
site-to-site vpn single-arm/on-a-stick

ippolito
Level 1

I need to establish a VPN between two ASA-5505s at different sites. The ASAs will NOT be the default router for clients; instead, traffic is policy-routed by the main router at each site, such that specific traffic is diverted to the ASA. I want that traffic to go through a site-to-site VPN tunnel to the other ASA. Because there is no "inside" interface on the ASAs, can the ASAs be configured "on a stick" (or, as SonicWall calls it, in "single-arm" mode)? For example, if pc-1 pings pc-2, the traffic should go through the VPN. But if pc-1 pings anything else, either on the internet or on either of the two LANs, it shouldn't go through the VPN. I have the policy routing working correctly, but I can't get the ASAs to work in single-arm mode; packets are rejected because they're arriving on the outside interface, destined for an address also on the outside interface.

Thanks.

Net drawing:

 ----      ------
|pc-1|---|      |
 ----    |      |  -------
         | sw-1 |--|rtr-1|
 -----   |      |  -------
|ASA-1|--|      |     |
 -----    ------      |
   .              ____|____
   .             {          }
   . vpn         {          }
   . tunnel      { internet }
   .             {          }
   .              \________/
   .                  |
 -----    ------      |
|ASA-2|--|      |     |
 -----   |      |  -------
         | sw-2 |--|rtr-2|
 ----    |      |  -------
|pc-2|---|      |
 ----      ------

1 Reply

ippolito
Level 1

Wow, my network diagram translated well from Notepad. Never mind about my question, I found the silver bullet command to allow traffic to go in and out the same interface:

same-security-traffic permit intra-interface
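A worked single-arm configuration for the topology in the question, added here as an example; it is not from the original post. The addresses (site 1 = 192.168.1.0/24 with rtr-1 at .1, ASA-1 at .2, pc-1 at .10; site 2 = 192.168.2.0/24 laid out the same way; rtr-1 public 203.0.113.1, rtr-2 public 198.51.100.1), the interface names, the pre-shared-key placeholder and the ASA 8.2-era command syntax (crypto isakmp / crypto ipsec transform-set, which changed in 8.4) are all assumptions. ASA-2 and rtr-2 are mirror images with the site-1 and site-2 values swapped. No NAT is configured on the ASA itself: it is not the LAN's default gateway, rtr-1 does the Internet NAT.

```cisco
! ===== ASA-1 (single-arm: one VLAN, one Ethernet port, security-level 0) =====
! Assumed addresses and names; ASA 8.2-style syntax.
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! The fix from the post: cleartext from pc-1 arrives on "outside" and the
! encrypted copy leaves on "outside"; decrypted traffic from ASA-2 arrives on
! "outside" and is delivered to pc-1 out of "outside". Without this line the
! ASA drops both hairpins.
same-security-traffic permit intra-interface
!
! Everything the ASA originates or forwards goes back to rtr-1 on the one interface
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Only accept cleartext for the one flow we tunnel; everything else the router
! might stray onto the ASA is dropped. Decrypted IPsec traffic bypasses this
! ACL because sysopt connection permit-vpn is on (explicit below).
access-list OUTSIDE-IN extended permit ip host 192.168.1.10 host 192.168.2.10
access-group OUTSIDE-IN in interface outside
sysopt connection permit-vpn
!
! Crypto ACL: must match the router's PBR ACL exactly, or traffic is diverted
! to the ASA but never encrypted (or encrypted but never diverted).
access-list VPN-TRAFFIC extended permit ip host 192.168.1.10 host 192.168.2.10
!
! Phase 1 (IKEv1). Both ASAs sit behind their site router's NAT, so NAT-T is
! required; IKE then rides on UDP 4500 and no ESP forwarding is needed.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
! The tunnel-group is named for the address the peer is seen from: rtr-2's
! public address, because ASA-2 is port-forwarded behind it.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
!
! Phase 2
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map SITE-MAP 10 match address VPN-TRAFFIC
crypto map SITE-MAP 10 set peer 198.51.100.1
crypto map SITE-MAP 10 set transform-set ESP-AES256-SHA
crypto map SITE-MAP interface outside

! ===== rtr-1 (IOS; assumed interface names, NAT overload already in place) =====
! Same pc-1 -> pc-2 match as the ASA's crypto ACL
ip access-list extended TO-SITE2
 permit ip host 192.168.1.10 host 192.168.2.10
!
route-map DIVERT-TO-ASA permit 10
 match ip address TO-SITE2
 set ip next-hop 192.168.1.2
!
interface GigabitEthernet0/0
 description LAN (sw-1)
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map DIVERT-TO-ASA
 ! Don't let the router teach pc-1 to send straight to the ASA; the ASA
 ! should only see what PBR hands it.
 no ip redirects
!
! Forward IKE and NAT-T from the Internet to ASA-1 so ASA-2 can reach it.
! GigabitEthernet0/1 is the assumed WAN interface holding 203.0.113.1.
ip nat inside source static udp 192.168.1.2 500 interface GigabitEthernet0/1 500
ip nat inside source static udp 192.168.1.2 4500 interface GigabitEthernet0/1 4500
```

Two things to check once it is in: the PBR ACL and the crypto ACL describe the same flow in both directions (asymmetry between them is the usual reason a single-arm tunnel "half works"), and the LAN-side path is asymmetric by design: ASA-2 delivers decrypted packets straight to pc-2 through sw-2, while pc-2's replies reach ASA-2 only because rtr-2 policy-routes them back. The ASA still sees both directions of every connection, so stateful inspection is unaffected, but any host on the LAN can reach the ASA's single address directly, which is why the OUTSIDE-IN ACL above admits nothing but the tunnelled flow. show crypto ipsec sa (encaps/decaps counters) on the ASA and show route-map on the router confirm that packets are both diverted and encrypted.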
