UC500 and ASA 5505 Site-to-Site VPN

Answered Question
Jul 24th, 2009

Currently we have a client that has an ASA 5505 at a co-location and a PIX firewall in their office with a site-to-site VPN tunnel established between them.  They are looking to put in a UC500 in their office.


What needs to be done on the UC500 to re-establish the VPN tunnel?   Is it simply a matter of copying the config from the PIX device and copying it into the UC500 configs?

Correct Answer
Glenn Quesenberry Fri, 07/24/2009 - 15:30
User Badges:
  • Cisco Employee,

Hi Brandon,

     I assume you'll be removing the PIX and using the IOS FW features of the UC520 and establishing the VPN from the UC520 to the ASA5505?  A good source of reference in setting up site-to-site VPN can be found here within the "SBCS-MultiSite-appnote"; step 6 page 9.  It also includes references to other documentation you will find useful in this process.  Review this material and see if this gives you the details you're looking for.


Regards,


Glenn

brandon.kallas Fri, 08/21/2009 - 13:24

Thanks for that documentation, that will help out a lot I'm sure!


Here is my next question concerning this:


When the UC500 is in place at the office and is successfully connected to the ASA 5505 at the co-location, is it possible to use the Cisco VPN Client to remotely connect to the UC500 (at the office) in order to use a CIPC as well as connect via the site-to-site VPN to access data from the servers located at the co-location where the ASA 5505 is located?


Thanks!

Steven Smith Fri, 08/21/2009 - 13:28
User Badges:
  • Gold, 750 points or more

Are you asking if a user at home could connect with the VPN client?  The answer is yes.  That shouldn't be any problem.  If you are asking if a user at the ASA site wanted to use a VPN client to work with his CIPC, there would be no need for that.  You can have the UC500 to ASA rules to allow voice traffic as well.

brandon.kallas Fri, 08/21/2009 - 13:33

Right, I understand that part, but can a user from home connect to the UC500 with the VPN client to use their CIPC and also access data from the servers over the site-to-site tunnel?


Their co-location is owned by another company and they are just renting a cage for their servers, but the users want to be able to use their CIPC as well as access the data off their servers at the co-location.

Steven Smith Fri, 08/21/2009 - 13:38
User Badges:
  • Gold, 750 points or more

I believe this should work.  Easiest way to configure this is not to allow split tunneling on the EZVPN.

brandon.kallas Fri, 08/21/2009 - 13:56

Is there any way to find out if this is definitely possible?  Our client is looking to purchase a UC500 for their office mostly for this reason.


Thanks!

Correct Answer
JOHN NIKOLATOS Fri, 08/21/2009 - 19:44
User Badges:
  • Bronze, 100 points or more

Brandon,


Of course this will work...  I do it all the time...  that is just some extra access-list commands to allow the VPN client to talk to both subnets.


Keep in mind the UC500 doesn't have to replace the PIX (unless you want to).  The PIX and the UC500 can work together...


The UC500 will only support a minimal amount of IPSEC tunnels and the PIX will outperform it in that way...
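
As an added illustration of the access-list point in the answer above (not code from this thread or from Cisco), the Python check below verifies that the tunnel ACLs on both peers mirror each other and cover the VPN client pool. It assumes the extra entries belong in the site-to-site crypto ACLs; the subnets, pool and ACL names are constructed.

```python
import ipaddress

# Constructed samples: subnets, VPN client pool and ACL names are made up.
POOL, COLO = "192.168.20.0/24", "10.50.0.0/24"
UC500_BEFORE = ("ip access-list extended S2S-COLO\n"
                " permit ip 192.168.10.0 0.0.0.255 10.50.0.0 0.0.0.255\n")
UC500_AFTER = UC500_BEFORE + " permit ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.0.255\n"
ASA_BEFORE = ("access-list S2S-OFFICE extended permit ip "
              "10.50.0.0 255.255.255.0 192.168.10.0 255.255.255.0\n")
ASA_AFTER = ASA_BEFORE + ("access-list S2S-OFFICE extended permit ip "
                          "10.50.0.0 255.255.255.0 192.168.20.0 255.255.255.0\n")

def parse_permits(config, wildcard):
    """Return {(src_net, dst_net)} for each 'permit ip SRC MASK DST MASK' line.
    wildcard=True reads IOS inverse masks (UC500); False reads ASA netmasks."""
    pairs = set()
    for line in config.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit") + 2  # skip 'permit ip'
        nets = []
        for addr, mask in (tok[i:i + 2], tok[i + 2:i + 4]):
            m = int(ipaddress.IPv4Address(mask))
            if wildcard:
                m ^= 0xFFFFFFFF  # inverse mask -> netmask
            nets.append(ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(m)}"))
        pairs.add(tuple(nets))
    return pairs

def audit(uc500_acl, asa_acl, pool, colo):
    """List what stops VPN-client traffic from matching the site-to-site tunnel."""
    uc = parse_permits(uc500_acl, wildcard=True)
    asa = parse_permits(asa_acl, wildcard=False)
    pool, colo = ipaddress.ip_network(pool), ipaddress.ip_network(colo)
    findings = []
    if (pool, colo) not in uc:
        findings.append(f"UC500: no entry {pool} -> {colo}")
    findings += [f"ASA: no mirror entry {d} -> {s}"
                 for s, d in sorted(uc) if (d, s) not in asa]
    findings += [f"UC500: no mirror entry {d} -> {s}"
                 for s, d in sorted(asa) if (d, s) not in uc]
    return findings

if __name__ == "__main__":
    print(audit(UC500_BEFORE, ASA_BEFORE, POOL, COLO))
    print(audit(UC500_AFTER, ASA_AFTER, POOL, COLO))
```

An empty list means both peers agree on the protected traffic, including the client pool. The inverse-mask versus netmask difference between IOS and ASA is handled in `parse_permits`.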

Steven Smith Tue, 08/25/2009 - 14:47
User Badges:
  • Gold, 750 points or more

Yes, this will work without issue.
