Transparent Firewall And Site-To-Site VPN

cmyip
Level 1

Hi! I had set up my Cisco ASA in transparent mode and now need to set up a site-to-site VPN to one of our partner sites.

I know that there is a limitation regarding transparent mode and VPN. I have checked most of the Cisco documents and all they say is "The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections."

The question is, what do they mean by "VPN tunnels for management connections only"? Does that mean we can still set up the tunnel at both sites for traffic to go through? What does "management connections only" mean?

Hope someone here has the answer before I start messing up the ASA!

Thanks.

10 Replies

It means that you can terminate the tunnel on the IP assigned to your transparent firewall, and the traffic (interesting traffic) that can go through the tunnel should be only to that IP (the IP address assigned under global configuration mode).

HTH

Vikram

First, thanks for answering my question.

If I get it correctly, this means I CAN do site-to-site VPN on a transparent mode ASA with ONLY one IP address (transparent mode only has one IP for its inside and outside interfaces, the global IP address).

All I need to do now is assign my outside interface for management mode and I can start the site-to-site VPN configuration.

Am I correct?

I am not quite sure if you need to configure the outside interface for management mode - will have to test it out.

After some testing and configuration, I found out that it is NOT possible to do site-to-site VPN in transparent firewall mode.

The ASA can terminate IPSec tunnels for management purposes only. That means you cannot establish an IPSec tunnel to pass traffic through the Cisco ASA.

Management purposes means traffic from management applications such as SNMP polls, HTTPS requests, ASDM access, Telnet access, SSH access, ping, syslog polls, and NTP requests, which are allowed on the global IP address only.

This is because you cannot specify any IP other than the global IP during the "interesting traffic" configuration phase.

Hope this info will help others who have the same situation as me.

Well, back to restructuring the whole ASA network infra again!

Thanks for sharing.

So did you configure the outside interface as the management interface for the tunneling to work?

You can't configure the outside interface as the management interface. You need to configure the inside interface.

But as I explained, in transparent mode you can't have IPSec traffic going to the tunnel for a particular IP inside the network since there is no NAT.

Hope that clears up the question.

Hi Vikram,

I tried to search for the configuration for terminating a VPN tunnel for a management connection. Can you please share the lines?
It would be a great help.
Thanks,

Nauman

Ali Haider
Level 1

Dear vikram_anumukonda,

Thanks for your reply above; I have the same issue. I want to terminate the tunnel on the ASA (8.2) management IP just for Telnet. I did the configuration of a normal site-to-site VPN with Router <--> ASA but it is not getting results.

Can you please share just the required configuration on ASA 8.2? That would indeed be a big help.

Regards,

Ali.....

Hi Ali,

The only change is that your interesting traffic ACL would have the IP address assigned to your management interface; the rest of the configuration will remain the same.

I replied to my inbox last week, only for the mail to bounce back.

HTH

Vikram
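To make the point in Vikram's reply concrete, here is an added ASA 8.2 transparent-mode site-to-site example (written for this page, not posted by anyone in the thread or taken from Cisco documentation). The crypto ACL matches only the ASA's own global IP, which is what restricts the tunnel to management traffic; all addresses, names and the pre-shared key are hypothetical placeholders, and the `management-access inside` line follows the thread's statement that the inside interface is the management interface.

```cisco
! Added example, not from the thread. Hypothetical values:
!   ASA global (management) IP: 192.0.2.10
!   Remote VPN peer:            198.51.100.1
!   Remote admin subnet:        10.10.0.0/24
firewall transparent
ip address 192.0.2.10 255.255.255.0
!
! Interesting traffic: ONLY the ASA's own global IP. Hosts behind the
! transparent ASA are deliberately not listed; the ASA will not
! terminate a tunnel for them (see the Cisco quote in the first post).
access-list VPN-MGMT extended permit ip host 192.0.2.10 10.10.0.0 255.255.255.0
!
! Phase 1 (ISAKMP) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec) bound to the management-only crypto ACL
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-MGMT
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Management plane reachable over the tunnel via the inside interface
! (per the thread). Limit admin access to the remote admin subnet only;
! the telnet command has the same form, but SSH is the safer choice.
management-access inside
ssh 10.10.0.0 255.255.255.0 inside
```

Any traffic that is not sourced from or destined to 192.0.2.10 simply will not match VPN-MGMT, so it is forwarded (or dropped by your interface ACLs) in the clear rather than being encrypted.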

Hi Vikram,

Please check your email.

regards,

Ali....
