For the ASA 5510, the inside nic IP address is 192.168.1.1 and the outside nic is connected to a public ip address.
Through a router that is connected to 192.168.1.0 network, we created a subnet of 192.168.2.0 network and
that all computers behind the 192.168.2.0 network can access the ASA 5510 to the Internet.
Now I connected a Cisco ASA 5505 to the 192.168.2.0 network with outside address of 192.168.2.1 and inside
address of 192.168.3.1. How do I create a VPN tunnel between 192.168.3.1 and 192.168.1.1?
Your help is greatly appreciated! please show the commands to configure it on both ASAs. Thanks again!
David is not very clear to me how you have the connection because the 192.168.2.0 goes out through the 5510 but it's also connected to the 5505 and you want a tunnel between both ASAs?
Could you please post a simple drawing to understand it better?
Hi Fererico, thanks for replying.
Here is the simple diagram. Hope you understand.
I want to create an IPSec VPN tunnel between the
two 192.168.3.1 and 192.168.1.1. Thanks.
You want to establish the IPsec tunnel between IPs 192.168.2.1 and 192.168.1.1?
This will build a tunnel between the inside interface of the 5510 and the outside interface of the 5505.
Which traffic do you want to send through the tunnel? Meaning which subnets?
Yes it's possible it's just not a normal situation.
We can help you out with the commands, just let us know which traffic is that you want to encrypt and send through this tunnel.
Frederico, Thanks for replying.
I want the traffic to be encrypted on the ASA 5505 side, for the 192.168.3.0 network.
Yes, it is an unusual situation and challeging too.
When you want to set up an IPsec tunnel is because you want to encrypt the communication between two devices.
In this case both ASAs.
So... we are clear that you want to encrypt the 192.168.3.0/24 on the 5505 side.
But... which network do you want to encrypt on the 5510 side?
Can it be encrypted between 192.168.3.0 and 192.168.1.0?
192.168.1.0 is on the ASA 5510 side.
David the problem is this...
192.168.3.0 --- ASA 5505 --- router --- router --- 192.168.1.0 --- ASA 5510 --- outside/Internet
If configuring a VPN tunnel between both ASAs it will be to communicate the 192.168.3.0 with the outside/Internet of the 5510.
If you want to send the 192.168.1.0 through the tunnel, I guess you can do that if you redirect the 192.168.1.0 to the ASA when going to 192.168.3.0 forcing this traffic to be encrypted.
There's no problem with the 192.168.3.0 and with the ASA 5505
The problem is with the 5510 because you want to encrypt the network that is connected to the interface where the tunnel is going to be established.
Is the 5510 the default gateway for the 192.168.1.0 network?
Two gateways are co-existing for the 192.168.1.0 network, 192.168.1.1 for the ASA 5510 and
192.168.1.254 for the Adtran router. Computers in the 192.168.1.0 network can use either gateways
to access the Internet.
As for the 192.168.2.0 network, computers in this network use 192.168.2.254 as the gateway address
to access the Internet. If a computer in this network wants to connect a computer in the 192.168.1.0
network, a persistent route for the gateway of 192.168.1.254 need to be added to the route table of the
192.168.1.0 network computer. for example:
Network Address Netmask Gateway Address Metric
192.168.2.0 255.255.255.0 192.168.1.254 1
I want to thank you for your input.
I conclude that it's not a good idea to create an IPsec VPN tunnel
within the same network.
I have one more question. Can we create a vpn tunnel without
data encryption? Sound like to defeat the purpose of VPN.
You can create a VPN without encryption.
If you use IPsec as the protocol for VPN, then the traffic will be encrypted (however you can disable ESP on the transform-set for phase 2 and the traffic will not be encrypted then).
You can use other VPN protocols like GRE for example which will not encrypt the traffic (will only encapsulate).
The ASA will only support IPsec and not GRE however.