Connecting Cisco ASA 5505 to multiple IPSec VPN

kylebqmacs
Level 1

I need to know if this is possible.  We currently have 2 different ASA 5505 connected to our ASA5510.  We want to VPN connect the 2 5505's to each other while still maintaining connection to our 5520.  Any ideas?  I have attached a pdf of what we have.  What we want is to connect traffic between the two 5505's so that devices in either location can talk to each other while still maintaining connection to the 5510.

13 Replies

that can easily be achieved. On each 5505 add a second sequence in the crypto map and another tunnel-group for the other ASA. So on each 5505 you will have a config that is similar to that of the 5510 which has also two VPN-definitions.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Will this work even if I have a NAT behind each 5505? For example 172.16.5.0/24 = 192.168.2.0/24 and 172.16.6.0/24 = 192.168.3.0/24.  How will the 2 endpoint networks communicate with each other if the NAT is in place?

There won't be any challenge in that as long as your sites don't have overlapping IP-space. Just configure NAT-Exemption for the VPN-Traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
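As an added illustration of the two replies above (a second crypto map sequence plus a second tunnel-group on each 5505, and NAT exemption for the branch-to-branch traffic), here is what the extra configuration on one 5505 could look like. This is example configuration written for this thread, not a config posted by any participant; the LAN subnets, the peer address 203.0.113.2, the crypto map name OUTSIDE_MAP, the sequence numbers and ASA 8.4+ command syntax are all assumptions, and the pre-shared key is a placeholder.

```cisco
! Example for "5505-1"; mirror it on "5505-2" with the objects and peer swapped.
! Assumptions (constructed for this example, not from the thread):
!   5505-1 inside LAN: 192.168.2.0/24, 5505-2 inside LAN: 192.168.3.0/24
!   5505-2 public address: 203.0.113.2 (placeholder)
!   The existing tunnel to the 5510 already uses OUTSIDE_MAP sequence 10,
!   IKEv1 is already enabled on the outside interface, and ASA 8.4+ syntax applies.
object network LAN-5505-1
 subnet 192.168.2.0 255.255.255.0
object network LAN-5505-2
 subnet 192.168.3.0 255.255.255.0

! Crypto ACL: only branch-to-branch traffic is "interesting" for this tunnel
access-list VPN-TO-5505-2 extended permit ip object LAN-5505-1 object LAN-5505-2

! NAT exemption: keep the real source/destination addresses for traffic entering the tunnel
nat (inside,outside) source static LAN-5505-1 LAN-5505-1 destination static LAN-5505-2 LAN-5505-2 no-proxy-arp route-lookup

! IKEv1 policy and IPsec transform set (reuse the ones the 5510 tunnel already uses if present)
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Second sequence in the SAME crypto map that carries the 5510 tunnel
crypto map OUTSIDE_MAP 20 match address VPN-TO-5505-2
crypto map OUTSIDE_MAP 20 set peer 203.0.113.2
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
! "crypto map OUTSIDE_MAP interface outside" is already in place for sequence 10

! Second tunnel-group, named after the peer's public address
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
```

After traffic matching the crypto ACL flows in either direction, `show crypto ikev1 sa` and `show crypto ipsec sa` should list the 203.0.113.2 peer next to the existing 5510 entry; the `no-proxy-arp route-lookup` keywords keep the identity NAT from interfering with routing on the outside interface.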

Julio Carvajal
VIP Alumni

Hello Kyle,

So basically you want to communicate between both 5505 branches over an IPSec tunnel.

It can be done.

You will need to create a VPN tunnel from both ASA's 5505 to the ASA5510.

Then permit the traffic from each of those branches to each other in the crypto ACL to the ASA 5510.

Any question..Sure.. Just remember to rate all of my answers.


Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Good news is I already have the IPsec tunnel created for the 2 5505's connecting to the 5510.  How would the rule look when I add it to the ACL?  Do I add something on the inside or outside?  Would it be 5505-2 any IP to 5505-1 and vice versa?

Hello Kyle,

It needs to be the crypto ACL.

Also remember to perform a nat (outside,outside) from the two remote offices.

If you want you can post the 5520 configuration and the subnets that need to talk to each other ( 5505 vs 5505)

Any question..Sure.. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The only issue is that we don't want them to route back through our network just for them to talk to each other.  Can I not just set up another IPsec VPN on each 5505 with one as host and the other as client?

Hello Kyle,

If the 3 of them are reachable over the internet then yes, you can have a l2l between both ASA's without going to the ASA 5520.

Any other question..Sure.. Just remember to rate all of my answers.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I know how to create the connection from a client to host.  How do I set up the 5505 as a host using ASDM?

you can control that with the crypto definition. Perhaps it's best to post the output of the following commands of both 5505s:

sh run crypto map

sh run tunnel-group

Then we can tell you what you need to add.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

I am unable to post config for security reasons.  Can you guys post an example and show me what to add.

OK.  I have it working.  However, I have to ping each of the devices from each other.  Is there a way to auto establish the route?

Another similar issue I have is getting 2 ASAs that are both connected to the same IPsec tunnel to communicate with each other without having to ping each other to establish a route.

Any ideas?

kylebqmacs
Level 1

Haven't heard anything from you guys in a while.  Any ideas??
