NetNXT Logo

Creating the Tunnel in Cisco ASA 5505 via ASDM 6.4

November 7, 2025
2 min read
ByNetNXT

Purpose

This guide shows how to create a Site-to-Site IPSEC VPN Tunnel between networks using Cisco ASA 5505 with ASDM 6.4 Wizard.

Prerequisites

  • Cisco ASA 5505 device
  • ASDM 6.4 access with admin credentials
  • Peer Public IP Address
  • Local & Remote subnets to be tunneled
  • Pre-shared key (if using PSK based authentication)

Step-by-Step Instructions

Step 1 — Login into ASDM Console

Launch ASDM and login using your admin credentials.

Step 2 — Open S2S VPN Wizard

Go to Wizards → VPN Wizards → Site-to-site VPN Wizard

Step 3 — Confirm Site-to-Site VPN Type

This screen confirms you're initiating a site-to-site tunnel. Click Next.

Step 4 — Enter Peer Device Information

Enter:

  • Peer IP address (remote end public IP)
  • VPN interface (generally outside)

Click Next.

Step 5 — Select IKE Version

Select the IKE version you want to use.

You can select both if needed.

Click Next.

Step 6 — Define Local & Remote Networks

Enter Local subnet and Remote subnet values in CIDR format.

Example:

  • Local: 10.1.50.0/24
  • Remote: 10.1.100.0/24

Click Next.

Step 7 — Authentication Method

Use Pre-shared Key for lab environment.

Click Next.

Step 8 — Encryption Algorithms

Leave default encryption proposals as they are.

Click Next.

Step 9 — Miscellaneous

Enable: Exempt ASA side host / network from address translation (inside)

Click Next → Finish.

Expected Result / Validation

Tunnel should now be active.

Go to Monitoring → VPN to verify active sessions and check if the tunnel is UP.

FAQs

Q1. Should I select IKEv1 or IKEv2?

Most modern deployments prefer IKEv2. If compatibility with older peers is needed, enable both.

Q2. Where do I check if tunnel came up successfully?

Go to Monitoring → VPN in ASDM and see if the session is showing as active.

Q3. What should I do if remote peer is dynamic?

You can use FQDN instead of static IP, but ensure DNS resolution is working.

Q4. Do I need NAT exemption always?

Yes, on ASA side you need to exempt internal subnets from NAT before they can be tunneled.

Was this article helpful?