN_ACL

Tunnel Group

Create your tunnel group which will include your pre-shared key.

tunnel-group [Peer IP] type ipsec-l2l
tunnel-group [Peer IP] general-attributes
default-group-policy Example_Policy
tunnel-group [Peer IP] ipsec-attributes
pre-shared-key [pre-share key]

Phase 1

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption [?]
hash [?]
group [?]
lifetime [secs]

Phase 2

crypto ipsec transform-set [transform set name] esp-3des esp-sha-hmac
crypto map outside interface outside
crypto map outside 20 set transform-set [transform set name]
crypto map outside 20 match address Example_VPN_ACL
crypto map outside 20 set peer [Peer IP]
crypto map outside 20 set security-association lifetime seconds [secs]
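
The steps above only work when the pieces reference each other: every crypto map sequence needs a match address, a peer, and a transform set, and the peer's tunnel group must point at a group policy that carries the vpn-filter. The following Python check is an added example, not part of the original configuration or any Cisco tool. The peer address 203.0.113.10 and the transform set name Example_TS are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: 203.0.113.10 and Example_TS are placeholders, other names follow the page.
SAMPLE = """\
group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value Example_Policy_ACL
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy Example_Policy
crypto map outside 20 match address Example_VPN_ACL
crypto map outside 20 set peer 203.0.113.10
crypto map outside 20 set transform-set Example_TS
crypto map outside interface outside
"""
REQUIRED = {"match address", "set peer", "set transform-set"}
ENTRY = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")

def check_l2l(config):
    """Return findings for missing or unlinked pieces of an ASA L2L tunnel config."""
    entries = defaultdict(dict)            # (map name, seq) -> {keyword: value}
    l2l, policy_of, filtered = set(), {}, set()
    section, findings = None, []
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith(("crypto ", "tunnel-group ", "group-policy ")):
            section = None                 # a top-level command closes any sub-mode
        if m := ENTRY.match(line):
            entries[m[1], m[2]][m[3]] = m[4]
        elif re.match(r"crypto map \S+ (match|set) ", line):
            findings.append(f"no sequence number: {line}")
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            l2l.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) general-attributes$", line):
            section = ("tunnel", m[1])
        elif m := re.match(r"group-policy (\S+) attributes$", line):
            section = ("policy", m[1])
        elif section and section[0] == "tunnel" and line.startswith("default-group-policy "):
            policy_of[section[1]] = line.split()[1]
        elif section and section[0] == "policy" and line.startswith("vpn-filter value "):
            filtered.add(section[1])
    for (name, seq), kv in sorted(entries.items()):
        for kw in sorted(REQUIRED - kv.keys()):
            findings.append(f"crypto map {name} {seq}: missing '{kw}'")
        peer = kv.get("set peer")
        if peer and peer not in l2l:
            findings.append(f"peer {peer}: no ipsec-l2l tunnel-group")
        elif peer and policy_of.get(peer) not in filtered:
            findings.append(f"peer {peer}: group policy has no vpn-filter")
    return findings

if __name__ == "__main__":
    print(check_l2l(SAMPLE) or "all pieces present and linked")
```

Run it against a saved copy of the running configuration; an empty result means each tunnel has its crypto map entries, tunnel group, and filtered group policy in place.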