Cisco Support Community

New Member

Configuring Site-to-Site VPN

I need to configure a Site-to-Site VPN (PSK) between two offices. Both offices have an ASA 5505 firewall. The Office 2 ASA is going to be behind a NAT router (ISP) and it's not possible to turn NAT off. There is still a static IP address. Office 1 has a static public IP address and this IP is configured directly on the ASA.

Can someone help me a bit? I'm very unfamiliar with ASA. From my understanding, the NAT won't be a problem when the VPN connection is started from the device that sits behind the NAT router?

3 REPLIES
VIP Purple

Re: Configuring Site-to-Site VPN

You are right, if the ASA behind the NAT initiates the VPN, then the NAT device doesn't need any forwarding configured. The ASA just needs to be able to connect to the internet. On both ASAs NAT-Traversal needs to be enabled, but that's the default.

You can use the VPN Wizard in ASDM to configure the VPN. On the ASA with the public IP (without NAT) just use the other side's public IP of the NAT device as the peer address. With that the VPN should work.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


New Member

Configuring Site-to-Site VPN

Thank you karsten! That was helpful. I don't like wizards so I will try to configure VPN manually with CLI.

VIP Purple

Configuring Site-to-Site VPN

CLI is even better! Take a look at the following example and the L2L-section in the config-guide:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

v8.2: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/site2sit.html

v8.4: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

