03-18-2020 11:43 AM
Hello All,
*Let me know if I should post this under a different category...
I'm wondering if it would be possible to set up some type of temporary VPN-like connection between 2 locations. One of our branches is moving to a new location. The private MPLS circuit won't be getting installed for quite some time; however, we'll be having some local broadband installed prior to them moving to this new location.
So I'm wondering if there is anything we could do temporarily to set up a connection between the remote location and our HQ.
Remote Location has:
- 1 x ISR4321
- 1 x WS-C3650-48FD-S
HQ Location has:
- Lots of Cisco Gear. But most importantly, 2 x ASA5525
Is there anything we can do with the ASA and the ISR in the remote location to set up some type of direct VPN-like connection so we can get their IP phones up and running while we wait for the MPLS circuit to be installed?
Any thoughts or suggestions would be greatly appreciated!
Thanks in Advance,
Matt
03-18-2020 11:52 AM
Hi,
You could set up a VPN between the ISR and the ASA, either a VTI or a traditional crypto map. You do need to be running ASA v9.7 or newer to configure a VTI.
Here are some examples: VTI and Crypto Map.
HTH
03-18-2020 12:15 PM
03-18-2020 12:20 PM
In that case you can only set up a crypto map site-to-site VPN; you can use the ASDM wizard to set this up.
Does your ISR router have a public IP address, or will it be NATed behind the ISP router? If NATed behind the ISP router, you will need to set up port forwarding to your ISR router's IP address.
03-18-2020 12:34 PM
03-18-2020 12:40 PM
The ISR's outside interface will have a private IP address; the ISP router will port forward to this IP address.
03-18-2020 01:02 PM
Ok thank you.
In all of our branch locations, I set up the ISP router's LAN addressing to use 10.x.3.0 (*where x is the subnet for that particular branch).
On our branch ISR routers, for the interface connecting the ISR to the ISP's router, I have, for example, that interface configured with IP address 10.19.3.2, and the ISP router configured as 10.19.3.1.
So on the ISP's router, I would configure port forwarding to 10.19.3.2? Is that correct? Would there be a specific port range that needs forwarding?
Thanks Again,
Matt
03-18-2020 01:23 PM
03-18-2020 12:28 PM
Hi,
If there is another layer 2 device in front of your ISR, no problem. If there is another layer 3 device in front of your ISR, regardless of whether it does NAT for you or not (it depends on whether you get a public or private IP), it needs to allow all IP traffic towards your ISR, no firewalls. See the guides below to help you set it up, both via crypto map (if you want to keep the current ASA version) and via VTI (if you want to upgrade):
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136
Regards,
Cristian Matei.
03-18-2020 01:06 PM
03-18-2020 01:29 PM
Hi,
Yes it would.
Regards,
Cristian Matei.
03-19-2020 08:18 AM
As far as ports to forward on the ISP device, @Rob Ingram correctly identifies UDP 500 and 4500, which take care of ISAKMP. You would also need to forward ESP packets (note that ESP is an IP protocol and not a port number).
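Below is a worked crypto-map site-to-site configuration for the setup discussed in this thread (ISR4321 with private outside address 10.19.3.2 behind the ISP router's NAT, ASA5525 at HQ with a public address). It is an added example, not configuration from any of the posters or from Cisco's guides. It uses IKEv2 rather than IKEv1: the crypto-map structure is the same, IKEv2 still runs over UDP 500 and switches to UDP 4500 when NAT is detected, and it works on ASA code older than 9.7 because no VTI is involved. Everything not stated in the thread is an assumption chosen for the example: the ASA's public address 203.0.113.10, the ISP router's public address 198.51.100.20, branch data/voice subnets 10.19.1.0/24 and 10.19.2.0/24, HQ LAN 10.1.0.0/16, the interface names, and the pre-shared key placeholder (replace it with a long random key). One caveat on the forwarding discussed above: once NAT is detected, both ends encapsulate ESP inside UDP 4500 (NAT-T, on by default on both platforms), so forwarding UDP 500 and 4500 to 10.19.3.2 is what actually carries the tunnel; a separate ESP (IP protocol 50) forward only matters if NAT-T is disabled.

```cisco
! ===== Branch ISR4321 (IOS-XE), outside interface 10.19.3.2 behind the ISP router =====
! All addresses, interface names and the PSK placeholder are assumptions for this example.
crypto ikev2 proposal HQ-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy HQ-POL
 proposal HQ-PROP
!
crypto ikev2 keyring HQ-KEYRING
 peer HQ-ASA
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
!
! The ASA sees the session arriving from the ISP router's public address, so send that
! address as our IKE identity instead of the private 10.19.3.2; otherwise the ASA has
! no tunnel-group that matches our identity.
crypto ikev2 profile HQ-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local address 198.51.100.20
 authentication remote pre-share
 authentication local pre-share
 keyring local HQ-KEYRING
 dpd 10 3 periodic
!
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: branch data and voice subnets to the HQ LAN (assumed values).
ip access-list extended VPN-TO-HQ
 permit ip 10.19.1.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.19.2.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set HQ-TS
 set pfs group14
 set ikev2-profile HQ-PROFILE
 match address VPN-TO-HQ
!
interface GigabitEthernet0/0/0
 description Uplink to ISP router 10.19.3.1
 ip address 10.19.3.2 255.255.255.0
 crypto map HQ-MAP
!
interface GigabitEthernet0/0/1
 description Branch LAN (to WS-C3650)
 ! Clamp TCP MSS so phone signalling and other TCP flows fit inside the tunnel MTU.
 ip tcp adjust-mss 1360
!
ip route 0.0.0.0 0.0.0.0 10.19.3.1
!
! ===== HQ ASA5525 (crypto map, no VTI, so it also works on pre-9.7 code) =====
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal BRANCH19-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
object-group network BRANCH19-LANS
 network-object 10.19.1.0 255.255.255.0
 network-object 10.19.2.0 255.255.255.0
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
!
! Crypto ACL mirrors the ISR's VPN-TO-HQ list.
access-list BRANCH19-VPN extended permit ip object HQ-LAN object-group BRANCH19-LANS
! Identity NAT keeps VPN traffic out of the ASA's outbound PAT.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH19-LANS BRANCH19-LANS no-proxy-arp route-lookup
!
crypto map OUTSIDE-MAP 10 match address BRANCH19-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.20
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal BRANCH19-PROP
crypto map OUTSIDE-MAP 10 set pfs group14
crypto map OUTSIDE-MAP interface outside
!
! Tunnel-group is named after the peer's public (post-NAT) address, matching the
! identity the ISR sends.
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-LONG-RANDOM-PSK
```

To verify, generate traffic from a branch subnet (a phone registering is enough) and check `show crypto ikev2 sa detailed` and `show crypto ipsec sa` on the ISR, and `show crypto ikev2 sa` and `show crypto ipsec sa peer 198.51.100.20` on the ASA; the IKEv2 SA should report NAT detected for the branch side, and the IPsec SA's encaps/decaps counters should both increase. If the ISR itself also does PAT toward the ISP router (in this thread the ISP router does the NAT, so the ISR does not need to), the traffic in VPN-TO-HQ must be exempted from that NAT or it will be translated before the crypto map sees it. Note that the ISP router's forward exposes the ISR's IKE responder to the whole internet; a strong pre-shared key is the minimum, and restricting inbound UDP 500/4500 to the ASA's address (on the ISP router if it allows it, or with an ACL or zone-based firewall on the ISR) is worth doing even for a temporary link.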
03-19-2020 10:27 AM