04-12-2013 02:01 PM - edited 03-11-2019 06:27 PM
I'm trying to achieve a site-to-site IPsec tunnel to a Cisco ASA 5520. Most examples feature the ASA with a public interface that terminates the tunnel and a private network on another interface that the tunnel interacts with. Where my scenario differs is that the interface that accepts the tunnel is part of a public /29 network where I want the remaining hosts on that subnet to be able to route through to the other end of the tunnel. My tunnel gets established, but any attempts to route via the IP assigned to that one interface result in the ASA rejecting traffic. Is this scenario even possible? If so, what configuration options should I consider?
Thanks!
04-12-2013 02:05 PM
Hi,
It would be good to see the configurations you have inserted for this.
It shouldn't really matter what IP addresses you use for the NAT. The main thing is that the NAT is configured correctly and the ACL defining the tunneled traffic matches.
For example I manage a customer firewall where the customer wanted to use the whole connected /24 network as source address for a L2L VPN connection.
- Jouni
04-12-2013 02:11 PM
Now that I read your question again it seems to me that I might have misunderstood you.
Are you saying that you only have an "outside" interface and all hosts are connected on that network? If so it sounds quite strange.
- Jouni
04-12-2013 02:37 PM
Indeed, I've only attached the 'outside' interface as all of my hosts are on that /29. A main router/firewall on that same network controls access to that VLAN and the rule I have in place on it allows the IPsec connection to the ASA from another location on the internet.
04-12-2013 04:05 PM
I've got to say I have never tried this or had any situation where I would want to use the ASA like this.
This would be something I would have to test as I can't say for sure if it's possible or not.
For one I would at least make sure of the following things:
How do you confirm the ASA is rejecting the traffic? Do you see some log message?
Have you seen any traffic get encapsulated/encrypted at this site OR is there only traffic incoming from the remote site?
- Jouni
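As an added illustration (not the original poster's configuration or anything Jouni posted) of the pieces discussed above, the crypto ACL and NAT exemption that must match, plus the verification commands for the encapsulation and log checks Jouni asks about: a constructed ASA L2L configuration in 8.4+ syntax. All addresses are documentation placeholders, and the assumption that hosts on the /29 enter and leave the same "outside" interface is marked in the comments.

```cisco
! Constructed example, not from the thread. Assumes ASA 8.4+ syntax,
! local public /29 203.0.113.8/29 on "outside", remote peer 198.51.100.1,
! remote LAN 10.20.0.0/24 (all placeholder addresses).
object network LOCAL-29
 subnet 203.0.113.8 255.255.255.248
object network REMOTE-LAN
 subnet 10.20.0.0 255.255.255.0

! Crypto ACL: the remote side's ACL must mirror this (source/destination swapped)
access-list L2L-VPN extended permit ip object LOCAL-29 object REMOTE-LAN

! NAT exemption so tunneled traffic keeps its real addresses;
! both sides are "outside" because there is no separate inside interface here
nat (outside,outside) source static LOCAL-29 LOCAL-29 destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Assumption for this single-interface design: traffic from the /29 hosts enters
! and leaves "outside", which the ASA drops unless intra-interface traffic is permitted
same-security-traffic permit intra-interface

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>

! Verification of the two checks raised above:
! show crypto ipsec sa                          -> #pkts encaps / #pkts decaps per SA
! show logging | include 198.51.100.1           -> any drop messages for the peer
! packet-tracer input outside tcp 203.0.113.10 1234 10.20.0.5 80
!   -> shows the exact phase (ACL, NAT, VPN) where a packet from a /29 host is dropped
```

If `show crypto ipsec sa` shows decaps incrementing but encaps staying at zero, the tunnel is up and the problem is local forwarding or NAT, not the tunnel itself.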
04-12-2013 04:08 PM
I guess one might also ask why the main firewall isn't performing the VPN connection?
Or perhaps moving the public network segment behind the ASA and using some other network/link network between the 2 firewalls. Though I am not sure what the current network setup is.
- Jouni