New Member

No IP-in-IP on ASA

Hi all,

I have to replace a software firewall with a hw ASA firewall, but it seems that the original IP-in-IP tunnels can't be replaced by the ASA.

I have similar configuration as in:

http://etutorials.org/Networking/Integrated+cisco+and+unix+network+architectures/Chapter+11.+VPN+Technologies+Tunnel+Interfaces+and+Architectures/IP-IP+Tunnel/

But that last configuration seems to be for IOS only, not ASA. What can I do?

Thank you,

Marek

4 REPLIES
VIP Purple

You are right. This is nothing the ASA supports. There are two options that you have:

1) Replace the IP-in-IP tunnel with a pure IPsec config. But the ASA will still behave differently, as there is no tunnel interface as in IOS.

2) Terminate the IP-in-IP tunnel on an IOS-router or a software-firewall in a DMZ or the internal network (which fits better to your security-policy). The ASA can be configured to pass this traffic through.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

So that means, that:

ad 1) I would have to reconfigure the entire network to behave under IPsec?

ad 2) I would have to have one more device than I want to have, just to terminate the tunnel just before traffic enters the ASA?

Thanks

VIP Purple

Yes, that's what it means. Or the other way round: the ASA is not the right device for this job. An IOS router with the firewall feature would perhaps fit your needs better.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Super Bronze

Hi,

Cisco ASA doesn't really support any other kind of tunneling except IPsec L2L VPN. It can naturally also do, for example, IPsec Client VPN, SSL Client VPN and Clientless SSL VPN.

If your aim is to connect 2 remote networks, then you should use L2L VPN on the ASA.

I guess if you require some other type of tunneling you will need another device than a Cisco ASA firewall.

- Jouni
