L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?

Can I initiate an L2L IPsec tunnel with the configuration below? Or can I use the external IP address to establish the (remote peer) IPsec L2L tunnel without physically assigning it to the outside interface? Right now the outside interface is private, facing the ISP. I don't have the leverage to add a router. Please let me know how and if the example configuration below can meet my situation. The sub-interface IP address will be connecting to the ISP from the ASA 5520 firewall. My PPP link between the two sites is going under maintenance for a long time. Thank you in advance!

Example:

interface GigabitEthernet0/0
 description untrusted link
 nameif outside
 security-level 0
 ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2   << Public IP

interface GigabitEthernet0/0.5
 description untrusted link
 nameif outside
 security-level 0
 ip address 10.1.10.2 255.255.255.248 standby 10.1.10.3   << private IP to ISP core end

Or

interface GigabitEthernet0/0
 no shut

interface GigabitEthernet0/0.5
 description untrusted link
 encapsulation dot1Q 5
 nameif outside
 security-level 0
 ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2   << Public IP

interface GigabitEthernet0/0.10
 description untrusted link
 encapsulation dot1Q 10
 nameif outside
 security-level 0
 ip address 10.1.10.2 255.255.255.248 standby 10.1.10.3   << private IP to ISP core end

Thanks,

Eric

Accepted Solution

Re: L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?

Eric,

If the ASA has a private IP, you can terminate the L2L on the public IP (of the router in front) and create a 1-1 STATIC NAT. In this way, VPN traffic will be sent through the ASA.

Another option (I have not done it, but I think it should work) is terminating the VPN on the subinterface of the ASA. As long as the IP is routable and reachable it should work.

Federico.
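To show what Federico's second option looks like in practice, here is an added example (not from the thread, not Cisco's or the ISP's configuration) of an IKEv1 L2L terminated on the tagged subinterface. It reuses Eric's values (VLAN 5, 191.161.4.1/24 outside, 172.16.10.0/24 inside) and assumes pre-8.3 ASA syntax, an ISP gateway of 191.161.4.254, a remote peer 203.0.113.10 and a remote LAN 172.16.20.0/24, all of which are placeholders; the point is that ISAKMP and the crypto map bind to the nameif, so a subinterface works exactly like a physical outside interface.

```cisco
! Physical port is only the 802.1Q trunk; leave it without a nameif.
interface GigabitEthernet0/0
 no shutdown
!
! Tagged subinterface carries the routable address and is the VPN endpoint.
interface GigabitEthernet0/0.5
 vlan 5
 nameif outside
 security-level 0
 ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2
!
! Default route to the ISP gateway (assumed address) via the subinterface.
route outside 0.0.0.0 0.0.0.0 191.161.4.254
!
! Interesting traffic: local LAN to remote LAN (remote LAN is assumed).
access-list L2L_TRAFFIC extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
!
! NAT exemption so the LAN-to-LAN traffic keeps its real addresses (pre-8.3 syntax).
access-list NO_NAT extended permit ip 172.16.10.0 255.255.255.0 172.16.20.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Phase 1 (IKEv1) policy, enabled on the subinterface's nameif.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
! Peer definition; the peer address is a placeholder, the key must be replaced.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE_WITH_STRONG_KEY
!
! Phase 2 transform set and crypto map, bound to the subinterface by nameif.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

The remote side must mirror the policy, transform set and reversed access list; `show crypto isakmp sa` and `show crypto ipsec sa` confirm phase 1 and phase 2 are up on the subinterface.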

5 REPLIES

Re: L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?

Federico, any advice on this config?

Re: L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?

Hi Eric,

If I understand correctly, you want to terminate the L2L on the ASA.

You want to terminate the tunnel on the IP address of the outside interface? Or you want to terminate the tunnel on a subinterface IP?

Either way you should be able to do it, since you can enable ISAKMP and apply the crypto map on either a physical interface or a subinterface.

What's exactly the issue that you're facing?

Federico.


Re: L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?

Thank you, Federico. My firewall is directly connected to the ISP via 10.1.10.2 on the outside interface.

Now, since this is a non-routable IP address on my outside interface facing the ISP, I wanted to create a sub-interface on the outside and assign the routable IP address 191.161.4.1 to it. I wanted to make sure that I can establish the IPsec L2L tunnel via the web. Inside is 172.16.10.0/24.

Thanks,

Eric



Re: L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?

Ok great, I will go with the sub-interface configuration. The router in front of my firewall is managed by the ISP and shares the same public IP address with many customers. Thank you so much, Federico!
