
VPN ASA Headend to ASA5505 remote End on Customer LAN

ben.reynolds
Level 1

Hi Guys,

I'm wondering if you can point me in the right direction. We have a requirement from the business to print labels from our AS400 mainframe via some of our partners' sites. These are fairly small partners that tend to generally have a standard broadband connection with a router connected. Their IT knowledge is limited and we are looking to implement a sort of plug-and-play solution into the current infrastructure. So what we would like to do is install an ASA directly onto their LAN that has internet access but no public IP assigned and effectively create a VPN tunnel back to our ASA at HQ. I have attached a quick drawing; can you confirm if this is possible and the best way to achieve it?


5 Replies

LA-Engineer
Level 1

Yep this is possible. You can configure the 5505 to use ezvpn (vpnclient). Configure the group-policy to tunnel all traffic.

http://www.jump.net.uk/blog-cisco-easy-vpn-on-asa

Thanks for your assistance, I've got it all up and running now. Just one final question: now it's up and running, the only thing I do not seem to be able to do is ping the LAN interface of the ASA on the remote end. I can see the firewall at HQ sending packets but don't see anything in return, and on the remote side I see nothing in the logs.

That's great. Is the problem that you cannot ping just the LAN interface or can you not ping any host on the remote end at all?

You'll at least need to set the mode to "network-extension-mode". You might need firewall rules to allow the traffic. You also might need to set "management-access" to your inside interface.

It was me, forgot to assign the management-access. Everything is working great. Thanks for your help.

Awesome
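
The setup the replies above describe, written out as an added example that is not part of the original thread or taken from the linked blog: an ASA 5505 as Easy VPN hardware client in network-extension mode, with `management-access inside` so its LAN interface answers over the tunnel, and the matching headend group-policy that tunnels all traffic. The headend address `203.0.113.10`, the group name `PARTNER-LABELS`, the user `site01` and the `<...>` secrets are placeholders, the syntax assumes ASA 8.4 or later, and the headend is assumed to already have its IKEv1 policy, dynamic crypto map and the user account in place.

```text
! ---- Remote ASA 5505 on the partner LAN (Easy VPN hardware client) ----
! Placeholder values: headend 203.0.113.10, group PARTNER-LABELS, user site01.
! The 5505 initiates outbound, so no public IP is needed at the partner site.
vpnclient server 203.0.113.10
! Network-extension mode keeps the remote inside subnet routable from HQ
! (client mode would hide it behind PAT).
vpnclient mode network-extension-mode
vpnclient vpngroup PARTNER-LABELS password <group-pre-shared-key>
vpnclient username site01 password <user-password>
vpnclient enable
! Lets HQ ping and manage the 5505's inside interface through the tunnel;
! this was the missing line in the thread.
management-access inside

! ---- Headend ASA at HQ (only the pieces the thread mentions) ----
group-policy PARTNER-LABELS-GP internal
group-policy PARTNER-LABELS-GP attributes
 vpn-tunnel-protocol ikev1
 ! Tunnel all traffic from the remote site, as suggested in the first reply
 split-tunnel-policy tunnelall
 ! Permit hardware clients to connect in network-extension mode
 nem enable
tunnel-group PARTNER-LABELS type remote-access
tunnel-group PARTNER-LABELS general-attributes
 default-group-policy PARTNER-LABELS-GP
tunnel-group PARTNER-LABELS ipsec-attributes
 ikev1 pre-shared-key <group-pre-shared-key>
```

Use a separate group key and user per partner site so one site's credentials can be revoked without touching the others, and restrict what the tunnel can reach at HQ to the AS400 print service.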
