Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

how to configure a vpn tunnel in this situation?

For the ASA 5510, the inside nic IP address is 192.168.1.1 and the outside nic is connected to a public ip address.

Through a router that is connected to 192.168.1.0 network, we created a subnet of 192.168.2.0 network and

that all computers behind the 192.168.2.0 network can access the ASA 5510 to the Internet.

Now I connected a Cisco ASA 5505 to the 192.168.2.0 network with outside address of 192.168.2.1 and inside

address of 192.168.3.1.  How do I create a VPN tunnel between 192.168.3.1 and 192.168.1.1?

Your help is greatly appreciated!  please show the commands to configure it on both ASAs.  Thanks again!

12 REPLIES

Re: how to configure a vpn tunnel in this situation?

Hi,

David is not very clear to me how you have the connection because the 192.168.2.0 goes out through the 5510 but it's also connected to the 5505 and you want a tunnel between both ASAs?

Could you please post a simple drawing to understand it better?


Federico.

New Member

Re: how to configure a vpn tunnel in this situation?

Hi Fererico, thanks for replying.

Here is the simple diagram.  Hope you understand.

I want to create an IPSec VPN tunnel between the

two 192.168.3.1 and 192.168.1.1. Thanks.

Re: how to configure a vpn tunnel in this situation?

David,

You want to establish the IPsec tunnel between IPs 192.168.2.1 and 192.168.1.1?

This will build a tunnel between the inside interface of the 5510 and the outside interface of the 5505.

Which traffic do you want to send through the tunnel? Meaning which subnets?

Federico.

New Member

Re: how to configure a vpn tunnel in this situation?

yes, I want to create an IPSec VPN tunnel between 192.168.2.1 and 192.168.1.1

Is it possible?

Re: how to configure a vpn tunnel in this situation?

Yes it's possible it's just not a normal situation.

We can help you out with the commands, just let us know which traffic is that you want to encrypt and send through this tunnel.

Federico.

New Member

Re: how to configure a vpn tunnel in this situation?

Frederico, Thanks for replying.

I want the traffic to be encrypted on the ASA 5505 side, for the 192.168.3.0 network.

Yes, it is an unusual situation and challeging too.

Thanks again.

David

Re: how to configure a vpn tunnel in this situation?

David,

When you want to set up an IPsec tunnel is because you want to encrypt the communication between two devices.

In this case both ASAs.

So... we are clear that you want to encrypt the 192.168.3.0/24 on the 5505 side.

But... which network do you want to encrypt on the 5510 side?

Federico.

New Member

Re: how to configure a vpn tunnel in this situation?

Federico,

Can it be encrypted between 192.168.3.0 and 192.168.1.0?

192.168.1.0 is on the ASA 5510 side.

Thanks,

David

Re: how to configure a vpn tunnel in this situation?

David the problem is this...

192.168.3.0 --- ASA 5505 --- router --- router --- 192.168.1.0 --- ASA 5510 --- outside/Internet

If configuring a VPN tunnel between both ASAs it will be to communicate the 192.168.3.0 with the outside/Internet of the 5510.

If you want to send the 192.168.1.0 through the tunnel, I guess you can do that if you redirect the 192.168.1.0 to the ASA when going to 192.168.3.0 forcing this traffic to be encrypted.

There's no problem with the 192.168.3.0 and with the ASA 5505

The problem is with the 5510 because you want to encrypt the network that is connected to the interface where the tunnel is going to be established.

Is the 5510 the default gateway for the 192.168.1.0 network?

Federico.

New Member

Re: how to configure a vpn tunnel in this situation?

Federico,

Two gateways are co-existing for the 192.168.1.0 network, 192.168.1.1 for the ASA 5510 and

192.168.1.254 for the Adtran router.  Computers in the 192.168.1.0 network can use either gateways

to access the Internet.

As for the 192.168.2.0 network, computers in this network use 192.168.2.254 as the gateway address

to access the Internet.  If a computer in this network wants to connect a computer in the 192.168.1.0

network, a persistent route for the gateway of 192.168.1.254 need to be added to the route table of the

192.168.1.0 network computer.   for example:

    Network Address          Netmask            Gateway Address  Metric
    192.168.2.0                  255.255.255.0    192.168.1.254       1

Thanks,

David

New Member

Re: how to configure a vpn tunnel in this situation?

Federico,

I want to thank you for your input.

I conclude that it's not a good idea to create an IPsec VPN tunnel

within the same network.

I have one more question.  Can we create a vpn tunnel without

data encryption?  Sound like to defeat the purpose of VPN.

Thanks,

David 

Re: how to configure a vpn tunnel in this situation?

David,

You can create a VPN without encryption.

For example...

If you use IPsec as the protocol for VPN, then the traffic will be encrypted (however you can disable ESP on the transform-set for phase 2 and the traffic will not be encrypted then).

You can use other VPN protocols like GRE for example which will not encrypt the traffic (will only encapsulate).

The ASA will only support IPsec and not GRE however.

Federico.

608
Views
8
Helpful
12
Replies