Configuring Site-to-Site VPN

This section describes the task of setting up a site-to-site VPN on a Cisco ASA 5540 firewall, running version 8.0 of the ASA software.
This section assumes a simple configuration of an ASA connected directly to a public IP network on the "outside" interface.  The internal network is and the far end's internal network is
config t
!!! This first section contains configuration that is generally only needed once on the system.
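! Set up the ISAKMP policy (this part may already be done on your system)
! 3des, md5 and group 2 are legacy choices; ASA 8.0 also accepts aes-256, sha and group 5 when the far end supports them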
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
! Enable ISAKMP on the outside interface
crypto isakmp enable outside
! Set up the IPsec transform set
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
!!! The next section is done for each different VPN tunnel
!Define the traffic that can traverse the VPN
access-list traffic_from_site_a_to_site_b permit ip
! Define the device at the remote end that is terminating the VPN
tunnel-group far_end_public_IP type ipsec-l2l
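! Set the pre-shared key for this peer (<shared_secret> is a placeholder; the ISAKMP policy above uses pre-share authentication)
tunnel-group far_end_public_IP ipsec-attributes
 pre-shared-key <shared_secret>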
! Add or create a crypto map for the outside interface
crypto map crypto-map-outside 2 set transform-set vpn-transform
crypto map crypto-map-outside 2 match address traffic_from_site_a_to_site_b 
crypto map crypto-map-outside 2 set peer far_end_public_IP
crypto map crypto-map-outside interface outside
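
The following Python script is an added example, not part of the original how-to or any Cisco tooling. It audits a configuration of the shape shown above for legacy algorithms and for crypto map entries that are missing a peer, transform set, match address or tunnel-group. The list of algorithms treated as weak, the sample entry 3 and its documentation address 198.51.100.7 are assumptions made for the example.

```python
import re
# Assumption: this example's own policy of what counts as legacy crypto.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_DH = {"1", "2"}
REQUIRED = ("match address", "set peer", "set transform-set")

def audit_asa_vpn(config):
    """Return findings for an ASA 8.0-style site-to-site VPN configuration."""
    findings, maps, tunnel_groups, policy = [], {}, set(), None
    for raw in config.splitlines():
        line, words = raw.strip(), raw.split()
        if not words or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m[1]
        elif raw.startswith(" ") and policy and len(words) == 2:
            key, val = words  # indented sub-command of the current ISAKMP policy
            if (key in ("encryption", "hash") and val in WEAK) or (key == "group" and val in WEAK_DH):
                findings.append(f"isakmp policy {policy}: weak {key} {val}")
        elif not raw.startswith(" "):
            policy = None  # a new top-level command ends the policy block
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                findings += [f"transform-set {m[1]}: weak {a}" for a in m[2].split() if a in WEAK]
            elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
                tunnel_groups.add(m[1])
            elif m := re.match(r"crypto map (\S+) (\d+) (%s) (\S+)" % "|".join(REQUIRED), line):
                maps.setdefault((m[1], m[2]), {})[m[3]] = m[4]
    for (name, seq), entry in maps.items():
        findings += [f"crypto map {name} {seq}: missing '{r}'" for r in REQUIRED if r not in entry]
        peer = entry.get("set peer")
        if peer and peer not in tunnel_groups:
            findings.append(f"crypto map {name} {seq}: no tunnel-group for peer {peer}")
    return findings

# Constructed sample: the page's names, plus an incomplete entry 3 (documentation IP).
SAMPLE = """\
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
tunnel-group far_end_public_IP type ipsec-l2l
crypto map crypto-map-outside 2 set transform-set vpn-transform
crypto map crypto-map-outside 2 match address traffic_from_site_a_to_site_b
crypto map crypto-map-outside 2 set peer far_end_public_IP
crypto map crypto-map-outside 3 set peer 198.51.100.7
"""
if __name__ == "__main__":
    print("\n".join(audit_asa_vpn(SAMPLE)))
```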