Hi! I had set up my Cisco ASA in transparent mode and now need to set up a site-to-site VPN to one of our partner sites.
I know that there is a limitation regarding transparent mode and VPN. I have checked most of the Cisco documents and all they say is "The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections."
The question is, what do they mean by "VPN tunnels for management connections only"? Does that mean we can still set up the tunnel at both sites for traffic to go through? What is meant by "management connections only"?
Hope someone here has the answer before I start messing up the ASA!
It means that you can terminate the tunnel on the IP assigned to your transparent firewall, and the traffic (interesting traffic) that can go through the tunnel should only be to that IP (the IP address assigned under global configuration mode).
First, thanks for answering my question.
If I get it correctly, this means I CAN do a site-to-site VPN on a transparent mode ASA with ONLY one IP address (transparent mode only has one IP for its inside and outside interfaces, the global IP address).
All I need to do now is to assign my outside interface for management mode and I can start configuring the site-to-site VPN.
Am I correct?
I am not quite sure if you need to configure the outside interface for management mode - I will have to test it out.
After some testing and configuration, I found out that it is NOT possible to do site-to-site VPN in transparent firewall mode.
The ASA can terminate IPsec tunnels for management purposes only. That means you cannot establish an IPsec tunnel to pass traffic through the Cisco ASA.
Management purposes means traffic like management applications such as SNMP polls, HTTPS requests, ASDM access, Telnet access, SSH access, ping, syslog polls, and NTP requests, which are allowed on the global IP address only.
This is because you cannot specify any IP other than the global IP during the "interesting traffic" configuration phase.
Hope this info will help others who have the same situation as me.
Well, back to restructuring the whole ASA network infra again!
You can't configure the outside interface as the management interface. You need to configure the inside interface.
But as I had explained, in transparent mode you can't have IPsec traffic going into the tunnel for a particular IP inside the network since there is no NAT.
Hope that clears up the question.
I tried to search for the configuration for terminating a VPN tunnel for management connections. Can you please share the lines?
It would be a great help.
Thanks for your above reply, I have the same issue. I want to terminate the tunnel with the ASA (8.2) management IP just for Telnet. I did the configuration of a normal site-to-site VPN with Router <--> ASA but it is not getting results.
Can you please share just the required configurations on ASA 8.2? That would indeed be a big help.
I replied to my inbox last week only for the mail to bounce back.
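As an added illustration of the management-only tunnel discussed in this thread (this is not configuration posted by any participant, and it has not been verified on a transparent-mode unit), here is the shape such a tunnel takes in ASA 8.2 syntax: the crypto ACL matches only the firewall's own global IP, so nothing behind the ASA is ever "interesting traffic". All addresses, names and the pre-shared key are placeholders.

```text
! Transparent mode: the single global IP is set in global configuration, not per interface
ip address 192.0.2.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1

! Interesting traffic = only the ASA's own global IP <-> the partner's management host.
! A host behind the ASA (e.g. 192.0.2.20) cannot be listed here; the tunnel would not carry it.
access-list VPN-MGMT extended permit ip host 192.0.2.10 host 203.0.113.50

! Phase 1 (ISAKMP/IKEv1) on the outside interface
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Phase 2 and the crypto map bound to the outside interface
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-MGMT
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! Peer definition (LAN-to-LAN); replace the key with a real secret
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK

! Management services permitted only from the partner host arriving through the tunnel
ssh 203.0.113.50 255.255.255.255 outside
http 203.0.113.50 255.255.255.255 outside
```

The partner side needs a mirrored crypto ACL (its management host <-> 192.0.2.10) for the selectors to match; any attempt to widen either ACL to networks behind the ASA is exactly the non-management traffic the thread says a transparent-mode ASA will not terminate.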