04-17-2012 03:10 PM
Good Evening,
Please note the following question --> what is "triple redundant endpoints"?
Here is the scenario
- support company needs to VPN to specific LAN on my network
- provided the support company with 172.16.2.0/24
- support company says they cannot use that subnet because they are using the same subnet connection to another company
- (not sure why they can't use it since its a seperate VPN, but whatever)
- the entire 172.16.31.0 /24 is being used by my company
- so the support company states "create new L2L connection between the triple redundant endpoints and my FW"
- Can someone elaborate on the above or at least suggest another solution?
- Like what else could I do to provide VPN access for the support company to specific servers on my LAN that does not disrupt
my IP schema.
I would really appreciate any help with this.
Thank you
04-17-2012 04:26 PM
Hi,
I got to admit I have never even heard anyone use the term "triple redundant endpoints"
My first reaction was ->
I'd imagine it might be possible to configure more than 1 peer IP address for the L2L VPN connection. I have never really checked how it works
On to the topic,
Do you mean you have the local network 172.16.2.0/24 network the support company has to reach? If thats the case then the overlapping networks aint a problem. You can NAT the whole network to some other private address range /24 network before the traffic enters the new L2L VPN tunnel.
Also to even help you abit I would need to know:
- Jouni
04-18-2012 06:20 AM
answer --> ASA 5520
answer --> ver 8.3
answer --> DH Grp2, 3DES, SHA (phase 1 and 2) and PFS
Hope that answers your question. Thank you very much for your help with this and I am glad I am not the only one that has not heard of "triple redundant endpoints"
04-18-2012 09:50 AM
Hi,
Your ASA L2L VPN configuration might look something like this:
object network L2LVPN-LOCAL-LAN
subnet
object network L2LVPN-NAT-LAN
subnet
object network L2LVPN-DESTINATION
subnet
nat (inside,outside) source static L2LVPN-LOCAL-LAN L2LVPN-NAT-LAN destination static L2LVPN-DESTINATION L2LVPN-DESTINATION
access-list L2L-VPN-CONNECTION-TRAFFIC permit ip object L2LVPN-NAT-LAN object L2LVPN-DESTINATION
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map
crypto map
crypto map
crypto map
crypto map
crypto map
crypto ikev1 enable outside
group-policy L2LVPN-GROUP-POLICY internal
group-policy L2LVPN-GROUP-POLICY attributes
vpn-tunnel-protocol ikev1
tunnel-group
tunnel-group
default-group-policy L2LVPN-GROUP-POLICY
tunnel-group
ikev1 pre-shared-key
Might have forgotten something but should be about it. Just need to make sure the Phase1 and Phase2 parameters match
Also you need to make sure that the traffic from the remote network is allowed to the hosts you want them to access.
- Jouni
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: