IPsec tunnel without a private network

stmsystems
Level 1

I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520.  Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with.  Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel.  My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic.  Is this scenario even possible?  If so, what configuration options should I consider?

Thanks!

5 Replies

Jouni Forss
VIP Alumni

Hi,

It would be good to see the configurations you have inserted for this.

It shouldn't really matter what IP addresses you use for the NAT. The main thing is that the NAT is configured correctly and the ACL defining the tunneled traffic matches.

For example I manage a customer firewall where the customer wanted to use the whole connected /24 network as source address for a L2L VPN connection.

- Jouni

Now that I read your question again it seems to me that I might have misunderstood you.

Are you saying that you only have an "outside" interface and all hosts are connected on that network? If so, it sounds quite strange.

- Jouni

Indeed, I've only attached the 'outside' interface as all of my hosts are on that /29.  A main router/firewall on that same network controls access to that VLAN and the rule I have in place on it allows the IPsec connection to the ASA from another location on the internet.

I've got to say I have never tried this or had any situation where I would want to use the ASA like this.

This would be something I would have to test as I can't say for sure if it's possible or not.

For one I would at least make sure of the following things:

  • Make sure you have the configuration "same-security-traffic permit intra-interface"
    • This will permit the traffic to enter and leave the same interface, which in this case is "outside"
  • That the host default route points to the ASA
  • Consider configuring NAT0 for the "outside" /29 network on the "outside" interface when the destination network is the remote site network
  • Use the "packet-tracer" command to simulate a packet coming from the "outside" host towards the remote site and see what the output is
    • packet-tracer input outside tcp

How do you confirm the ASA is rejecting the traffic? Do you see some log message?

Have you seen any traffic get encapsulated/encrypted at this site OR is there only traffic incoming from the remote site?

- Jouni
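The checklist in the reply above, written out as an ASA configuration fragment. This is an added example, not configuration from the thread's author or from the poster's ASA. It assumes ASA 8.3+ object/twice-NAT syntax, IKEv1 with a pre-shared key, and documentation addresses: the ASA's outside interface at 203.0.113.1/29 with the other hosts on that same /29, an upstream router at 203.0.113.6, a remote peer at 198.51.100.1 and a remote LAN of 10.20.0.0/24. Object names, the crypto map name and the pre-shared key placeholder are all invented for the example.

```cisco
! Added example (not from the thread). Assumed addresses use RFC 5737 documentation ranges.
!
! 1. Allow traffic to enter and leave the same interface ("outside" hairpin).
same-security-traffic permit intra-interface
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.248
!
! Local public /29 (the ASA's own segment) and the remote site's LAN.
object network LOCAL_PUBLIC_29
 subnet 203.0.113.0 255.255.255.248
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.255.0
!
! 2. NAT0 (identity NAT) for outside-to-outside traffic bound for the remote LAN,
!    so the /29 source addresses are preserved when they are matched by the crypto ACL.
nat (outside,outside) source static LOCAL_PUBLIC_29 LOCAL_PUBLIC_29 destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! 3. Crypto ACL: define the interesting traffic for the L2L tunnel.
access-list VPN_TRAFFIC extended permit ip object LOCAL_PUBLIC_29 object REMOTE_LAN
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 198.51.100.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
! Default route toward the upstream router on the same /29 (assumed .6).
route outside 0.0.0.0 0.0.0.0 203.0.113.6 1
!
! 4. Exec-mode check: simulate a host on the /29 (203.0.113.2) reaching a remote host on port 80.
!    Each phase of the output (ROUTE-LOOKUP, NAT, VPN, ACCESS-LIST) shows where a packet is dropped.
! packet-tracer input outside tcp 203.0.113.2 40000 10.20.0.10 80
```

The piece the ASA cannot configure for you is the second bullet: each host on the /29 must send 10.20.0.0/24 traffic to 203.0.113.1 (either as its default gateway or via a specific route), otherwise the packets go to the upstream router and never touch the crypto map. Running the packet-tracer line with a source of 203.0.113.2 is the quickest way to confirm that the intra-interface permit, the identity NAT and the crypto ACL all match before looking at the hosts' routing.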

I guess one might also ask why the main firewall isn't performing the VPN connection?

Or perhaps moving the public network segment behind the ASA and using some other network/link network between the 2 firewalls. Though I am not sure what the current network setup is.

- Jouni
