
single-interface ASA L2L VPN

Hi all,

Is it possible to use an ASA 5505 as a single-interface (inside only) L2L VPN endpoint?

Customer has a simple LAN, with a gateway to the Internet. I'm allowed to install a 5505 to VPN on his LAN, no more. The idea is that the 5505 does L2L to the at the central site (running a 5520) and on the clients an explicit route is set to via the ASA (which has a fixed address on the customer's LAN).

Will it work? The 5505 sends out IKEv1, NAT-T and stuff, but gets no reply, as nothing arrives on the 5520.

Connectivity to the 5520 is working, as I can AnyConnect and EasyConnect to it from the same LAN (with my PC and another 5505 with regular inside and outside, of course).


As a plus, but only to be implemented once the VPN works, I would like to later NAT the customer's LAN in order to present it to the central site as something more coherent with our numbering plan. I've done it before, but not with a single interface. Any caveats?


Please advise. Thank you very much.


Hi,

Do you mean to say that the ASA 5505 @ customer site will have only a single interface? Just you will be having the inside interface alone.... no other interfaces configured, and you want to make the L2L connection from the central site to the customer site using a single interface @ one end? All you need is that the traffic from the central site should reach the customer site, and you want to have it in and out through the same interface?


Please clarify more with your requirement.




Community Member

This is the idea:

Customer:

 |PCs|  |ASA|   |customer's GW|------internet------|my ASA|
   |      |       |                                    |
---+------+-------+---                              ---+-----


Let's say PC is, ASA is the 5505 with host part=16, customer's GW is 254.

PC's default gw is .254, with an explicit route for that's .16

The 5505 only has one interface, and default gw

Obviously the 5505 will do NAT-T as it's NATted by so the L2L connection must be initiated by the 5505, not the central site.

The connection is initiated, I can see packets for centralsite:500 going out of the 5505 (I sniff them on the gateway) but nothing arrives at the centralsite, which is weird to say the least.


Any ideas?


Community Member

OK, I am a total idiot.

I had the wrong default gw set on the 5505. Unbelievable. It works perfectly now.
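For reference, here is what the single-interface setup described in this thread looks like as an ASA configuration. This is an added example, not the poster's config: it assumes ASA 8.4+ syntax and IKEv1 as mentioned above, and uses constructed RFC 5737 documentation addresses (customer LAN 192.0.2.0/24 with the 5505 at .16 and the gateway at .254, central LAN 198.51.100.0/24, central 5520 peer at 203.0.113.1) plus a pre-shared-key placeholder.

```text
! Added example, not from the thread. Assumes ASA 8.4+ syntax, IKEv1 (as in
! the thread), and constructed RFC 5737 addresses:
!   customer LAN 192.0.2.0/24, 5505 = .16, customer GW = .254
!   central site LAN 198.51.100.0/24, 5520 public address 203.0.113.1
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.16 255.255.255.0
!
! The only route: default via the customer's gateway on the same interface.
! This is the line that was wrong in the thread; if it points anywhere else,
! IKE packets never leave the LAN even though the peer is reachable from PCs.
route inside 0.0.0.0 0.0.0.0 192.0.2.254 1
!
! Cleartext from the PCs and encrypted traffic to the peer both use "inside",
! so hairpinning on one interface must be allowed explicitly.
same-security-traffic permit intra-interface
!
object network LOCAL_LAN
 subnet 192.0.2.0 255.255.255.0
object network CENTRAL_LAN
 subnet 198.51.100.0 255.255.255.0
! Identity NAT so the tunnelled traffic is not translated (replace the source
! side with a translated object later if the LAN is to be presented differently).
nat (inside,inside) source static LOCAL_LAN LOCAL_LAN destination static CENTRAL_LAN CENTRAL_LAN no-proxy-arp route-lookup
!
access-list L2L_ACL extended permit ip object LOCAL_LAN object CENTRAL_LAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set L2L_TS esp-aes-256 esp-sha-hmac
crypto map L2L_MAP 10 match address L2L_ACL
crypto map L2L_MAP 10 set peer 203.0.113.1
crypto map L2L_MAP 10 set ikev1 transform-set L2L_TS
crypto map L2L_MAP interface inside
crypto ikev1 enable inside
! The 5505 sits behind the customer's NAT, so NAT-T must stay enabled and the
! 5505 must be the initiator (the central 5520 cannot reach it unsolicited).
crypto isakmp nat-traversal 20
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER_PSK>
```

`show route` should list exactly one default route via 192.0.2.254 on inside, and `show crypto ikev1 sa` confirms the tunnel once a PC sends traffic toward the central LAN.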

