ASA VPN IP question

Hi all,
I feel like this is a dumb question, but I can't seem to find the documentation fitting my scenario on Cisco. I can set up VPN without any problems. My issue though is that all the configuration examples rely on the outside interface IP as the "PEER IP" in L2L or the target IP in RA. Is there any special configuration needed to use a public IP other than my outside interface?
Example:
outside interface (ASA) ip 1.1.1.1
L2L vpn ip 1.1.1.2
RA vpn ip 1.1.1.3
Gateway ip 1.1.1.4
I want to use 1.1.1.2 and 1.1.1.3 in my ASA configuration instead of using the outside interface, but I'm unsure as to where I define this parameter.
Any suggestions using this example?
Tia,
Fred

Fred, you are right in stating that all docs pertaining to L2L VPN point to the outside interface, as it is the most commonly set up scenario. I am not aware that you could do what you are trying to do, using a different IP as your VPN termination point instead of the actual IP address of the interface; if there is a way, I'm willing to learn it.
You could however (not that I have tried it, but I will see if I could simulate this at some point in the future) have three outside subinterfaces: one sub for the L2L 1.1.1.2 termination point, one sub for RA 1.1.1.3, and your outside physical with 1.1.1.1. This is just a thought; perhaps we could see some other comments.
Rgds
Jorge

Similar Messages

  • Yet Another ASA VPN Licensing Question :)

    I have a pretty good understanding of ASA VPN concepts, but not sure about this scenario. Two questions regarding 5525 VPN SSL AnyConnect Premium Licensing.
    1. Assuming we already own an ASA 5525-X with 750 AnyConnect Essentials and Mobile (p/n ASA5525VPN-EM750K9) and want the ability for 200 Clientless (AnyConnect Premium) VPN connections, including mobile devices, what part number do I need?
    2. Assuming we do not yet own an ASA5525, but want the same 200 clientless VPN connections plus mobile device connectivity, what part number do I need? I'm assuming this is correct >> ASA5525VPN-PM250K9
    Thanks!

    It's no problem - I sometimes look for an answer to a question myself and find my own 2 year old post explaining the answer. As long as I don't find my 2 week old answer, I'm OK with that. :)
    Anyhow, no, there's not a SKU to upgrade Essentials to Premium. All the Premium upgrade SKUs are between Premium licensed user tiers (10-25, 25-50, 50-100 etc.).
    If you're a persuasive customer and make a strong case with your reseller they may be able to get a deal with Cisco outside the normal channels to get some relief as a customer satisfaction issue. That's very much a case by case thing though and not the normal fulfillment method.

  • Cisco ASA -VPN Ping Question

    Hey guys, I have a Cisco ASA 5505 8.4. I have a Remote Access VPN up and working...for the most part. When I VPN in I would like to be able to access our Mitel phone manager, which is just an internal IP you put in the browser. Here is the issue: when I am connected I can't ping the address 10.0.0.250. But I can ping my other servers 10.0.0.2 and 10.0.0.3. Why can I ping some addresses but not others?
    Thanks
    Nick

    Hi,
    Are you saying that the ASA replaced the previous device that acted as the default gateway for the phone system? And also the IP address was changed and this was not taken into consideration on the phone systems network configurations?
    This would indicate that the problem is with the phone system having the old gateway IP address configured, and it doesn't know where to forward the traffic that is coming from a different network (for which it would require the correct default gateway).
    If "the internal network that can ping and access the phone system" means the hosts that are on the same internal network as the phone system (10.0.0.x), then this is expected, as the default gateway is not needed between hosts in the same network because they communicate directly.
    So the problem would now simply be with the default gateway IP set on the phone system.
    - Jouni

  • ASA vpn nat question

    I have an ASA 5520 ver 8.4 with the following config:
    WAN
    207.211.25.34
    Production
    10.11.12.1 255.255.255.0
    Mgmt
    10.11.11.1 255.255.255.0
    I need to create a peer-to-peer VPN to a remote site ASP16 from both Prod and Mgmt.
    What would my NAT statement look like?
    Currently I have the following but can only ping from Mgmt, not Prod (ASP17 is a network object group that contains the Prod and Mgmt subnets):
    nat (Production,WAN) source static ASP17_VPN ASP17_VPN destination static ASP16 ASP16 no-proxy-arp route-lookup
    nat (Mgmt,WAN) source static ASP17_VPN ASP17_VPN destination static ASP8_Prod ASP8_Prod

    Hello Tejas,
    After reading your configuration I can see that the crypto maps are applied to the outside interface, and the access-list for the interesting traffic has both networks (Management and Production), so you should be able to access the other network from this site.
    Can you do the following packet tracers to see the features the ICMP packet is hitting when the Request is sent.
    I will need the output of the following commands:
    1- Packet-tracer input Mgmt icmp 10.11.34.15 8 0 10.30.6.15
    2-Packet-tracer input Production icmp 10.11.35.15 8 0 10.30.6.15
    Please rate helpful posts,
    Julio!!

  • ASA VPN client question

    Hello.
    I have a question about a connection between an asa5505-sec-bun-k9 (that acts as Easy VPN client) and a EASY VPN server.
    The connection with the Easy VPN server is OK, but I can no longer connect to the internet or create VPN connections to my ASA5505 when I enable the feature.
    Is this a normal condition with Easy VPN Client enabled?

    You need to do split tunneling on your VPN server and apply it to the VPN client config on the VPN server, so that it encrypts only traffic destined to the server-side private network.
    Let's say the private network behind the VPN server is 192.168.1.0/24,
    so make a standard ACL
    access-list split standard permit 192.168.1.0 255.255.255.0
    group-policy [your group policy name] attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split
    Then when you connect from the Easy VPN client, only traffic to 192.168.1.0 will go through the tunnel; other traffic will not be part of the encrypted traffic.
    good luck
    Rate if helpful

  • ASA VPN configuration question

    I am trying to configure a VPN tunnel to a remote 3rd party site from an ASA. I have set up a new tunnel group
    But it seems to be trying to use the DefaultRAGroup and then the Defaultl2lGroup one. What do I need to do to ensure it uses the new one I have set up ?

    The name of the tunnel-group has to be the ip address of the remote gateway. With that, the ASA can match the IPsec packets to the correct tunnel-group.

  • ASA VPN QUESTION

    Hi All
    The question is pretty simple. I can successfully connect to my ASA 5505 firewall via Cisco VPN Client 64-bit. I can ping any IP address on the LAN behind the ASA, but none of the LAN computers can see or ping the IP address which is assigned to my VPN client from the ASA VPN pool.
    The LAN behind the ASA is 192.168.0.0 and the VPN pool for the Cisco VPN Client is 192.168.30.0.
    I would appreciate some help please.
    Here is the config:
    ASA Version 7.2(4)
    hostname ciscoasa
    domain-name default.domain.invalid
    enable password J7NxNd4NtVydfOsB encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    name 192.168.0.11 EXCHANGE
    name x.x.x.x WAN
    name 192.168.30.0 VPN_POOL2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address WAN 255.255.255.252
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa724-k8.bin
    ftp mode passive
    clock timezone EEST 2
    clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    access-list nk-acl extended permit tcp any interface outside eq smtp
    access-list nk-acl extended permit tcp any interface outside eq https
    access-list customerVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_POOL2 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list VPN_NAT extended permit ip VPN_POOL2 255.255.255.0 192.168.0.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool VPN_POOL2 192.168.30.10-192.168.30.90 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list VPN_NAT outside
    static (inside,outside) tcp interface smtp EXCHANGE smtp netmask 255.255.255.255
    static (inside,outside) tcp interface https EXCHANGE https netmask 255.255.255.255
    access-group inside_access_in in interface inside
    access-group nk-acl in interface outside
    route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.0.0 255.255.255.0 inside
    snmp-server host inside 192.168.0.16 community public
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  20
    telnet 192.168.0.0 255.255.255.0 inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcp-client client-id interface outside
    dhcpd dns 217.27.32.196
    dhcpd address 192.168.0.100-192.168.0.200 inside
    dhcpd dns 192.168.0.10 interface inside
    dhcpd enable inside
    group-policy DfltGrpPolicy attributes
    banner none
    wins-server none
    dns-server none
    dhcp-network-scope none
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout 30
    vpn-session-timeout none
    vpn-filter none
    vpn-tunnel-protocol IPSec l2tp-ipsec
    password-storage disable
    ip-comp disable
    re-xauth disable
    group-lock none
    pfs disable
    ipsec-udp disable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelall
    split-tunnel-network-list none
    default-domain none
    split-dns none
    intercept-dhcp 255.255.255.255 disable
    secure-unit-authentication disable
    user-authentication disable
    user-authentication-idle-timeout 30
    ip-phone-bypass disable
    leap-bypass disable
    nem disable
    backup-servers keep-client-config
    msie-proxy server none
    msie-proxy method no-modify
    msie-proxy except-list none
    msie-proxy local-bypass disable
    nac disable
    nac-sq-period 300
    nac-reval-period 36000
    nac-default-acl none
    address-pools none
    smartcard-removal-disconnect enable
    client-firewall none
    client-access-rule none
    webvpn
      functions url-entry
      html-content-filter none
      homepage none
      keep-alive-ignore 4
      http-comp gzip
      filter none
      url-list none
      customization value DfltCustomization
      port-forward none
      port-forward-name value Application Access
      sso-server none
      svc none
      svc keep-installer installed
      svc keepalive none
      svc rekey time none
      svc rekey method none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
    group-policy customerVPN internal
    group-policy customerVPN attributes
    dns-server value 192.168.0.10
    vpn-tunnel-protocol IPSec
    password-storage enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value customerVPN_splitTunnelAcl
    default-domain value customer.local
    username xxx password 8SYsAcRU4s6DpQP1 encrypted privilege 0
    username xxx attributes
    vpn-group-policy TUNNEL1
    username xxx password C6M4Xy7t0VOLU3bS encrypted privilege 0
    username xxx attributes
    vpn-group-policy PAPAGROUP
    username xxx password RU2zcsRqQAwCkglQ encrypted privilege 0
    username xxx attributes
    vpn-group-policy customerVPN
    username xxx password zfP8z5lE6WK/sSjY encrypted privilege 15
    tunnel-group customerVPN type ipsec-ra
    tunnel-group customerVPN general-attributes
    address-pool VPN_POOL2
    default-group-policy customerVPN
    tunnel-group customerVPN ipsec-attributes
    pre-shared-key *
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a4dfbb82008f78756fe4c7d029871ec1
    : end

    Well lots of new features have been hinted at for ASA 9.2 but I've not seen anything as far as an Engineering Commit or Customer Commit for that feature.
    Site-to-site VPN in multiple context mode was added in 9.0(1), and I have customers who have been asking for the remote access features as well.
    I will remember to ask about that at Cisco Live next month.

  • ASA IPsec Remote Access VPN | NAT Question

    We have a situation where a company that needs remote VPN access to our network is having an IP conflict with our subnet. I know this is a common issue and can often be resolved on the client side by changing the metric on the network interface, but I am looking for a better solution on our end so I do not have to suggest workarounds.
    Part of the problem is likely that our subnet is "too big", but I'm not going to be changing that now.
    We are using 10.0.0.0/24 and the remote is using 10.0.11.0/24 and 10.1.0.0/16.
    I played around with some NAT rules and feel that I am missing something. I am looking for suggestions, please.
    Thank you.

    Hi,
    This depends on your ASA firewalls software version and partly on its current NAT configurations.
    I presume the following
    Interfaces "inside" and "outside"
    VPN Pool network of 10.10.100.0/24 (or some 192/172 network)
    Software 8.2 and below
    access-list VPN-POLICYNAT remark Static Policy NAT for VPN Client
    access-list VPN-POLICYNAT permit ip 10.0.0.0 255.255.255.0 10.10.100.0 255.255.255.0
    static (inside,outside) 192.168.10.0 access-list VPN-POLICYNAT
    The key thing to keep in mind with this software level is that if any of your internal hosts on the network 10.0.0.0/24 also have a "static" configuration that binds their local IP address to a public IP address, then you might have to insert the above configuration and then remove the original "static" command and enter it back again.
    This will change the order of the "static" commands so that the original "static" command won't override this new configuration, as they are processed in the order they are inserted into the configuration. The remove/add part is just to change their order in the configuration.
    Software 8.3 and above
    object network LAN
    subnet 10.0.0.0 255.255.255.0
    object network LAN-VPN
    subnet 192.168.10.0 255.255.255.0
    object network VPN-POOL
    subnet 10.10.100.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN-VPN destination static VPN-POOL VPN-POOL
    In the above configuration we do the same as in the older software version's configuration, but we have the number "1" in the "nat" configuration, which places it at the very top of your NAT configurations and therefore it applies. No need to remove any existing configuration and enter it again like in the old software.
    In addition to the above NAT configuration you naturally have to make sure that the traffic to the NATed LAN network goes to the VPN. So if using Split Tunnel, the NAT network needs to be added to the VPN ACL. If using Full Tunnel, then naturally everything should already be coming through the VPN. I imagine though that you are using Split Tunnel, or?
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni
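The reply above explains two things: the LAN is presented to the VPN client under a non-conflicting mapped network (10.0.0.x becomes 192.168.10.x), and the rule must sit above any pre-existing static for an internal host, or that static wins. The following simulation is an added example, not Cisco code or part of the thread; it models an ordered, first-match NAT table with the networks from the reply, plus a constructed "server static" (10.0.0.10 to 203.0.113.10, documentation addresses) to show why ordering matters.

```python
"""Simulate ordered, first-match NAT evaluation for the overlapping-subnet VPN case."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class NatRule:
    """Static network-to-network NAT for a real source network, optionally
    restricted to a destination network (policy NAT). dst=None means any."""
    name: str
    real_src: Net
    mapped_src: Net
    dst: Optional[Net] = None

    def matches(self, src: IPv4, dst: IPv4) -> bool:
        return src in self.real_src and (self.dst is None or dst in self.dst)

    def forward(self, src: IPv4) -> IPv4:
        # Host bits are preserved: 10.0.0.5 -> 192.168.10.5
        offset = int(src) - int(self.real_src.network_address)
        return IPv4(int(self.mapped_src.network_address) + offset)

    def reverse(self, mapped: IPv4) -> IPv4:
        offset = int(mapped) - int(self.mapped_src.network_address)
        return IPv4(int(self.real_src.network_address) + offset)


def translate(rules: List[NatRule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Outbound: the first rule that matches wins, like the ordered NAT table."""
    s, d = IPv4(src), IPv4(dst)
    for rule in rules:
        if rule.matches(s, d):
            return str(rule.forward(s)), rule.name
    return src, None


def untranslate(rules: List[NatRule], mapped_dst: str, src: str) -> Tuple[str, Optional[str]]:
    """Return traffic: the VPN client targets the mapped address (192.168.10.x);
    find the real host behind it using the same ordered table."""
    m, s = IPv4(mapped_dst), IPv4(src)
    for rule in rules:
        if m in rule.mapped_src and (rule.dst is None or s in rule.dst):
            return str(rule.reverse(m)), rule.name
    return mapped_dst, None


# Networks from the reply above (constructed for this example).
LAN = Net("10.0.0.0/24")
LAN_VPN = Net("192.168.10.0/24")   # what the VPN client sees instead of 10.0.0.0/24
VPN_POOL = Net("10.10.100.0/24")

VPN_POLICY_NAT = NatRule("LAN->LAN-VPN for VPN-POOL", LAN, LAN_VPN, VPN_POOL)
# Constructed pre-existing one-to-one static for an internal server (RFC 5737 public IP).
SERVER_STATIC = NatRule("server static", Net("10.0.0.10/32"), Net("203.0.113.10/32"))


def nat_table(vpn_rule_first: bool) -> List[NatRule]:
    """'nat (inside,outside) 1 ...' places the VPN rule at the top; on the old
    software the existing static had to be removed and re-added to get this order."""
    if vpn_rule_first:
        return [VPN_POLICY_NAT, SERVER_STATIC]
    return [SERVER_STATIC, VPN_POLICY_NAT]


def demo() -> dict:
    results = {}
    for first in (False, True):
        table = nat_table(first)
        # The server with its own static talks to a VPN client: ordering decides.
        results[("server->vpn", first)] = translate(table, "10.0.0.10", "10.10.100.7")
        # Any other LAN host is unaffected by the ordering.
        results[("host->vpn", first)] = translate(table, "10.0.0.5", "10.10.100.7")
        # The server's Internet traffic must still use its public static.
        results[("server->internet", first)] = translate(table, "10.0.0.10", "198.51.100.1")
    results["vpn->server"] = untranslate(nat_table(True), "192.168.10.10", "10.10.100.7")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

With the server static first, 10.0.0.10 reaches the VPN client as 203.0.113.10, an address the client's split-tunnel ACL does not cover; with the VPN rule first it is 192.168.10.10 as intended.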

  • VPN License question on 5505 ASA Firewall

    Inherited a firewall project, it's getting a VPN running on a ASA 5505 Firewall for remote workers.  Firewall was configured by someone else who isn't available. 
    Basic question on the License: The current license is good for 2 SSL VPN Peers, and 20 "Total VPN Peers".  Can anyone elaborate on "Total VPN Peers"?  Can I configure Clientless SSL VPN connections, or do I need to go IPSec to get the 20 VPN sessions?
    Thank you in advance,
    Jeff

    Hi Linda,
    The default IKE SA lifetime is 86,400 seconds and the default IPSEC SA lifetime is 28,800 seconds. However, these values are configurable so you'll need to check your 5505 configuration to answer these questions. You can look at the output of 'show run crypto' to see the configured values.
    -Mike

  • Dual ISP on ASA VPN question.

    Hi all.
    My question is very simple: is there any way or feature that could allow us to have a backup VPN tunnel on the secondary ISP on the ASA 5520?
    Let's assume the primary ISP goes down; is there any way for the VPN tunnel to come online at the backup ISP?
    Config:
    crypto isakmp enable outside
    crypto isakmp enable backup
    tunnel-group 200.200.2.1 type ipsec-l2l
    tunnel-group 200.200.2.1 ipsec-attributes
    pre-shared-key CISCO
    tunnel-group 200.200.1.1 type ipsec-l2l
    tunnel-group 200.200.1.1 ipsec-attributes
    pre-shared-key CISCO
    crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
    crypto map VPN 10 match address VLAN121_TO_VLAN23
    crypto map VPN 10 set peer 200.200.1.1
    crypto map VPN 10 set transform-set 3DES_MD5
    crypto map VPN 20 match address VLAN121_TO_VLAN23
    crypto map VPN 20 set peer 200.200.2.1
    crypto map VPN 20 set transform-set 3DES_MD5
    ! Apply crypto-map and enable VPN traffic to bypass ACLs
    crypto map VPN interface outside
    crypto map VPN interface backup
    sysopt connection permit-vpn
    Thank you.

    We are not able to make a loopback on the ASA.
    The routing with SLA is working fine; the problem is when the local network goes to the remote network it always tries to get the first tunnel, which was set up for the first ISP IP address.

  • Cisco ASA VPN question: %ASA-4-713903: IKE Receiver: Runt ISAKMP packet

    Dear community,
    Quite frequently I am now receiving the following error message in my ASA 5502's log:
    Oct 17 12:52:17 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:22 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    Oct 17 12:52:27 <myASA> %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from <some_ip>:<some_port>
    The VPN Clients (in the last case: A linux vpnc) disconnect with message
       vpnc[7736]: connection terminated by dead peer detection
    The ASA reports for that <some_ip> at around the same time:
    Oct 17 12:52:32 <myASA> %ASA-4-113019: Group = blah, Username = johndoe, IP = <some_ip>, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested    
    A Google search did not reveal any explanation of the "%ASA-4-713903: IKE Receiver: Runt ISAKMP packet..." message, so my questions would be:
       1) What does the message exactly mean? I know runts as an L2 problem, so I'd suppose it means the same: the ISAKMP packet is somehow crippled (I'd suppose this happens during rekeying)?
       2) Any idea where to look for the cause of this?
              WAN related (however I'd assume not; why does this happen in these regular time frames as shown above)?
              SW related (vpnc bug)?
    Thanks in advance for any pointer...
    Joachim

    Yes.  You need to eliminate the things I've said to eliminate with the other side.  Ensure your configs are matching exactly.  They probably are, whatever, just make sure of it because it's easy.  You both need to run packet captures on your interfaces both in and out to even begin to have an idea of where to look.
    The more info you can have just one person responsible for the better.  What I mean by that is, it's typically a nice step for the 'bigger end' to have the 'smaller end's' config file to look at.
    If you are seeing packets come in your inside, leave your outside, and never make it to his inside, then take it a step at a time.
    If you're seeing them come in his interface and never come back out, you know where to look.
    Set your caps to a single host to single host if need be, and generate traffic accordingly.
    You need to narrow down where NOT to look so that you know where TO look.  I would say then, and only then, do you get the ISP involved.  Once you're sure the problem exists between his edge device and your edge device.
    I do exactly this for a living on a daily basis...day after day after day.  I'm responsible for over 200 IPSec s2s connections and thousands of SSL VPN sessions.  I always start the exact same way...from the very bottom.
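Before involving the peer or the ISP, the question above already holds a useful clue: the runt messages arrive in a burst from one peer and are followed seconds later by that peer's disconnect. The following is an added example (not part of the thread and not Cisco code) that parses constructed log lines in the same format as the post and reports disconnects preceded by a burst of runt ISAKMP packets from the same IP; the year, hostname, addresses and thresholds are assumptions.

```python
"""Correlate ASA %ASA-4-713903 runt-ISAKMP messages with %ASA-4-113019 disconnects."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_YEAR = 2013  # assumed: ASA syslog timestamps carry no year

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$")
RUNT = re.compile(
    r"Runt ISAKMP packet discarded on Port (?P<port>\d+) from (?P<ip>[\d.]+):(?P<sport>\d+)")
DISC = re.compile(
    r"Username = (?P<user>[^,]+), IP = (?P<ip>[\d.]+), Session disconnected.*Reason: (?P<reason>.+)$")

# Constructed sample log in the format of the post (hostname and IPs are documentation values).
SAMPLE_LOG = """
Oct 17 12:52:17 asa5505 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.23:4500
Oct 17 12:52:22 asa5505 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.23:4500
Oct 17 12:52:27 asa5505 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 198.51.100.23:4500
Oct 17 12:52:30 asa5505 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.9/443 to inside:192.168.0.11/443
Oct 17 12:52:32 asa5505 %ASA-4-113019: Group = blah, Username = johndoe, IP = 198.51.100.23, Session disconnected. Session Type: IPSecOverNatT, Duration: 2h:40m:35s, Bytes xmt: 2410431, Bytes rcv: 23386708, Reason: User Requested
Oct 17 12:40:01 asa5505 %ASA-4-713903: IKE Receiver: Runt ISAKMP packet discarded on Port 4500 from 203.0.113.9:4500
Oct 17 12:55:00 asa5505 %ASA-4-113019: Group = blah, Username = janedoe, IP = 203.0.113.9, Session disconnected. Session Type: IPSecOverNatT, Duration: 0h:10m:02s, Bytes xmt: 1024, Bytes rcv: 2048, Reason: Idle Timeout
""".strip().splitlines()


@dataclass
class Event:
    when: datetime
    msgid: str
    ip: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for the two message IDs of interest, None for anything else."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts = " ".join(m["ts"].split())
    when = datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
    body = m["body"]
    if m["msgid"] == "713903":
        r = RUNT.search(body)
        return Event(when, "713903", r["ip"], f"port {r['port']}") if r else None
    if m["msgid"] == "113019":
        d = DISC.search(body)
        return Event(when, "113019", d["ip"], f"{d['user'].strip()}: {d['reason'].strip()}") if d else None
    return None


def runt_counts(lines: List[str]) -> Dict[str, int]:
    """Total runt ISAKMP packets per source IP, to see which peers are noisy."""
    counts: Dict[str, int] = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        if e.msgid == "713903":
            counts[e.ip] += 1
    return dict(counts)


def correlate(lines: List[str], window_s: int = 60, min_runts: int = 3) -> List[Tuple[str, str, int]]:
    """Disconnects preceded by at least min_runts runt packets from the same IP
    within window_s seconds. Returns (ip, 'user: reason', runt_count) tuples."""
    events = list(filter(None, map(parse_line, lines)))
    runts: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.msgid == "713903":
            runts[e.ip].append(e.when)
    findings = []
    for e in events:
        if e.msgid != "113019":
            continue
        start = e.when - timedelta(seconds=window_s)
        n = sum(1 for t in runts[e.ip] if start <= t <= e.when)
        if n >= min_runts:
            findings.append((e.ip, e.detail, n))
    return findings


if __name__ == "__main__":
    print("runts per peer:", runt_counts(SAMPLE_LOG))
    for ip, detail, n in correlate(SAMPLE_LOG):
        print(f"{ip}: disconnect ({detail}) preceded by {n} runt ISAKMP packets")
```

A peer that disconnects right after a burst of runts on UDP 4500 is worth capturing on the outside interface, as the reply suggests, while a lone runt hours before an idle timeout is noise.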

  • Cisco ASA 5505 - 2 questions - VPN Licensing; Routing

    Hi,
    I have a client that has a Cisco ASA 5505 security appliance.  Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN.  The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users.  25 users is the max on this device I believe.
    I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
    The second question I have is routing capability.  We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located.  A Cisco 2851 is used for this connection.  We are wanting to bring in a high speed Internet connection for the VPN access and Internet access.  What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
    Thanks!
    --Kent

    Hi Kent,
    Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    Regards,
    David Dunlap
    SBSC Engineer

  • ASA 5510 VPN profiles question

    Hi!
    I wonder if it is possible to let users connect to our firewall with AnyConnect (vpn.customer.se) and get three profiles from the drop-down list to choose from: one for economy, development and public. The three departments are located at different interfaces on the ASA. If they choose economy, they log in and get routed to the correct interface and network.
    Cheers

    Hi,
    This should be possible.
    I for example have 2 VPN Profiles/Groups on my home ASA
    Regarding getting the different groups to show in the drop-down menu of both the AnyConnect client and the web login, I have enabled the following settings:
    webvpn
    tunnel-group-list enable
    tunnel-group VPN1 webvpn-attributes
    group-alias VPN1 enable
    tunnel-group VPN2 webvpn-attributes
    group-alias VPN2 enable
    Where:
    VPN1 and VPN2 are examples of 2 different VPN client profiles / tunnel groups.
    VPN1 and VPN2 under the "webvpn-attributes" could be something totally different.
    The name configured here will show up in the drop-down menu and can be different from the one configured as the name of the "tunnel-group".
    [Example screenshots of my browser and client login windows: Web, Client]
    - Jouni

  • ASA 5505 VPN configuration question

    I have an ASA 5505 v7.2(3) ASDM 5.2(3) that I am trying to get reconfigured after our cable company was bought out and they replaced the cable modem with a router. My ASA now has a non-routable "10" address on the outside instead of one of the 5 statics I have assigned to me. I have NATted my servers, but I cannot get my VPN clients connected. I am not sure how to get one of my statics assigned to the ASA to use for the VPN tunnel. It used to be that I just tunneled to the static "outside" address with my Cisco VPN clients (remote PCs). I tried assigning one of my statics to the outside, but then I had no connectivity at all since there is a router now before me, where it was just a modem before. I am used to working on larger PIXs with my own IP address range, and not used to dealing with DHCP-assigned outside addresses, so I am sure it is something simple I am missing. Any help would be greatly appreciated; this is for a small charity animal shelter that has been down since the cable company made their "transparent change" when they bought another one out.
    The ISP router has an interface with one of my statics on the outside-facing interface, and a 10 address on the interface directly connected to my ASA. The ISP router then assigns a 10 address to my outside interface on the ASA. I then have 192 addresses on my inside interfaces with statics for their servers. I am just not sure now how to connect my VPN clients since I do not have a routable outside address anymore. I have tried connecting to the static on the ISP, thinking they might pass the packet, but they don't. I thought maybe a loopback could be assigned to the ASA, but could not see a way to do that. Also the Ethernet interfaces cannot have addresses assigned, only VLANs, of which there can only be two, and both are used (inside, outside), so I am out of ideas.
    Thanks for any help
    Thanks much

    Hi Kevin
    Your current design causes administrative overhead. You either need one-to-one mapping with the outside interface or a PAT which is forwarding UDP 4500 and TCP 10000 (may cause troubles in GRE).
    Ask your ISP to configure the router in bridged mode and let your outside interface have the public IPs instead of 10.x.x.x.
    Regards

  • ASA IPSEC VPN Design Question; ARP Between ASA

    I've a requirement to put two ASAs between two sites. The second site has hosts within the same network as the first site (a conflict of fundamental routing principles). Can you put an ASA inline between the router and distribution switch at each site, set up an IPsec VPN and not have issues? I thought we could have the distro switch terminate in the DMZ interface set up as a layer 2 interface in a VLAN, with a VLAN interface in the same network as the VLAN interface on the ASA DMZ interface at the other site. Will this work? I guess the biggest concern is how to get layer 2 (ARP) to work so hosts/servers can find each other between buildings and not get dropped on a layer 3 interface that doesn't see the distant network on a different egress interface.
    Thanks!
    Matt

    Matt,
    AFAIK, what you are describing is layer 2 tunneling, providing layer 2 networks from two separate locations.
    The only way I am aware of to provide this does NOT involve ASAs or VPNs using layer 3. You could do this over MPLS or a transparent layer 2 point-to-point circuit.
    Perhaps another NetPro has done this or knows how; I did hear of someone bridging through a GRE tunnel, not sure if that is a viable option or actually works.
    HTH
