Connecting an L3 Cisco switch behind an 871 using easyvpn

Answered Question
Sep 22nd, 2010

Hello,

It is our habit to use easyvpn on 871 routers in order to connect our remote sites to our ASA 5500 VPN concentrators.

It runs well, we define vlans on the 871 and connect L2 Cisco switches behind the VPN routers.

Problem is that we have now to connect L3 Cisco switches behind the VPN routers and so we're facing routing issues ...

No way to make it run for all the vlans defined on the L3 core switch!

I guess we have to use a specific configuration (IRB?).

Or do we have to use IPSEC L2L instead of the easyvpn ?

Thanks for your kind help.

Cordially

Patrick Letendart

Marcin Latosiewicz Wed, 09/22/2010 - 01:31

Patrick,

Lan-to-Lan landing on a dynamic crypto map on the ASA would be the easiest "L3" solution. Minimum reconfiguration on the ASA - the problem would be with the PSK being the same .... and no xauth.

Proper Lan-to-lan - depending on how many sites you have (and their config) might get your config much bigger.

IRB on the L3 switch would indeed be a possibility, but from there we basically defeat the purpose of L3 on an L3 switch ;-)

Depending on the switch vendor/capabilities, NAT might be an option there? (kind of dirty, but in theory it would allow you to initiate traffic both ways - unless you go for PAT).

(Not tested, and requiring a change of hardware on the headend) A DVTI solution on both ends of ezvpn - of course the ASA does not support it - it would have to be a router.

I think I covered the majority of things popping into my head on such short notice.

Marcin

roquette Wed, 09/22/2010 - 04:54

Hi Marcin

Thanks for your quick answer.

It seems to be beyond any doubt now: we have to test a LanToLan configuration.

I found the following link as a sample to implement an L2L between an ASA and a PIX, what do you think about it? A good one?

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

I really appreciate your help, thanks again

Patrick

Correct Answer
Marcin Latosiewicz Wed, 09/22/2010 - 06:11

Patrick,

It will definitely get you started.

You might want to google a bit more for this.

Someone posted this on the forums, but I think you might want to ask them:

https://supportforums.cisco.com/docs/DOC-3066;jsessionid=444194CDE250004E116705FF0ADAD955.node0

Hope this helps.

Marcin

edit: Many things depend on whether you're using NEM and if you plan on using it. If you stumble into any questions - post them here.

roquette Wed, 09/22/2010 - 06:52

Really many thanks.

I'm looking for the solution with the tips you gave me.

I'll summarize what we'll implement in order to complete this discussion.

bye, Patrick
