07-18-2015 02:43 AM - edited 03-11-2019 11:17 PM
Hello,
We have changed our edge device from an old router to a new ASA 5515. We had a site-to-site VPN whose peer was on a router loopback interface (that's a public IP address that we get as part of a LAN segment from our provider), and now I need to transfer that to the ASA, and I'm failing big time :)
Can you give me advice on how to do that? I have tried configuring the router loopback address as a subinterface on the ASA and using that as the tunnel peer, but it's not working...
In short, I need to configure this on the ASA:
crypto map STSVPN local-address Loopback0
crypto map STSVPN 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set NISTS
 match address VPN-STS
interface Loopback0
 ip address y.y.y.y 255.255.255.248
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 86000
crypto ipsec transform-set NISTS esp-aes esp-sha-hmac
 mode tunnel
crypto isakmp key ********** address x.x.x.x
ip access-list extended VPN-STS
 permit ip host 192.168.X.X host 10.X.X.X
thanks!
07-18-2015 04:07 AM
Why can't you use the physical interface of the ASA which has the public IP address?
Regards,
Puneesh
07-18-2015 04:47 AM
I will echo what Puneesh has said: why can't you use a normal routed interface on the ASA which connects to an access port on the switch?
If you absolutely must have VLAN interfaces on the ASA then configure the interface as sub-interfaces and place them in the required VLANs.
interface GigabitEthernet0/1.10
 vlan 10
 security-level 100
 nameif inside
 ip address 10.10.10.1 255.255.255.0
 no shutdown
--
Please remember to select a correct answer and rate helpful posts
07-20-2015 12:20 AM
I did that.
On the GigabitEthernet0/1 interface I have 4 different subinterfaces (.100 for internet, .110 for L3VPN, .120 for backup internet and the address over which the LAN segment is coming, .121 for the tunnel).
It goes like this:
interface GigabitEthernet0/1.100
 vlan 100
 security-level 0
 nameif Internet_access
 ip address 80.80.80.82 255.255.255.252 (not a real IP, but it is the link IP there)
 no shutdown
interface GigabitEthernet0/1.110
 vlan 110
 security-level 50
 nameif L3VPN
 ip address 192.168.100.2 255.255.255.252 (private IP for L3VPN)
 no shutdown
interface GigabitEthernet0/1.120
 vlan 120
 security-level 0
 nameif Internet_VPN
 ip address 90.90.90.82 255.255.255.252 (public IP address for the link over which the LAN segment (a set of 8 public IP addresses) is coming in)
 no shutdown
interface GigabitEthernet0/1.121
 vlan 121
 security-level 0
 nameif Tunnel_peer
 ip address 88.88.88.1 255.255.255.248 (peer address for the tunnel... that's the address that was on the router as the loopback address)
 no shutdown
Let's also put my LAN interface and some routes here, so there is no confusion.
interface GigabitEthernet0/0
 security-level 100
 nameif LAN_network
 ip address 10.10.10.1 255.255.255.0
 no shutdown
route Internet_access 0.0.0.0 0.0.0.0 80.80.80.81
route L3VPN 192.168.0.0 255.255.0.0 192.168.100.1
route Internet_VPN 91.91.91.2 255.255.255.255 90.90.90.81
First route: default for internet.
Second route: for all the private networks I need to access over L3VPN.
Third route: 91.91.91.2 is the second site's peer address, and it needs to be reached through the Internet_VPN interface, using the Tunnel_peer address as our site's peer address...
In other words, I need the traffic for establishing the tunnel to go through the 90.90.90.81 interface, and I need to establish the tunnel with our site peer 88.88.88.1 and the second site peer 91.91.91.2.
And this is where I'm hitting the wall :)
Let's say the IP address on my site that needs the tunnel is 10.10.10.10, and I need to reach 10.100.100.10 which is on the other site... how do I make the crypto maps so this works? Should I change routes or something? I'm utterly confused :)
07-20-2015 11:29 AM
Your crypto configuration will be the same as for any other site to site VPN configuration for the ASA, but if you have the default route pointing out a different interface you will need to configure static routes for the private IPs of the remote VPN site to point out the VPN interface.
--
Please remember to select a correct answer and rate helpful posts
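As an added illustration of the advice above (this is example configuration written for this thread, not the original poster's config or a vendor-supplied template), here is a standard ASA 9.x site-to-site IKEv1 configuration using the names and addresses from the thread (interfaces Internet_VPN and LAN_network, remote peer 91.91.91.2, local host 10.10.10.10, remote host 10.100.100.10, transform set NISTS, crypto map STSVPN, ACL VPN-STS). The pre-shared key is a placeholder. It assumes the remote side's private network is 10.100.100.0/24, which the thread does not state. One caveat the thread only implies: an ASA crypto map is bound to an interface, and the ASA sources IKE and ESP from that interface's own address, so with this configuration the tunnel is sourced from 90.90.90.82 (the Internet_VPN address) rather than from the 88.88.88.1 address that the old router used on its loopback, and the remote site would need to peer with 90.90.90.82. The static route at the end is the one the answer above calls for: the remote private network is sent out the VPN interface even though the default route points out Internet_access.

```cisco
! Phase 1 (IKEv1) policy, mirroring the old router's isakmp policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86000
! IKEv1 must be enabled on the interface the tunnel terminates on
crypto ikev1 enable Internet_VPN

! Phase 2 transform set, same ciphers as the router's NISTS set
crypto ipsec ikev1 transform-set NISTS esp-aes esp-sha-hmac

! Interesting traffic: local host to remote host (addresses from the thread)
object network LOCAL_HOST
 host 10.10.10.10
object network REMOTE_HOST
 host 10.100.100.10
access-list VPN-STS extended permit ip object LOCAL_HOST object REMOTE_HOST

! NAT exemption so VPN traffic is not translated by the outbound NAT
nat (LAN_network,Internet_VPN) source static LOCAL_HOST LOCAL_HOST destination static REMOTE_HOST REMOTE_HOST no-proxy-arp route-lookup

! Peer definition; tunnel-group name is the peer's IP for an L2L tunnel
! PSK is a placeholder - replace with the key agreed with the remote site
tunnel-group 91.91.91.2 type ipsec-l2l
tunnel-group 91.91.91.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE_WITH_SHARED_KEY

! Crypto map: match the ACL, set the peer and transform set,
! then bind the map to the interface that faces the remote peer
crypto map STSVPN 10 match address VPN-STS
crypto map STSVPN 10 set peer 91.91.91.2
crypto map STSVPN 10 set ikev1 transform-set NISTS
crypto map STSVPN interface Internet_VPN

! Static route for the remote site's private network out the VPN interface
! (assumed /24; the default route still points out Internet_access)
route Internet_VPN 10.100.100.0 255.255.255.0 90.90.90.81
```

With this in place, traffic from 10.10.10.10 to 10.100.100.10 is routed out Internet_VPN, matches VPN-STS, and triggers IKE to 91.91.91.2 via the next hop 90.90.90.81 already present in the poster's route table. A quick check after applying it is `show crypto ikev1 sa` and `show crypto ipsec sa`, which should show the peer 91.91.91.2 and encaps/decaps counters increasing for the VPN-STS host pair.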
07-19-2015 11:56 PM
Too many interfaces needed... I'm using all 6 physical interfaces, and 3 of those have subinterfaces. And even if I'm using that interface for the tunnel, something just isn't clicking :)