Community Member

single-interface ASA L2L VPN

Hi all,

Is it possible to use an ASA 5505 as a single-interface (inside only) L2L VPN endpoint?

Customer has a simple 192.168.1.0/24 LAN, with a gateway to the Internet. I'm allowed to install a 5505 to VPN on his LAN, no more. The idea is that the 5505 does L2L to the 10.0.0.0/8 at the central site (running a 5520) and on the clients an explicit route is set to 10.0.0.0/8 via the ASA (which has a fixed address on the 192.168.1.0/24 customer's LAN).

Will it work? The 5505 sends out IKEv1, NAT-T and stuff, but gets no reply, as nothing arrives on the 5520.

Connectivity to the 5520 is working, as I can AnyConnect and EasyConnect to it from the same LAN (with my PC and another 5505 with regular inside and outside, of course).


As a plus, but only to be implemented once the VPN works, I would like to later NAT the customer's LAN in order to present it to the central site as something more coherent with our numbering plan. I've done it before, but not with a single interface. Any caveats?


Please advise. Thank you very much.

3 REPLIES


Hi,

Do you mean to say that the ASA 5505 at the customer site will have only a single interface? You will just be having the inside interface alone, no other interfaces configured, and you want to make the L2L connection from the central site to the customer site using a single interface at one end? All you need is for the traffic from the central site to reach the customer site, and you want to have in and out through the same interface?


Please clarify more with your requirement.


Regards

Karthik

Community Member


This is the idea:


Customer:

 |PCs|  |ASA|   |customer's GW|------internet------|my ASA|
   |      |       |                                    |
---+------+-------+---                              ---+-----
192.168.1.0/24                                       10.0.0.0/8


Let's say PC is 192.168.1.100/24, ASA is the 5505 with host part=16, customer's GW is 254.

The PC's default gw is .254, with an explicit route for 10.0.0.0/8 via .16.

The 5505 only has one interface, 192.168.1.16, and default gw 192.168.1.254.

Obviously the 5505 will do NAT-T as it's NATted by 192.168.1.254 so the L2L connection must be initiated by the 5505, not the central site.

The connection is initiated; I can see packets for centralsite:500 going out of the 5505 (I sniff them on the gateway) but nothing arrives at the central site, which is weird to say the least.


Any ideas?


Community Member


OK, I am a total idiot.

I had the wrong default gw set on the 5505. Unbelievable. It works perfectly now.

Sorry.
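For reference, here is a configuration for the layout sketched in the thread: a 5505 with only an inside interface, behind the customer's NAT gateway, initiating an IKEv1 L2L tunnel to the 5520 and hairpinning both cleartext and encrypted traffic through that one interface. This is an added example written for this page, not configuration from the original poster or from Cisco. It assumes ASA 8.2-style syntax (the release a 5505 of this era typically ran), "inside" on Vlan1, a central public address of 203.0.113.10, AES-256/SHA-1/DH group 2, and a placeholder pre-shared key; all of those are assumptions, not details from the post. The central-site fragment at the end and the commented NAT variant are likewise assumptions, included because the thread raises both points (the 5505 must initiate, and the LAN may later be presented under a different range).

```cisco
! ===== Customer site: ASA 5505, single interface (assumed names/addresses) =====
hostname customer-asa
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.16 255.255.255.0
!
! The only route the box has: default via the customer's Internet gateway.
! A wrong next hop here is exactly the failure in the thread: IKE leaves the
! ASA but is forwarded nowhere useful, so the peer never sees it.
route inside 0.0.0.0 0.0.0.0 192.168.1.254 1
!
! Required for a single-interface endpoint: a PC packet arriving on inside is
! encrypted and sent out inside again, and decrypted traffic from central
! arrives on inside and must be forwarded out inside to the PC. Without this
! the ASA drops any flow that enters and leaves the same interface.
same-security-traffic permit intra-interface
!
! Interesting traffic for the tunnel (proxy IDs sent in the IKE exchange).
access-list L2L_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
!
! NAT exemption: present the customer LAN to central unchanged (phase 1 of
! the poster's plan).
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list NONAT
!
! Later option (the poster's "phase 2", assumed range 172.16.50.0/24): replace
! the exemption with a same-interface policy static. Caveat: the ASA applies
! NAT before matching the crypto map, so both ends' crypto ACLs must then
! reference the translated 172.16.50.0/24, not 192.168.1.0/24.
! static (inside,inside) 172.16.50.0 192.168.1.0 netmask 255.255.255.0
! access-list L2L_TRAFFIC extended permit ip 172.16.50.0 255.255.255.0 10.0.0.0 255.0.0.0
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map L2L_MAP 10 match address L2L_TRAFFIC
crypto map L2L_MAP 10 set peer 203.0.113.10
crypto map L2L_MAP 10 set transform-set ESP-AES256-SHA
! The crypto map is bound to inside because that is the only interface.
crypto map L2L_MAP interface inside
!
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! The 5505 sits behind the customer's PAT gateway, so ESP is encapsulated in
! UDP/4500 and keepalives keep the translation alive.
crypto isakmp nat-traversal 20
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <shared-secret>
!
! ===== Central site: ASA 5520 fragment (assumed) =====
! The remote peer's source address is whatever the customer gateway PATs it
! to, and the tunnel is always initiated from the 5505, so a dynamic crypto
! map entry with the DefaultL2LGroup key accepts it without naming the peer.
! crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! crypto dynamic-map DYN_L2L 10 set transform-set ESP-AES256-SHA
! crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_L2L
! crypto map OUTSIDE_MAP interface outside
! crypto isakmp enable outside
! crypto isakmp nat-traversal 20
! access-list NONAT_CENTRAL extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
! nat (inside) 0 access-list NONAT_CENTRAL
! tunnel-group DefaultL2LGroup ipsec-attributes
!  pre-shared-key <shared-secret>
```

Checks worth running on the 5505 before blaming the peer: `show route` must show the default route pointing at the real Internet gateway (the mistake in the thread); `show crypto isakmp sa` should reach MM_ACTIVE once phase 1 completes, and `show crypto ipsec sa` should show encaps/decaps counters moving in both directions. `packet-tracer input inside tcp 192.168.1.100 1025 10.1.1.1 80` confirms that a PC flow enters inside, is permitted by the intra-interface rule, and hits the crypto map rather than being routed in the clear. On the central 5520, a dynamic-map peer that never appears in `show crypto isakmp sa` while the 5505 shows MM_WAIT_MSG2 points at a routing or NAT problem between the sites rather than at the crypto settings.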
