09-03-2014 05:58 AM
Dear all,
I got a problem with two ASA5505.
I have to connect two remote sites using an IPSec Tunnel (Site to Site VPN). The devices to be used are two Cisco ASA 5505. They have already been connected to the internet and configured and they can see and ping each other via the “outside” interface.
The point is that both networks behind the ASAs (inside interface) have to have the same network address band (Layer 2 Tunneling).
From my experience with the routers and switches, I know that using normal routers it is possible to establish this kind of Layer 2 connection (with xconnect). I already did that several times. The problem is that I never had to do anything with the Cisco ASA Firewalls.
Is it possible to do this? I have searched a lot and I fear it won't be possible.... :-(
Should it not be possible to do this L2T connection, is it somehow possible to configure both ASAs, one as VPN Server and the other as VPN Client, so that they establish a 'L2TP over IPSec' connection?
Thanks a lot for your help!
Fabio
09-04-2014 12:42 AM
Hi,
If you want to have both the identical LAN subnets to work with Site to Site tunnel.... You have to do that with NATing on both the ends and encryption tunnel should be with NATed Segment.....
Refer to the link below to my blog spot and see if that helps
http://cuckoonetworks.blogspot.com/2014/08/site-to-site-vpn-cisco-asa-identical.html
Correct me if my understanding is wrong.....
Regards
Karthik
09-04-2014 12:55 AM
Hi,
thanks for your answer.
However I do not understand your example. Which ASA version are you using? Mine is 8.2.
Both Routers (acting as hosts) have the same IP Address. Hence when you ping from HostA to 10.0.0.10 you will be pinging yourself (localhost)
Also, in the diagram you do not show these networks:
object network natlan
subnet 192.168.1.0 255.255.255.0
object network endsitelan
subnet 192.168.2.0 255.255.255.0
Regards,
Fabio
09-04-2014 02:00 AM
Hi,
I explain with detailed steps here.....
site A - LAN - 10.0.0.0/24 (Real IP Address)
Site A - NAT - 192.168.1.0 /24 ( NAT IP Subnet for 10.0.0.0/24 in Site A)
Site B - LAN - 10.0.0.0/24 (Real IP Address)
Site B - NAT - 192.168.2.0 /24 ( NAT IP Subnet for 10.0.0.0/24 in Site B)
So instead of creating a crypto encryption domain between 2 sites with 10.0.0.0 to 10.0.0.0.... you are creating it here with 192.168.1.0/24 to 192.168.2.0/24.....
in this, from site A - 10.0.0.10 host.... if you want to ping 10.0.0.10 @ site B.... You will be pinging 192.168.2.10 ( NAT IP).... so when it traverses and hits the FW it will get translated to 10.0.0.10.... same way vice versa....
so you do not need to change the ip address in real..... you are changing it with NAT and access that through a NATed IP segment...
Regards
Karthik
09-04-2014 02:03 AM
Thanks a lot for the explanation! I will try it later!
Which ASA Version are you using?
Mine is 8.2. Hence I am not able to use the following command:
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
Regards,
Fabio
09-04-2014 02:45 AM
Hi,
I am using ASA 8.4 version.... If you are using 8.2 version.... then you need to use something like the below....
access-list s2snat permit ip 10.0.0.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 2 access-list s2snat
global (outside) 2 192.168.1.0 netmask 255.255.255.0
Regards
Karthik
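Putting the two posts above together, this is what the NAT and encryption-domain part of the 8.3+ (twice NAT) configuration looks like on both ASAs. It is an added example, not Karthik's blog config or Cisco documentation; the ACL name s2s-vpn, the crypto map name outside_map and the Site B object names are assumed, and the peer, transform set and tunnel-group lines of a normal site-to-site setup are left out.

```text
! ---- Site A (ASA 8.3 or later) ----
! Real LAN 10.0.0.0/24 is shown to Site B as 192.168.1.0/24;
! Site B's LAN is reached as 192.168.2.0/24.
object network inlan
 subnet 10.0.0.0 255.255.255.0
object network natlan
 subnet 192.168.1.0 255.255.255.0
object network endsitelan
 subnet 192.168.2.0 255.255.255.0
! Twice NAT: only for traffic towards 192.168.2.0/24, translate the source
! 10.0.0.0/24 -> 192.168.1.0/24 one-to-one (host .10 stays .10).
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
! The encryption domain uses the NATed subnets, never 10.0.0.0/24 on either side.
! (s2s-vpn and outside_map are assumed names, not from the thread.)
access-list s2s-vpn extended permit ip object natlan object endsitelan
crypto map outside_map 10 match address s2s-vpn

! ---- Site B (mirror image: 10.0.0.0/24 shown as 192.168.2.0/24) ----
object network inlan
 subnet 10.0.0.0 255.255.255.0
object network natlan
 subnet 192.168.2.0 255.255.255.0
object network endsitelan
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
access-list s2s-vpn extended permit ip object natlan object endsitelan
crypto map outside_map 10 match address s2s-vpn
```

A host at Site A then reaches its counterpart 10.0.0.10 at Site B by pinging 192.168.2.10; `show nat` and `show crypto ipsec sa` on either ASA should show the translation hits and an SA for 192.168.1.0/24 <-> 192.168.2.0/24 rather than for 10.0.0.0/24.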
09-04-2014 03:16 AM
Thank you very much!
09-04-2014 05:00 AM
Hi Karthik,
I have another question. Even though your example would permit having the same IP Band on both sides, it would rely on an intermediate Layer 3 connection. Am I right?
Therefore a simple Layer 2 communication (e.g. Spanning Tree or LLDP frames) between both sides would not be forwarded. Right?
Thanks again!