Cisco Community
English
Register
We're here for you! LEARN about free offerings and business continuity best practices during the COVID-19 pandemic
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
259
Views
25
Helpful
12
Replies
Highlighted
Matthew Martin
Contributor
Contributor
‎03-18-2020 11:43 AM
‎03-18-2020 11:43 AM

Setup a Temporary Location to Location Setup

Hello All,

*Let me know if I should post this under a different category...

I'm wondering if it would be possible to setup some type of temporary VPN'like connection between 2 locations. One of our branches is moving to a new location. The private MPLS circuit won't be getting installed for quite some time, however we'll be having some local broadband installed prior to them moving to this new location.

So I'm wondering if there is anything we could do temporarily to setup a connection between the remote location and our HQ.

Remote Location has:

- 1 x ISR4321

- 1 x WS-C3650-48FD-S

HQ Location has:

- Lots of Cisco Gear. But most importantly, 2 x ASA5525

 

Is there anything we can do with the ASA and the ISR in the remote location to setup sometype of direct VPN-like connection so we can get their IP Phones up and running while we wait for the MPLS circuit to be installed?

Any thoughts or suggestions would be greatly appreciated!

Thanks in Advance,
Matt

0 Helpful
Reply
12 REPLIES 12
Highlighted
RJI
VIP Advisor VIP Advisor
VIP Advisor
‎03-18-2020 11:52 AM
‎03-18-2020 11:52 AM

Re: Setup a Temporary Location to Location Setup

Hi,

You could setup a VPN between the ISR and the ASA, either a VTI or traditional crypto map. You do need to be running ASA v9.7 or newer to configure a VTI.

 

Here are some examples VTI and Crypto Map.

 

HTH

Reply
Highlighted
Matthew Martin
Contributor
Contributor
‎03-18-2020 12:15 PM
‎03-18-2020 12:15 PM

Re: Setup a Temporary Location to Location Setup

It looks like our ASA is currently running v9.4(4)20.

I see in the ASDM there's an option to configure a Site-to-Site VPN...?

Also, the remote office will have the local broadband's Router in between our ISR and the Internet. Would this cause any issues in setting up one of these options?

-Matt
0 Helpful
Reply
Highlighted
RJI
VIP Advisor VIP Advisor
VIP Advisor
‎03-18-2020 12:20 PM
‎03-18-2020 12:20 PM

Re: Setup a Temporary Location to Location Setup

In that case you can only setup a crypto map site to site VPN, you can use Asda wizard to set this up.

 

Does your ISR router have a public IP address or will it be natted behind the isp router? If natted behind the isp router you will need to setup port forwarding to your ISR routers IP address.

 

0 Helpful
Reply
Highlighted
Matthew Martin
Contributor
Contributor
‎03-18-2020 12:34 PM
‎03-18-2020 12:34 PM

Re: Setup a Temporary Location to Location Setup

Thanks again for the reply!

Ok, thanks. The ISR does not have its own public IP. It'll be natted behind the ISP router. Is the port forwarding done via the ISR or the ISP Router? I know those ISP Routers usually have port forwarding settings in the admin GUI...

Thanks Again,
Matt
0 Helpful
Reply
Highlighted
RJI
VIP Advisor VIP Advisor
VIP Advisor
‎03-18-2020 12:40 PM
‎03-18-2020 12:40 PM

Re: Setup a Temporary Location to Location Setup

The ISR’s outside interface will have a private IP address, the isp router will port forward to this IP address.

0 Helpful
Reply
Highlighted
Matthew Martin
Contributor
Contributor
‎03-18-2020 01:02 PM
‎03-18-2020 01:02 PM

Re: Setup a Temporary Location to Location Setup

Ok thank you.

In all of our Branch locations, I setup the ISP Router's LAN addressing to use 10.x.3.0 (*where x is the subnet for that particular branch).

On our branch ISR routers. For the interface connecting the ISR to the ISP's Router. For example, I have that interface configured with IP Address 10.19.3.2, and the ISP Router configured as 10.19.3.1.

So on the ISP's Router, I would configure Port Forwarding to 10.19.3.2? Is that correct? Would there be a specific port range that needs forwarding?

 

Thanks Again,

Matt

0 Helpful
Reply
Highlighted
RJI
VIP Advisor VIP Advisor
VIP Advisor
‎03-18-2020 01:23 PM
‎03-18-2020 01:23 PM

Re: Setup a Temporary Location to Location Setup

Yes 10.19.3.2, ports udp/500 and udp/4500
Reply
Highlighted
Cristian Matei
Collaborator
Collaborator
‎03-18-2020 12:28 PM
‎03-18-2020 12:28 PM

Re: Setup a Temporary Location to Location Setup

Hi,

 

    If there is another layer 2 device in front of your ASR, no problem. If there is another layer 3 device in front of your ISR, regardless if it does NAT for you or not (it depends if you get a public or private IP), it needs to allow all IP traffic towards your ISR, no firewalls. See below guides to help you set it up, both via crypt-map (if you want to keep the current ASA version) and via VTI (if you want to upgrade):

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/119141-configure-asa-00.html

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1063136

 

Regards,

Cristian Matei.

Reply
Highlighted
Matthew Martin
Contributor
Contributor
‎03-18-2020 01:06 PM
‎03-18-2020 01:06 PM

Re: Setup a Temporary Location to Location Setup

Thanks Cristian.

Would using the ASDM's "Site-to-Site VPN Connection Wizard" work for what you're describing doing it via a crypto-map?

Thanks,
Matt
0 Helpful
Reply
Highlighted
Cristian Matei
Collaborator
Collaborator
‎03-18-2020 01:29 PM
‎03-18-2020 01:29 PM

Re: Setup a Temporary Location to Location Setup

Hi,

 

  Yes it would.

 

Regards,

Cristian Matei.

Reply
Highlighted
Richard Burts
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
‎03-19-2020 08:18 AM
‎03-19-2020 08:18 AM

Re: Setup a Temporary Location to Location Setup

As far as ports to forward on the ISP device @RJI correctly identifies udp 500 and 4500 which takes care of ISAKMP. You would also need to forward ESP packets (note that ESP is an IP protocol and not a port number).

HTH

Rick
Reply
Highlighted
Matthew Martin
Contributor
Contributor
‎03-19-2020 10:27 AM
‎03-19-2020 10:27 AM

Re: Setup a Temporary Location to Location Setup

Thanks Richard, much appreciated!

-Matt
0 Helpful
Reply
Latest Contents
Error SSH enabling batch
Created by Brand4480 on 05-24-2020 06:52 PM
0
0
0
0
Re: Unable to SSHDiane,     The difference you are seeing is that an ASA is a firewall first and a VPN product second.  The VPN Concentrators just did VPN and didn't concern themselves with routing, switching, or firewalls.  ... view more
Auto summarization - in simple word
Created by Deepak kumar on 05-24-2020 01:04 PM
1
5
1
5
Level: Beginner Topic: Auto-Summarization in IGP (EIGRP and RIP)   I know you may know about Auto Summary, but there are very few documents about Auto Summary. I decided to describe it in simple words. I saw that many CCNA and CCNP students face diff... view more
DNAC Template - CLI + Velocity
Created by abdeabdu@cisco.com on 05-21-2020 02:19 PM
0
0
0
0
Template Introduction The template editor is a standalone application that can be used to Build your Day-0 (PnP) or Day-N configurations. •Day-0 (PnP)  : Is your PnP/Onboarding Template . This is a one-time Template that used while you onboard your ... view more
Cisco 3750g facng issue RPS light Orange
Created by awaiswaheed810590513 on 05-19-2020 01:54 AM
0
0
0
0
*Mar 1 00:01:28.592: %PLATFORM_IPC-3-COMMON: Init failed before IPC init-Traceback= 16F4B68 15EA4D0 2926648 29266E0 1FE2584 1FE27F0 1BD366C 1BC9E40*Mar 1 00:01:28.726: %SMI-5-CLIENT: Smart Install Client feature is enabled. It is recommended to disable th... view more
#CiscoChat Live-Get Ready for Multicloud: What it is, What i...
Created by Kelli Glass on 05-18-2020 05:03 PM
0
0
0
0
Join us on Thursday, May 21 at 10 am PT (and on demand after) as we discuss what multicloud is and how organizations can use it to optimize the user experience around SaaS and IaaS.
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad