ASA IPSEC VPN Design Question; ARP Between ASA

Unanswered Question
Sep 15th, 2008
User Badges:

I"ve a requirement to put two ASA between two sites. The second site has hosts within the same network as the first site (conflict of fundamental routing principles). Can you put an ASA inline between the router and distribution switch at each site, setup an IPSEC VPN and not have issue? I thought we could have the distro switch terminate in the DMZ interface setup as a layer 2 interface in a vlan with a vlan int in the same network as the vlan int on the ASA DMZ interface on the ASA at the other site. Will this work? I guess the biggest concern is how to get layer 2 (arp) to work so hosts/servers can find each other between buildings and not get dropped on a layer 3 interface that doesn't see the distant network on a different egress interface.



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


AFAIK - what you are describing is layer 2 tunneling, providing layer 2 networks from two speperate locations.

The only way I am aware of how to provide this - does NOT invlove ASA's or VPN's suing layer 3. You could do this over MPLS or a transparent layer 2 pt-pt circuit.

Perhaps another netpro has done this or knows how - I did hear of someone bridging thru a GRE tunnel, not sure if that is a viable option or actually works.



This Discussion