Configuring Site-to-Site VPN Between Cisco ASA and USG Pro

Configuring a Site-to-Site VPN between a Cisco ASA firewall and a Ubiquiti USG Pro (Unified Security Gateway) involves several steps. This guide assumes that you have basic knowledge of both devices and have administrative access to both the Cisco ASA and USG Pro interfaces. Make sure to replace placeholders with your specific network details.

Here are the general steps to configure the VPN:

Cisco ASA Configuration:

1. Log in to the Cisco ASA’s web interface or connect to it using SSH or Telnet.
2. Navigate to Configuration mode using the following commands:
   enable
configure terminal

3. Define the ISAKMP (Internet Security Association and Key Management Protocol) policy. This is the phase 1 configuration:
   crypto isakmp policy 10
encr aes
authentication pre-share
group 2
hash sha
lifetime 86400


   Customize the encryption, authentication, group, hash, and lifetime settings according to your security requirements.

4. Create the pre-shared key for authentication:
   crypto isakmp key YOUR_SHARED_SECRET address USG_PRO_PUBLIC_IP


   Replace YOUR_SHARED_SECRET with a strong shared secret key and USG_PRO_PUBLIC_IP with the public IP address of the USG Pro.

5. Define the transform-set for phase 2 (IPsec) configuration:
   crypto ipsec transform-set MY_TRANSFORM_SET esp-aes esp-sha-hmac


   Customize the encryption and authentication algorithms as needed.

6. Create a crypto map:
   crypto map MY_CRYPTO_MAP 10 match address VPN_ACL
crypto map MY_CRYPTO_MAP 10 set peer USG_PRO_PUBLIC_IP
crypto map MY_CRYPTO_MAP 10 set transform-set MY_TRANSFORM_SET


   Replace VPN_ACL with an access control list specifying the traffic to be encrypted, and USG_PRO_PUBLIC_IP with the public IP address of the USG Pro.

7. Apply the crypto map to the outside interface:
   interface outside
crypto map MY_CRYPTO_MAP

8. Save your configuration:
   write memory


Ubiquiti USG Pro Configuration:

1. Log in to the USG Pro’s web interface.
2. Navigate to the “Settings” and then “Networks” section.
3. Create a new network for the remote ASA site:
   • Click “Create New Network.”
   • Set the name and subnet according to your network design.
   • Set the purpose to “Remote Subnet.”
4. Navigate to the “Settings” and then “VPN” section.
5. Create a new Site-to-Site VPN configuration:
   • Click “Create New VPN.”
   • Choose “Site-to-Site VPN.”
   • Enter the remote ASA’s public IP address and the pre-shared key.
6. Under “Local Subnets” and “Remote Subnets,” select the appropriate network objects created earlier.
7. Save the configuration.
8. Under “Site-to-Site VPN,” click “Connect” to establish the VPN tunnel.

This should configure a site-to-site VPN between your Cisco ASA and Ubiquiti USG Pro. Ensure that your firewall rules and routing are appropriately configured to allow traffic through the VPN tunnel. Test the connectivity and monitor the VPN status to ensure it’s functioning as expected.