I have two ASA 5505s at two different locations (main office and remote office), and I need the remote office to be in the same subnet as the main office, since they move computers between the offices, they have fixed IP addresses on those computers, and they have no right to change to DHCP mode when they move to the remote office.
Is it possible to create something like a bridge over the VPN tunnel so it extends the LAN?
Please see if this link helps..
Yes and no for the above document.
But if I do that configuration, then the user in the remote office needs to use another IP address when accessing a server in the main office, and that will not work. How can I get a user to understand that if he needs access to a server he needs to use one IP address when he is in the main office, but if he is visiting the remote office and still needs to use resources on the same server, then he suddenly needs to use another IP address?!
At least that is how I read that configuration example to work.
It must be a real "bridge" tunnel.
Please anyone, help....... I need to get this fixed today !!!
So you mean that I just configure the remote office to use the same LAN subnet as main office and then just create a VPN tunnel as normal between both firewalls and then it will work ?!
Yup... but slightly different... by using NAT.
For example, translate the IPs of the main office to the 184.108.40.206 network and translate the IPs of the remote office to 220.127.116.11. Make 18.104.22.168 and 22.214.171.124 the interesting traffic (traffic to be encrypted).
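The NAT approach suggested above, sketched as an added example that is not part of the original thread. It assumes an ASA at both ends running 8.3+ NAT syntax, and every address, object name and ACL name is a constructed placeholder (both LANs are taken to be 192.168.1.0/24).

```cisco
! ---- Main-office ASA (constructed example, ASA 8.3+ NAT syntax assumed) ----
object network MAIN-REAL
 subnet 192.168.1.0 255.255.255.0
object network MAIN-MAPPED
 subnet 10.1.1.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 10.2.2.0 255.255.255.0
! 1:1 static translation of the local LAN, applied only toward the peer's mapped range
nat (inside,outside) source static MAIN-REAL MAIN-MAPPED destination static REMOTE-MAPPED REMOTE-MAPPED
! Interesting traffic: the crypto ACL is matched after NAT, so it uses mapped addresses
access-list VPN-TO-REMOTE extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE

! ---- Remote-office ASA (mirror image of the above) ----
object network REMOTE-REAL
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-MAPPED
 subnet 10.2.2.0 255.255.255.0
object network MAIN-MAPPED
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source static REMOTE-REAL REMOTE-MAPPED destination static MAIN-MAPPED MAIN-MAPPED
access-list VPN-TO-MAIN extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-MAIN
! Peer, transform-set and tunnel-group lines are the same as for any
! site-to-site tunnel and are omitted here.
```

With this in place a host in the remote office reaches a main-office server at 10.1.1.x rather than 192.168.1.x, so each side addresses the other by its mapped range.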
Well, they (not me) have decided for some reason that they will not use DHCP. I would also go for that, but I cannot convince the deciding people to change this, therefore I am stuck with this.
And I also have a more delicate problem after I have this working: the main office firewall (LAN default GW) is not one of these ASA firewalls, it is another brand of firewall, so I don't really know if this will work anyway. Maybe someone can tell me that?
Hi, yes, I have read it and looked at it but have not had the time to test anything because of other emergency work today.
But do you have any good sample config for me so I have something to start from? I am really not a guru when it comes to IOS/ASA configs.
It will not work, as requests from the hosts will not reach the gateway. After all, queries are addressed to recipients on the same network segment, and the search for addresses will be made in the MAC table on the switch.
If I create it as a normal tunnel and use a different subnet for the remote office and then create a static route in the main office firewall that points to the remote office subnet via the ASA firewall, will that work?
This scheme will work if the subnets in the offices are different, but for the hosts to be able to move from one office to another without having to manually change the IP address, you need to enable DHCP in both offices.
Good, or they have to use fixed IP addresses in the main office and then change settings when going to the remote office, but that will of course cause other "user" problems.
I must talk to the responsible people and try to get them to use DHCP instead.
But would it be possible to use the original "question"/solution to create the tunnel with the ASA in the remote office and terminate the "bridged" tunnel in the main office Firewall-1? Or must it be an ASA at both ends to get the "bridged" scenario to work?
Of course this is a question also for Firewall-1 people to answer.
Which firewall is used in the main office?
Better if it is an ASA, but you can connect with other vendors. I have put together IPSec using ASA, ISR and Microsoft TMG (TMG does not work very stably with third-party equipment, in this case Cisco). I think other vendors have to connect to the ASA. But how they will work is hard to say. The best option is if the tunnel is used with one vendor's equipment.