Transparent Firewall And Site-To-Site VPN

Unanswered Question
Mar 19th, 2009

Hi! Had setup my Cisco ASA with transparent mode and now need to setup a site-to-site VPN to one of our partner site.

I know that there is a limitation regarding this transparent mode and VPN. Had check out most of the cisco documents and all it said is "The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections."

The question is, what do they mean by "VPN tunnels for management connections only" ? Is that mean we can still setup the tunnel for both site for traffic to go through ? What did it mean by "management connections only" ?

Hope someone here have the answer before i start messing up with the ASA !


vikram_anumukonda Thu, 03/19/2009 - 02:49

It means that you can terminate the tunnel on the IP assigned to your transparent firewall, and the traffic (interesting traffic) that can go through the tunnel should be only to that IP (the IP address assigned under global configuration mode).



cmyip Thu, 03/19/2009 - 03:25

First, thanks for answering my question.

If I get it correctly, this means I CAN do site-to-site VPN on a transparent-mode ASA with ONLY one IP address (transparent mode only has one IP for its inside and outside interfaces, the global IP address).

All I need to do now is to assign my outside interface for management mode, and I can start the site-to-site VPN configuration.

Am I correct?

vikram_anumukonda Thu, 03/19/2009 - 04:01

I am not quite sure if you need to configure the outside interface for management mode; I will have to test it out.

cmyip Fri, 03/20/2009 - 02:46

After some testing and configuration, I found out that it is NOT possible to do site-to-site VPN in transparent firewall mode.

The ASA can terminate IPsec tunnels for management purposes only. That means you cannot establish an IPsec tunnel to pass traffic through the Cisco ASA.

Management purposes means traffic from management applications such as SNMP polls, HTTPS requests, ASDM access, Telnet access, SSH access, ping, syslog, and NTP requests, which are allowed on the global IP address only.

This is because you cannot specify any IP other than the global IP during the "interesting traffic" configuration phase.

Hope this info will help others who have the same situation as me.

Well, back to restructuring the whole ASA network infra again!

vikram_anumukonda Fri, 03/20/2009 - 02:51

Thanks for sharing.

So did you configure the outside interface as the management interface for the tunneling to work?

cmyip Tue, 03/24/2009 - 20:14

You can't configure the outside interface as the management interface. You need to configure the inside interface.

But as I explained, in transparent mode you can't have IPsec traffic going into the tunnel for a particular IP inside the network, since there is no NAT.

Hope that clears up the question.

Nauman Rahim Sun, 03/31/2013 - 15:26

Hi Vikram,

I tried to search for the configuration for terminating a VPN tunnel for management connections. Can you please share the lines?
It would be a great help.


Ali Haider Mon, 04/01/2013 - 04:13

Dear vikram_anumukonda,

Thanks for your above reply; I have the same issue. I want to terminate the tunnel with the ASA (8.2) management IP just for Telnet. I did the configuration of a normal site-to-site VPN with Router <--> ASA, but it is not getting results.

Can you please share just the required configuration on ASA 8.2? That would indeed be a big help.



Vikram_Anumukonda_2 Wed, 04/03/2013 - 02:59
Hi Ali,

The only change is that your interesting-traffic ACL would have the IP address assigned to your management interface; the rest of the configuration will remain the same.

I replied from my inbox last week, only for the mail to bounce back.
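For readers asking for the actual lines: the following is an added example of what the thread describes, not configuration posted by any participant. It is ASA 8.2 syntax for a transparent-mode ASA terminating an IPsec LAN-to-LAN tunnel whose only local endpoint is the ASA's own global management IP. The addresses (192.0.2.10 for the ASA, 198.51.100.1 for the peer router, 203.0.113.50 for the remote management host), the ACL, transform-set, map and tunnel-group names, and the pre-shared key placeholder are all assumptions chosen for illustration.

```text
! Added example, ASA 8.2 in transparent firewall mode (not from the original thread).
! Assumed addressing (RFC 5737 documentation ranges):
!   ASA global management IP (set in global config, not under an interface): 192.0.2.10/24
!   Remote IPsec peer (router):                                             198.51.100.1
!   Remote management host allowed to reach the ASA over the tunnel:        203.0.113.50
!
! 1. Global management address and default route
ip address 192.0.2.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! 2. Interesting traffic: the local side can only be the ASA's own IP.
!    Any other local host here would never match, because a transparent-mode
!    ASA does not terminate tunnels for through-traffic.
access-list VPN-MGMT extended permit ip host 192.0.2.10 host 203.0.113.50
!
! 3. Permit only the management protocols you actually use, from the remote host,
!    and make the inside interface reachable over the VPN (management-access).
ssh 203.0.113.50 255.255.255.255 inside
http 203.0.113.50 255.255.255.255 inside
icmp permit host 203.0.113.50 inside
management-access inside
!
! 4. Phase 1 (ISAKMP). Group 5 is the strongest DH group offered by 8.2;
!    on a current release you would prefer a larger group and SHA-2.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! 5. Phase 2 (IPsec) and the crypto map bound to the outside interface
crypto ipsec transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map VPN-MAP 10 match address VPN-MGMT
crypto map VPN-MAP 10 set peer 198.51.100.1
crypto map VPN-MAP 10 set transform-set TS-AES256-SHA
crypto map VPN-MAP interface outside
!
! 6. LAN-to-LAN tunnel group keyed by the peer address
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <replace-with-a-long-random-psk>
```

The peer router needs the mirror image: its interesting-traffic ACL is `host 203.0.113.50` to `host 192.0.2.10`, with matching ISAKMP policy and transform set. Bring the tunnel up by sourcing traffic from the remote host (for example an SSH connection to 192.0.2.10) and confirm with `show crypto isakmp sa` and `show crypto ipsec sa` on the ASA; a tunnel that negotiates but shows no decrypted packets usually means the proxy identities (the ACLs) do not mirror each other.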



