Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)

Answered Question
Oct 13th, 2014

OK, so our primary firewall is a Checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site to site VPN through the Cisco ASA, as the Checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.

What would be the best practice for setting up the local network on my side? Create the network on the ASA and then use an L2 VLAN to connect to the core switch?

Set up an L3 interface on the core switch and point it towards the Checkpoint gateway, which would then point to the ASA?

When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?


Our network is set up like this: Access layer switch > Core 6500 switch > Checkpoint firewall > Internet

The ASA is connected to a Checkpoint sub-interface.

Any help would be beneficial as I'm new to Cisco ASAs.

Thanks

Mark

Correct Answer by Richard Burts about 2 years 10 months ago

Mark

If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use an L2 VLAN. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?

HTH

Rick
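As an added example (not posted by anyone in this thread), here is a minimal ASA 8.4+ LAN-to-LAN configuration that follows Rick's point: the inside interface that already carries VPN-user traffic to the core also serves as the local side of the site to site tunnel, and the "local network" you select in the wizard is the internal prefix behind the core, not just the ASA's own inside subnet. Every address, object name and the pre-shared key are constructed placeholders; it assumes the ASA's inside interface faces the core 6500 over the L2 VLAN Michael described, and that the Checkpoint passes UDP/500, UDP/4500 and ESP to the ASA's outside address.

```cisco
! Constructed example: all addresses and names are placeholders.
! inside = towards the core 6500 over the L2 VLAN; outside = towards the Checkpoint sub-interface
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.255.2 255.255.255.0
! Internal networks sit behind the core, so route them via the core SVI, not as a connected subnet
route inside 10.10.0.0 255.255.0.0 10.10.255.1
! "Local network" in the wizard = the internal prefix(es) behind the ASA
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 192.168.50.0 255.255.255.0
! Interesting traffic for the tunnel (what the wizard builds from local/remote networks)
access-list L2L_ACL extended permit ip object LOCAL_LAN object REMOTE_LAN
! NAT exemption so tunnelled traffic keeps real addresses; same twice-NAT pattern the VPN-user access usually relies on
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
! IKEv2 policy and IPsec proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Crypto map bound to the outside interface; the peer is the other company's ASA public address (placeholder)
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
! Tunnel group keyed on the peer address; replace the PSK placeholder with the agreed key
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRE-SHARED-KEY>
 ikev2 local-authentication pre-shared-key <PRE-SHARED-KEY>
```

The tunnel is negotiated when traffic matching L2L_ACL appears; `show crypto ikev2 sa` and `show crypto ipsec sa` confirm the IKE and IPsec SAs, and `packet-tracer input inside tcp 10.10.1.5 1025 192.168.50.10 443` shows whether the NAT exemption and crypto map pick up a given flow.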

michael o'nan Mon, 10/13/2014 - 18:43

The Checkpoint firewall should be able to have a LAN to LAN tunnel to any brand of firewall. I would set up the network on the ASA and have an L2 VLAN to your switch.

mmcfarland727 Tue, 10/14/2014 - 01:12

Thanks Michael for your response. The Checkpoint firewall cannot be used because it doesn't have the capability of sustaining a permanent tunnel.

