IPsec (ASA) on a stick

John Kim
Level 1

Hi,

I have a requirement that I need to terminate site-to-site VPN on ASA5545 unit as IPsec on a stick and route back through Internet Router (2911) to inside network and vice versa. At the moment, Internet Router is with all acls and nat for the corporate. Sooner or later, all acls and nat will have to be migrated to new ASA unit.

Can anyone share ideas on this?

Thanks

9 Replies

nkarthikeyan
Level 7

Hi,

Yes....

You need to have the same-security-traffic permit command....

same-security-traffic permit inter-interface

No-NAT for (outside, outside) <L2L><L2L>

Required rules need to be permitted in the L2L ACLs....

Hope as you said your router will take care of the NAT / ACL to get in to the LAN network....

Regards

Karthik
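An added configuration example (not from the thread or either participant) that puts together the pieces Karthik lists for the on-a-stick design: the hairpin permit, identity NAT on (outside,outside), the crypto ACL and a default route toward the router, plus the router-side static route and NAT exclusion that the decrypted return traffic needs. It assumes ASA 9.x syntax; 201.2.1.200 and 10.1.1.0/24 come from the thread, while 201.2.1.1 (router), 192.168.10.0/24 (local LAN), 203.0.113.10 (peer) and all object, ACL and map names are constructed. Because the VPN traffic enters and leaves the same outside interface, the example uses the intra-interface form of the same-security-traffic command.

```cisco
! ASA (9.x syntax assumed) -- IPsec "on a stick": decrypted traffic enters and
! leaves the same outside interface, so hairpinning must be allowed.
same-security-traffic permit intra-interface

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 201.2.1.200 255.255.255.0
! Both the Internet and the corporate LAN are reached via the router.
! 201.2.1.1 is a constructed address for the router's ASA-facing interface.
route outside 0.0.0.0 0.0.0.0 201.2.1.1

! Constructed networks: local LAN behind the router, remote LAN behind the peer
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.1.1.0 255.255.255.0

! Identity NAT on (outside,outside) so the L2L traffic keeps its real addresses
nat (outside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Crypto ACL: only local LAN <-> remote LAN is sent through the tunnel
access-list L2L-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside

! 203.0.113.10 is a placeholder peer address; the PSK is a placeholder too
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>

! Router (2911): send LAN traffic for the remote network back to the ASA and
! exclude it from the Internet NAT (ACL 100 assumed to be the NAT source list).
ip route 10.1.1.0 255.255.255.0 201.2.1.200
access-list 100 deny   ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
```

The router-side deny line must sit above the permit in the NAT ACL; if the LAN-to-remote traffic is translated before it reaches the ASA it will never match the crypto ACL and the tunnel will not come up.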

Hi Karthik,

Thanks very much for the reply.

I'm going to assign a public IP address to the ASA's outside interface and another public IP address to the router.

When I set up a site-to-site vpn on remote site, can I just go with the same destination on my end?

For example, if remote site requires 10.1.1.0/24 as destination from my end, is it okay to configure as we normally configure a site-to-site VPN?

I have configured a default route pointing to the router's interface on ASA5545. Is this sufficient for all traffic heading inside?

Cheers

Thanks,

John

Hi,

Please confirm whether my understanding of your design is correct or not

Over All Design:

Remote Site <-->Internet<--->Your Site ASA<--->Router<--->LAN Core<--->LAN

Concept Design:

Your Site ASA(outside)----(outside)Internet Router(Inside) Core LAN

If so on your ASA... you need to have the default route pointed to public interface of the router....

In this case you need to NAT (outside,outside) with a public IP for your L2L source......

So the NATed public IP will hit the router and in router you need to do a NAT once again to reach your internal LAN.....

Make sure that your crypto ACLs are updated accordingly.....

Regards

Karthik

Thanks again.

Physical design is as below.

The internet router is the internet-facing device and the ASA is hanging off the internet router.

And I'll be terminating VPN on 201.2.1.200.

Remote site
      II
      II
Internet Router ====== ASA
      II
      II
Core LAN

Hi,

Why can't you have a design like this....

Your Internet Router <-->ASA<-->Core.... in this case you can achieve it much easier...

Regards

Karthik

Hi,

Thanks for your reply.

I totally agree. I have expressed my concern over this and the complexity going forward when it needs to be fully migrated to the ASA.

Now we have decided to run a connection between ASA and core switch and have a static route configured on core switch destined to tunneled remote network via ASA and out to router. This way we can slowly migrate Anyconnect users to ASA and other current site-to-site VPNs configured on the internet router.

Do you see any potential issues with this?

Hi,

Yes... I agree with your proposed design..... rather than doing hairpinning and all the workarounds, this would be the straight method which will make things much simpler....

It would be even better if you bring the ASA in between the router and core switch.... I mean the internet-facing (outside) interface of the ASA will face towards the router and the LAN-facing (inside) interface will get connected to the core router..... then you can have site-to-site and AnyConnect configured on the ASA itself and make the router just do routing towards the internet..... But based on your present production and impact you can decide how you want to migrate....

Regards

Karthik
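For the design John settled on (ASA outside toward the internet router, a new inside link to the core switch, and a static route on the core for the tunnelled network), an added example that is not from the thread: ASA 9.x syntax assumed; 10.1.1.0/24 comes from the thread, while the 192.168.255.0/30 transit link, the 192.168.0.0/16 LAN summary, the 201.2.1.1 router address and the names are constructed.

```cisco
! ASA (9.x syntax assumed): VPN terminates on outside, which still points at
! the internet router; the corporate LAN is now reached over a dedicated
! inside link to the core switch, so no hairpin on outside is needed.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.255.1 255.255.255.252
! Default route toward the internet router (201.2.1.1 is constructed)
route outside 0.0.0.0 0.0.0.0 201.2.1.1
! Corporate LAN summary (constructed) via the core switch end of the /30
route inside 192.168.0.0 255.255.0.0 192.168.255.2

object network LOCAL-LAN
 subnet 192.168.0.0 255.255.0.0
object network REMOTE-LAN
 subnet 10.1.1.0 255.255.255.0
! Identity NAT (inside,outside): tunnelled traffic keeps its real addresses
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! Crypto ACL bound to the crypto map on outside, as in a standard L2L
access-list L2L-ACL extended permit ip object LOCAL-LAN object REMOTE-LAN

! Core switch: steer only the tunnelled remote network to the ASA inside
! address; everything else keeps its existing default route to the router.
ip route 10.1.1.0 255.255.255.0 192.168.255.1
```

Because the core sends only 10.1.1.0/24 to the ASA and the reply path from the ASA inside interface goes back to the same core, both directions of the VPN flow stay on one path, which avoids the asymmetric-routing state problems the hairpin design is prone to.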

Thanks Karthik,

Hi,

Can you please share your L2L configs of both the sides?

Also you can check by enabling debug crypto isakmp 128?

Because when you initiate from asa 8.2 traffic is not getting initiated or tunnel phase 1/2 not getting through..... do you have the proper routing enabled from the local LAN to FW....

Regards

Karthik
