Lan-to-LAN tunnel as a bridge

mannercorp
Level 1

Hi!

I have two ASA 5505s at two different locations (main office and remote office), and I need the remote office to be in the same subnet as the main office, since they move computers between the offices and they have fixed IP addresses on those computers, and they have no right to change to DHCP mode when they move to the remote office.

Is it possible to create something like a bridge over the VPN tunnel so it extends the LAN?

/Johan

18 Replies

mvsheik123
Level 7

mannercorp
Level 1

Hi!

Yes and no for the above document.

But if I do that configuration, then the user at the remote office needs to use another IP address when accessing a server at the main office, and that will not work. How can I get a user to understand that if he needs access to a server he needs to use one IP address when he is at the main office, but if he is visiting the remote office and still needs to use resources on the same server, then he suddenly needs to use another IP address?!

At least that is how I read that configuration example to work.

It must be a real "bridge" tunnel.

Please, anyone, help... I need to get this fixed today!!!

/Johan

Hi,

You can use NAT...

Hi!

How? Some kind of double NAT?

Example!

/Johan

For example, make a tunnel between 150.1.1.10 and 200.1.1.20 and NAT the inside addresses to the respective public IPs.

Hi!

So you mean that I just configure the remote office to use the same LAN subnet as the main office and then just create a VPN tunnel as normal between both firewalls, and then it will work?!

/Johan

Yup... but slightly different... by using NAT.

For example, translate the IPs of the main office to the 20.1.1.0 network and translate the IPs of the remote office to 30.1.1.0. Make 20.1.1.0 and 30.1.1.0 the interesting traffic (traffic to be encrypted).

Johan,

Did you go through the link? That deals exactly with your case.

Thx

MS

Why can't you use DHCP for users in all offices? It will resolve all your problems with static IPs.

Well, they (not me) have decided for some reason that they will not use DHCP. I would also go for that, but I cannot convince the deciding people to change this, therefore I am stuck with this.

And I also have a more delicate problem after I have this working: the main office firewall (LAN default GW) is not one of these ASA firewalls, it is another brand of firewall, so I don't really know if this will work anyway. Maybe someone can tell me that?

/Johan

Hi, yes, I have read it and looked at it but have not had the time to test anything because of other emergency work today.

But do you have any good sample config for me so I have something to start from? I am really not a guru when it comes to IOS/ASA configs.

/Johan

It will not work, as requests from the hosts will not reach the gateway. After all, queries are addressed to recipients on the same network segment, and the search for addresses will be made in the MAC table on the switch.

If I create it as a normal tunnel and use a different subnet for the remote office and then create a static route in the main office firewall that points to the remote office subnet via the ASA firewall, will that work?

/Johan

This scheme will work if the subnet in the offices will be different, but for the fact that the hosts can move from one office to another without having to manually change the IP address - you need to enable DHCP in both offices.
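
Added example, not part of any post in this thread and not Cisco configuration: a small Python model of the two behaviours discussed above, the host's on-link decision that keeps same-subnet traffic away from the gateway, and the 1:1 network NAT onto 20.1.1.0 and 30.1.1.0 suggested in the replies. The shared LAN 192.168.1.0/24, the /24 masks, the host addresses and all function names are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing: both offices use this LAN (the thread does not state it).
LAN = ipaddress.ip_network("192.168.1.0/24")
# Translated networks from the thread's NAT suggestion; the /24 mask is assumed.
MAIN_NAT = ipaddress.ip_network("20.1.1.0/24")
REMOTE_NAT = ipaddress.ip_network("30.1.1.0/24")


def next_hop(src_if, dst, gateway):
    """Host forwarding decision: an on-link destination is resolved with ARP
    on the local segment, so the packet never reaches the gateway/firewall."""
    dst = ipaddress.ip_address(dst)
    return "arp-local" if dst in src_if.network else f"via {gateway}"


def static_net_nat(addr, real_net, mapped_net):
    """1:1 network NAT: keep the host bits, swap the network prefix."""
    addr = ipaddress.ip_address(addr)
    if addr not in real_net:
        raise ValueError(f"{addr} is not in {real_net}")
    offset = int(addr) - int(real_net.network_address)
    return mapped_net.network_address + offset


def remote_to_main(src, dst_mapped):
    """Trace a packet from a remote-office host to a main-office server
    that is addressed by its translated (20.1.1.x) address."""
    tunnel_src = static_net_nat(src, LAN, REMOTE_NAT)      # remote side translates the source
    real_dst = static_net_nat(dst_mapped, MAIN_NAT, LAN)   # main side restores the real destination
    return {"tunnel_src": str(tunnel_src),
            "tunnel_dst": dst_mapped,
            "delivered_to": str(real_dst)}


if __name__ == "__main__":
    host = ipaddress.ip_interface("192.168.1.50/24")   # constructed remote-office PC
    # Server's real address: looks on-link, so it is ARPed for and never tunnelled.
    print(next_hop(host, "192.168.1.10", "192.168.1.1"))
    # Server's translated address: off-link, so it goes to the gateway and into the tunnel.
    print(next_hop(host, "20.1.1.10", "192.168.1.1"))
    print(remote_to_main("192.168.1.50", "20.1.1.10"))
```

The trace shows the trade-off raised in the thread: with overlapping subnets the server is only reachable from the other office under its translated address, not the address used locally.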
