Question about Site-to-site VPN with two ASA 5505s

godinerik
Level 1

Hi,

I'm still what I would consider a newbie to ASAs. They're the first HW firewall I've worked with and have been using them for a few months successfully. Since I know absolutely nothing about VPNs, I figured I'd give the GUI a try.

First question: Step 1, it asks me on what interface the VPN tunnel will be. I suppose this should be the outside interface...

Step 5: it's asking me to define the local and remote networks that will take part in this tunnel. Is this supposed to be the un-translated IPs???

Thanks!

I'm currently at step 5 of 6 where it asks me to specify the local and remote networks which will be communicating. I do believe this is meant to be the internal IPs, not the external ones.

16 Replies

Actually I guess I'll answer myself on this one..

I tried assigning an extra (external) IP to each device and creating the tunnel between the two IPs. This was actually successful. I used the packet-tracer as follows:

packet-tracer input inside tcp 192.168.10.3 3945 AA.BB.CC.DD(EXTERNAL IP on remote device) 3389

The first time I did this, of course, it was denied by the ACL. This seems to be the usual behavior until the tunnel comes up. The second time I did this, the traffic passed through... The only disadvantage to this is, the new external IP won't be able to route internet traffic, I believe. Not sure why this is a requirement, maybe for security reasons? Still to be done:

RA VPN, and then routing the RA VPN through the tunnel... So, to complicate things, as mentioned before, the other side of the tunnel is not interested in adding any internal networks as "interesting traffic". They want everything to be external IPs. It seems like I'll have to map at least a couple of IPs (one for the actual server, one for the remote access VPN) to this new external IP.

Erick, good testing. Interesting traffic means the hosts or subnets at your end that will be part of the tunnel policy.

As for NATing the internal IP with a public one: yes, you can NAT as seen in your test. Simply create a static one-to-one NAT from the private to the public IP, then in your crypto ACL use the public IP instead of the private one. The host will not go through the tunnel for internet; it will use its public IP for regular internet traffic, separated from the L2L tunnel.

Say the public IP for host 192.168.1.10 on the GK side is 20.20.20.20, and the host from the other end (AC side) that will be part of the tunnel policy is 192.168.100.30.

static (inside,outside) 20.20.20.20 192.168.1.10 netmask 255.255.255.255

access-list outside_2_cryptomap extended permit ip host 20.20.20.20 host 192.168.100.30

access-list inside_nat0_outbound extended permit ip host 20.20.20.20 host 192.168.100.30

When 192.168.100.30 accesses 20.20.20.20, the ASA will translate it to the local host.

RA VPN is another topic.

Regards

Jorge Rodriguez
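A minimal pre-8.3 ASA configuration for the GK side that ties the static NAT and crypto ACL from the reply above into a complete IKEv1 L2L tunnel, as an added example that is not from the original thread. AA.BB.CC.DD stands for the remote ASA's outside address, the crypto map, transform-set and tunnel-group names are chosen here, and the pre-shared key is a placeholder; the AC side mirrors this with the two host addresses swapped.

```cisco
! Added example (not from the original post): GK-side L2L tunnel, pre-8.3 NAT syntax.
! Placeholders: AA.BB.CC.DD = remote ASA outside IP; outside_map and ESP-AES256-SHA are names chosen here.
!
! 1. Phase 1 (IKEv1) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! 2. Phase 2 transform set
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! 3. Present the inside host to the peer under its public address (same static as the reply above)
static (inside,outside) 20.20.20.20 192.168.1.10 netmask 255.255.255.255
!
! 4. Crypto ACL matches the translated (public) source, so only this host/peer pair is encrypted
access-list outside_2_cryptomap extended permit ip host 20.20.20.20 host 192.168.100.30
!
! No "nat 0" exemption is configured for this flow on purpose: exemption takes precedence over the
! static, and the host has to leave as 20.20.20.20 for the crypto ACL above to match it.
!
! 5. Crypto map bound to the outside interface
crypto map outside_map 10 match address outside_2_cryptomap
crypto map outside_map 10 set peer AA.BB.CC.DD
crypto map outside_map 10 set transform-set ESP-AES256-SHA
crypto map outside_map interface outside
!
! 6. Tunnel group keyed on the peer address; the PSK is a placeholder
tunnel-group AA.BB.CC.DD type ipsec-l2l
tunnel-group AA.BB.CC.DD ipsec-attributes
 pre-shared-key <replace-with-shared-secret>
!
! 7. Verification (exec mode). The first packet-tracer run only triggers the tunnel
!    negotiation, so expect the drop the original poster saw; re-run once the SA is up.
! packet-tracer input inside tcp 192.168.1.10 3945 192.168.100.30 3389
! show crypto isakmp sa
! show crypto ipsec sa peer AA.BB.CC.DD
```

In the `show crypto ipsec sa` output the local identity should appear as 20.20.20.20/255.255.255.255, which confirms the static is being applied before encryption.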