Cisco Support Community
Community Member

Layer 2 Tunneling via a Site to Site VPN between two ASA5505

Dear all,

I got a problem with two ASA5505.

I have to connect two remote sites using an IPSec Tunnel (Site to Site VPN). The devices to be used are two Cisco ASA 5505. They have already been connected to the internet and configured and they can see and ping each other via the “outside” interface.

The point is that both networks behind the ASAs (inside interface) have to have the same network address band (Layer 2 Tunneling).

From my experience with the routers and switches, I know that using normal routers it is possible to establish these kind of Layer 2 connections (with xconnect). I already did that several times. The problem is that I never had to do anything with the Cisco ASA Firewalls. 

Is it possible to do this? I have searched a lot and I fear it won't be possible... :-(

Should it not be possible to do this L2T connection, is it somehow possible to configure both ASAs, one as VPN server and the other as VPN client, so that they establish an 'L2TP over IPsec' connection?

Thanks a lot for your help!


Hi,

If you want both identical LAN subnets to work over a site-to-site tunnel, you have to do it with NAT on both ends, and the encryption domain should be the NATed segment.

Refer to the link to my blog post below and see if that helps.

Correct me if my understanding is wrong.




Community Member

Hi, thanks for your answer.


However I do not understand your example. Which ASA version are you using? Mine is 8.2.

Both routers (acting as hosts) have the same IP address. Hence when you ping from Host A to you will be pinging yourself (localhost).

Also, in the diagram you do not show these networks:

object network natlan
object network endsitelan




Hi,

I explain with detailed steps here.


Site A - LAN - (real IP address)

Site A - NAT - /24 (NAT IP subnet for in Site A)

Site B - LAN - (real IP address)

Site B - NAT - /24 (NAT IP subnet for in Site B)


So instead of creating a crypto encryption domain between the two sites with to , you are creating it here with to .


In this case, from a host at Site A, if you want to ping at Site B, you will be pinging the (NAT IP). So when it traverses and hits the FW it will get translated to , and the same way vice versa.


So you do not need to change the real IP addresses; you are changing them with NAT and accessing them through a NATed IP segment.





Community Member

Thanks a lot for the explanation! I will try it later!


Which ASA version are you using?

Mine is 8.2. Hence I am not able to use the following command:

nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp




Hi,

I am using ASA version 8.4. If you are using version 8.2, then you need to use something like the below:


access-list s2snat permit ip


nat (inside) 2 access-list s2snat

global (outside) 2 netmask
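To make the NAT approach described in the two replies above concrete, here is an added configuration example that is not from the original thread or from Karthik's blog. The real LAN, the two NAT segments and the peer address are assumed values chosen for illustration (192.168.10.0/24 at both sites, 10.10.10.0/24 for Site A, 10.20.20.0/24 for Site B, 203.0.113.2 as Site B's outside address); the object names inlan, natlan, endsitelan and the ACL name s2snat are the ones used in the thread. It shows Site A only; Site B is the mirror image with the two NAT segments swapped. The first part is the 8.4 form, the second the 8.2 form. For 8.2 it uses a static policy NAT entry rather than a dynamic nat/global pair, so that the translation is one-to-one and either side can initiate.

```text
! ===== Site A, ASA 8.4 (twice NAT) =====
! Real LAN (identical at both sites)
object network inlan
 subnet 192.168.10.0 255.255.255.0
! How Site A's LAN appears to Site B
object network natlan
 subnet 10.10.10.0 255.255.255.0
! How Site B's LAN appears to Site A
object network endsitelan
 subnet 10.20.20.0 255.255.255.0
!
! 1:1 static translation of the real LAN to natlan, applied only when the
! destination is the remote NATed segment; the destination is left as-is.
nat (inside,outside) source static inlan natlan destination static endsitelan endsitelan no-proxy-arp
!
! Encryption domain = the two NATed segments, never the real 192.168.10.0/24.
access-list s2s-crypto extended permit ip object natlan object endsitelan
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address s2s-crypto
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>

! ===== Site A, ASA 8.2 (static policy NAT) =====
! Translate 192.168.10.0/24 to 10.10.10.0/24 only for traffic to Site B's
! NATed segment. The mask is taken from the ACL.
access-list s2snat extended permit ip 192.168.10.0 255.255.255.0 10.20.20.0 255.255.255.0
static (inside,outside) 10.10.10.0 access-list s2snat
!
! Any NAT exemption (nat (inside) 0 access-list ...) must NOT also match
! 192.168.10.0/24 -> 10.20.20.0/24, or the policy static is never used.
access-list s2s-crypto extended permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address s2s-crypto
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <shared-secret>
```

With this in place a host at Site A reaches a Site B host 192.168.10.50 by addressing 10.20.20.50; Site B's ASA translates it back to the real address on arrival, and the reverse translation happens for traffic from Site B. The usual checks are "show xlate" (or "show nat detail" on 8.4) to confirm the policy translation is hit, and "show crypto ipsec sa" to confirm the SA is built for 10.10.10.0/24 <-> 10.20.20.0/24 rather than the real subnets. Note that this is a routed, Layer 3 arrangement: each side sees the other through a different subnet, so DNS records or application configuration pointing at the remote site must use the NATed addresses.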




Community Member

Thank you very much!

Community Member

Hi Karthik,


I have another question. Even though your example would permit having the same IP band on both sides, it would rely on an intermediate Layer 3 connection. Am I right?

Therefore simple Layer 2 communication (e.g. Spanning Tree or LLDP frames) between both sides would not be forwarded. Right?


Thanks again!
