There's a mobile version of our website.
Please note the following question --> what is "triple redundant endpoints"?
Here is the scenario
- support company needs to VPN to specific LAN on my network
- provided the support company with 172.16.2.0/24
- support company says they cannot use that subnet because they are using the same subnet connection to another company
- (not sure why they can't use it since its a seperate VPN, but whatever)
- the entire 172.16.31.0 /24 is being used by my company
- so the support company states "create new L2L connection between the triple redundant endpoints and my FW"
- Can someone elaborate on the above or at least suggest another solution?
- Like what else could I do to provide VPN access for the support company to specific servers on my LAN that does not disrupt
my IP schema.
I would really appreciate any help with this.
I got to admit I have never even heard anyone use the term "triple redundant endpoints"
My first reaction was ->
I'd imagine it might be possible to configure more than 1 peer IP address for the L2L VPN connection. I have never really checked how it works
On to the topic,
Do you mean you have the local network 172.16.2.0/24 network the support company has to reach? If thats the case then the overlapping networks aint a problem. You can NAT the whole network to some other private address range /24 network before the traffic enters the new L2L VPN tunnel.
Also to even help you abit I would need to know:
answer --> ASA 5520
answer --> ver 8.3
answer --> DH Grp2, 3DES, SHA (phase 1 and 2) and PFS
Hope that answers your question. Thank you very much for your help with this and I am glad I am not the only one that has not heard of "triple redundant endpoints"
Your ASA L2L VPN configuration might look something like this:
object network L2LVPN-LOCAL-LAN
subnet <network address> <mask>
object network L2LVPN-NAT-LAN
subnet <nat network address> <mask>
object network L2LVPN-DESTINATION
subnet <remote network address> <mask>
nat (inside,outside) source static L2LVPN-LOCAL-LAN L2LVPN-NAT-LAN destination static L2LVPN-DESTINATION L2LVPN-DESTINATION
access-list L2L-VPN-CONNECTION-TRAFFIC permit ip object L2LVPN-NAT-LAN object L2LVPN-DESTINATION
crypto ikev1 policy 10
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map <cryptomap name> 1 match address L2L-VPN-CONNECTION-TRAFFIC
crypto map <cryptomap name> 1 set peer <peer IP address>
crypto map <cryptomap name> 1 set ikev1 transform-set ESP-3DES-SHA
crypto map <cryptomap name> 1 set pfs 2
crypto map <cryptomap name> 1 set reverse-route
crypto map <cryptomap name> interface outside
crypto ikev1 enable outside
group-policy L2LVPN-GROUP-POLICY internal
group-policy L2LVPN-GROUP-POLICY attributes
tunnel-group <peer IP address> type ipsec-l2l
tunnel-group <peer IP address> general-attributes
tunnel-group <peer IP address> ipsec-attributes
ikev1 pre-shared-key <the PSK/password>
Might have forgotten something but should be about it. Just need to make sure the Phase1 and Phase2 parameters match
Also you need to make sure that the traffic from the remote network is allowed to the hosts you want them to access.
Login to share your discussion activity with your friends on Facebook. You can control what you share and turn off sharing anytime.
Your Facebook friends can now see that you have started this discussion
Your Facebook friends can now see that you have commented on this discussion
Your Facebook friends can now see that you have read this discussion