I'm trying to set up multiple site-to-site VPNs with an ASA 5510 at the main site and 5505s at the remotes. I'd like to use the 5505s behind the existing internet routers at the remote sites, typically Linksys or similar DSL routers.
At the main site there is a host with the private address 10.1.X.Y which I need to have bidirectional connectivity with PCs at each remote site. The remote sites all have private IPs of 172.16.A.X, 172.16.B.X, etc.
The 5510 has a public IP on the outside and the inside interface is in the same subnet as the 10.1.X.Y host that I need access to/from.
Assuming that I have a 5505 with a 10-user license, is it possible to locate the 5505 BEHIND a Linksys DSL router to allow 10 users on that private net to access the remote host over a tunnel?
What I was hoping I could do is configure 172.16.X.1 (the DSL router) as the default gateway, and have a static route on that router that points any traffic bound for 10.1.X.Y to 172.16.X.254 (the inside address of the ASA 5505), which would then get to the host over the point-to-point VPN.
Is this possible? Any and all help GREATLY appreciated.
Is it possible to locate the 5505 BEHIND a Linksys DSL router to allow 10 users on that private net to access the remote host over a tunnel?
Yes, that's possible. You first connect the DSL router to the internet, and behind this DSL router you connect the ASA firewall. On the ASA you have to configure a public IP address, so that you can set up the VPN tunnel between the ASA 5510 and ASA 5505.
ASA 5510 *==> internet ==> dsl router ==> ASA 5505
I don't have much knowledge about the licensing of the ASA, but this is the way I would do it.
I am wondering why you use the 5505 ASA at the remote branch? If all the traffic is tunneled to the 5510 ASA, why use 5505 ASAs? You can also buy a DSL router which can tunnel the traffic to the 5510 ASA. Filtering can then be done on the 5510 ASA.
We don't have a public IP, only what gets assigned to the DSL router via the ISP's DHCP, which is subject to change. The reason for using a 5505 is to provide a more stable platform than a cheap VPN router, which hasn't worked very well for us.
I have used the 1762 with an encryption module in a production environment and I have never had problems. Maybe you can try it with a 2600 router with an encryption module.
What you can do is configure the DSL router in bridge mode. In this way the ASA gets the IP address of the service provider. I am only not sure if you can configure the outside interface of the ASA as a DHCP client.
By the way, if you have to configure DHCP you have to use dynamic VPN, which is less secure than static VPN.
NAT-Traversal or NAT-T allows VPN traffic to pass through NAT or PAT devices, such as a Linksys SOHO router. If NAT-T is not enabled, VPN Client users often appear to connect to the PIX or ASA without a problem, but they are unable to access the internal network behind the security appliance.
Note: With IOS 12.2(13)T and later, NAT-T is enabled by default.
Here is the command to enable NAT-T on a Cisco Security Appliance. The 20 in this example is the keepalive time in seconds (the default).
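An added configuration example, not from any poster in this thread, showing the NAT-T setting together with the hub and spoke pieces the thread discusses (a 5505 behind a PAT'ing DSL router with an ISP-assigned address, talking to a 5510 with a fixed public IP). It assumes ASA 8.0-8.2 command syntax (pre-8.3 NAT); the public address 203.0.113.10, the DSL router LAN 192.168.1.0/24, the spoke LAN 172.16.1.0/24, the host 10.1.0.10 and the pre-shared key are all constructed placeholders standing in for the thread's 10.1.X.Y and 172.16.A.X values:

```cisco
! ===== Hub: ASA 5510 with a fixed public IP (ASA 8.0-8.2 syntax, constructed example) =====
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! NAT-T: needed because the 5505's outside address is private and PAT'ed by the DSL router.
! 20 is the keepalive interval in seconds (the default); it keeps the UDP/4500 mapping open.
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! The spokes' public addresses change with the ISP's DHCP, so the hub cannot name them as
! peers. A dynamic crypto map accepts tunnels initiated by any spoke that authenticates.
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
! Peers with unknown addresses are matched to DefaultL2LGroup, so one PSK covers all spokes.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-LONG-RANDOM-PSK
! NAT exemption: traffic between the host and the spoke LANs must not be translated before encryption.
access-list NONAT extended permit ip host 10.1.0.10 172.16.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! ===== Spoke: ASA 5505 behind the DSL router (ASA 8.0-8.2 syntax, constructed example) =====
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
! "dhcp setroute" takes the private address and default gateway the DSL router hands out;
! a static 192.168.1.x address would also work. The PCs sit behind Vlan1 (inside, 172.16.1.254).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: the spoke LAN to the single host at the main site, and nothing else.
access-list VPN-TO-HUB extended permit ip 172.16.1.0 255.255.255.0 host 10.1.0.10
crypto map SPOKE-MAP 10 match address VPN-TO-HUB
crypto map SPOKE-MAP 10 set peer 203.0.113.10
crypto map SPOKE-MAP 10 set transform-set ESP-AES256-SHA
crypto map SPOKE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-LONG-RANDOM-PSK
nat (inside) 0 access-list VPN-TO-HUB
```

Because the spoke always initiates, the DSL router needs no port forwards: its PAT table learns the UDP/500 and UDP/4500 mapping from the outbound IKE packets, and the keepalive keeps that entry from expiring, which is what the NAT-T answer above is getting at. In this layout the PCs use the 5505 (172.16.1.254) as their default gateway; the static route on the DSL router from the original question is only needed if the PCs keep the DSL router as their gateway. The trade-off the previous poster mentions is visible in the hub config: with a dynamic map the hub cannot tie a pre-shared key to a peer address, so the single DefaultL2LGroup key is shared by every spoke and should be long and random, and the hub should log and review which source addresses bring tunnels up (`show crypto isakmp sa`).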