I need to establish a VPN between two ASA-5505s at different sites. The ASAs will NOT be the default router for clients; instead, traffic is policy-routed by the main router at each site, such that specific traffic is diverted to the ASA. I want that traffic to go through a site-to-site VPN tunnel to the other ASA. Because there is no "inside" interface on the ASAs, can the ASAs be configured "on a stick" (or, as SonicWall calls it, in "single-arm" mode)? For example, if pc-1 pings pc-2, the traffic should go through the VPN. But if pc-1 pings anything else, either on the internet or on either of the two LANs, it shouldn't go through the VPN. I have the policy routing working correctly, but I can't get the ASAs to work in single-arm mode; packets are rejected because they're arriving on the outside interface, destined for an address also on the outside interface.
Thanks.
Net drawing:
 ------     -------              -------
 |pc-1|-----|     |              |     |
 ------     |sw-1 |--------------|rtr-1|----+
 -------    |     |              |     |    |
 |ASA-1|----|     |              -------    |
 -------    -------                         |
    .                                    ___|___
    .                                   {       }
    . vpn                               {internet}
    . tunnel                            {       }
    .                                    \_____/
    .                                       |
 -------    -------              -------    |
 |ASA-2|----|     |              |     |    |
 -------    |sw-2 |--------------|rtr-2|----+
 ------     |     |              |     |
 |pc-2|-----|     |              -------
 ------     -------
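As an added example (not from the original post), a minimal ASA-1 configuration for the single-arm setup described, using constructed addresses (site-1 LAN 10.1.0.0/24 with rtr-1 at .1, ASA-1 at .2 and pc-1 at .10; site 2 mirrored in 10.2.0.0/24; 203.0.113.2 standing in for rtr-2's public address) and ASA 9.x IKEv1 syntax. It assumes rtr-1 forwards IKE/NAT-T (UDP 500 and 4500) to ASA-1 and that rtr-2 does the same for ASA-2; ASA-2 gets the mirror image with the site-2 values.

```cisco
! ASA-1, single-arm: one VLAN interface on the site-1 LAN (constructed addresses)
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.0.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
! The diverted packets enter on "outside" and must leave on "outside" again.
! Without this line the ASA drops intra-interface (hairpin) traffic, which is
! the rejection described in the question.
same-security-traffic permit intra-interface
!
! Only the pc-1 <-> pc-2 flow is "interesting" traffic; everything else the
! router sends this way is forwarded in the clear, so keep the ACL narrow.
access-list VPN-ACL extended permit ip host 10.1.0.10 host 10.2.0.10
!
! Default route back to rtr-1. The route lookup for 10.2.0.10 selects the
! outside interface, where the crypto map matches VPN-ACL and encrypts it.
route outside 0.0.0.0 0.0.0.0 10.1.0.1 1
!
! No NAT rules are defined, so on 8.3+ the ASA does not translate the flow.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
!
! Peer = rtr-2's public address (placeholder). rtr-2 must forward UDP/500 and
! UDP/4500 to ASA-2 so NAT-T can carry the tunnel through both routers.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <replace-with-a-strong-psk>
```

After applying the mirror configuration on ASA-2, `show crypto ikev1 sa` and `show crypto ipsec sa` on either ASA confirm the tunnel comes up when pc-1 pings pc-2, while pings from pc-1 to other destinations should not increment the IPsec counters.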