
No IP-in-IP on ASA

mareks-vader
Level 1

Hi all,

I have to replace a software firewall with a hardware ASA firewall, but it seems that the original IP-in-IP tunnels can't be replaced by the ASA.

I have a similar configuration to the one in:

http://etutorials.org/Networking/Integrated+cisco+and+unix+network+architectures/Chapter+11.+VPN+Technologies+Tunnel+Interfaces+and+Architectures/IP-IP+Tunnel/

But that last configuration seems to be for IOS only, not ASA. What can I do?

Thank you,

Marek

4 Replies

You are right. This is nothing the ASA supports. There are two options that you have:

1) Replace the IP-in-IP tunnel with a pure IPsec config. But the ASA will still behave differently, as there is no tunnel interface as in IOS.

2) Terminate the IP-in-IP tunnel on an IOS router or a software firewall in a DMZ or the internal network (whichever fits your security policy better). The ASA can be configured to pass this traffic through.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

So that means that:

ad 1) I would have to reconfigure the entire network to behave under IPsec?

ad 2) I would have to have one more device than I want to have, just to terminate the tunnel just before traffic enters the ASA?

Thanks

Yes, that's what it means. Or the other way round: the ASA is not the right device for this job. An IOS router with the firewall feature would perhaps fit better for your needs.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Jouni Forss
VIP Alumni

Hi,

Cisco ASA doesn't really support any other kind of tunneling except IPsec L2L VPN. It can naturally also do, for example, IPsec Client VPN, SSL Client VPN and Clientless SSL VPN.

If your aim is to connect 2 remote networks then you should use L2L VPN on the ASA.

I guess if you require some other type of tunneling you will need another device than a Cisco ASA firewall.

- Jouni
