2 site-to-site vpn tunnels from location A to B

howithink
Level 1

Hello,

Current:

I have an ASA 5505 (8.2.x) deployed at a customer's site with a public IP provided by the customer.

I have a site-to-site tunnel between us (site A) and the customer (site B).

The ASA (at the customer site) was set up with 2 default VLANs (one for outside, one for inside using ports 2-7).

Future:

The customer wants another site-to-site tunnel for a separate project, but they want to use the same ASA with a different port configured for a different IP scheme for this new project (which means the same public IP, but a different VLAN for the IP).

My Actions:

A) My first reaction was that I could not do this, but since this is the customer and I have to figure out a way: can I reconfigure the customer (site B) ASA to take one port and configure it for a different VLAN (using the IP scheme for this project) and set up a second site-to-site tunnel using that VLAN?

B) Can I even reconfigure a port for a third VLAN on that ASA? (Customer ASA 5505, 8.2.x, generic 10-seat license.)

What's the best approach to accomplish this task?

Thanks.

2 Accepted Solutions

David paull
Level 1

That's an odd question -- technically you could -- I think where you're going to fall short is that he is using the same peer address on his end. I don't think it's going to end up working favorably... never tried this.

I don't really understand the need for 'another site-to-site tunnel' though. Theoretically, I could be wrong here, there is only need for one IKE phase 1 tunnel. There can be multiple IKE phase 2 tunnels communicating through that tunnel at the same time though.

Why not leave the peer relationship as it is, expand your (and his) internal/external cryptos, and go from there. ASA 8.4 supports twice NAT -- which could be a solution if he's having issues on his end.

And to be honest, even the ASA 5505s that I've helped configure have all been on the remote side, and I'm pretty sure that every single one of them existed solely for the purposes of a single site-to-site to my organization.

Maybe explain WHY he wants to do what he wants to do also?

There are several things that we do not know which could impact the answer to the question.

The ASA 5505 should certainly support two site-to-site tunnels, as long as the tunnels go to different destinations. Two tunnels from the same 5505 to the same destination peer would not work. So does the customer intend the second tunnel to terminate on a different device?

Where you may have more problem is in the extra VLAN on the 5505. The 5505 restricts VLANs. It supports full functionality on two VLANs and allows a third VLAN as DMZ but imposes some restrictions on it. So depending on what the customer wants to do with the third VLAN it might work or it might not work.

HTH

Rick

4 Replies


howithink
Level 1

I resolved this issue by taking one of the ports on the ASA and placing it into a separate VLAN. I assigned it an IP range that the customer wanted and updated my tunnel's phase 2 crypto to reflect the new subnet on both ends.

Thank you both for your insight and assistance.
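What the resolution above looks like in configuration, as an added example that is not part of the original thread: an ASA 8.2-style fragment for the site B 5505 showing the third, restricted VLAN that Rick's answer mentions (on the Base license it has to be created with "no forward interface" before "nameif") and the existing tunnel's crypto ACL extended with the new subnet, so there is still one IKE phase 1 SA to the same peer and a second phase 2 SA pair for the new proxy identity. Every address, interface name, ACL name and the peer IP below is assumed for illustration; the transform set and tunnel-group lines are assumed to already exist for the original tunnel.

```cisco
! Site B (customer) ASA 5505, 8.2.x, Base license. Assumed addressing:
!   existing inside VLAN 1   = 192.168.1.0/24
!   new project VLAN 3       = 192.168.3.0/24 (the third, restricted VLAN)
!   site A protected subnet  = 10.10.10.0/24, site A peer = 203.0.113.10
!
! 1. Third VLAN. On the Base license "no forward interface" must be entered
!    BEFORE "nameif". Hosts on VLAN 3 cannot initiate traffic to VLAN 1, but
!    they can still initiate traffic through outside, i.e. into the tunnel.
interface Vlan3
 no forward interface Vlan1
 nameif project
 security-level 50
 ip address 192.168.3.1 255.255.255.0
!
! 2. Move one switch port (Ethernet0/7 here) out of the inside VLAN.
interface Ethernet0/7
 switchport access vlan 3
 no shutdown
!
! 3. NAT exemption for the new subnet (8.2 "nat 0" syntax). It is per
!    interface, so the new VLAN needs its own statement; without it the
!    traffic is PATed to the outside address and never matches the crypto ACL.
access-list project_nonat extended permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (project) 0 access-list project_nonat
!
! 4. Extend the EXISTING crypto ACL instead of adding a second crypto map
!    entry for the same peer. One line per proxy identity; site A's ACL must
!    be the mirror image (10.10.10.0/24 -> 192.168.1.0/24 and 192.168.3.0/24).
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 10.10.10.0 255.255.255.0
!
! Assumed to be present already for the original tunnel:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
```

After both ends are updated, `show crypto isakmp sa` should still list a single phase 1 SA with 203.0.113.10, and `show crypto ipsec sa peer 203.0.113.10` should list two SA pairs, one per crypto ACL line; `packet-tracer input project tcp 192.168.3.10 12345 10.10.10.10 80` confirms the new subnet is exempted from NAT and hits the VPN phase. Two caveats: the "no forward interface" restriction is one-directional, so inside (security level 100) can still open connections to the project VLAN (level 50) unless an access-list on inside blocks it, which matters if the customer expects the two projects to be isolated from each other; and the new subnet's ACL line is appended to the existing one, so an "ISAKMP no matching proxy id" failure after the change almost always means the two ends' ACLs are not mirror images.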

I am glad that you have resolved your issue and that our responses were helpful in that. Thank you for using the rating system to mark this question as answered. This helps other readers in the forum to identify threads that have helpful information.

HTH

Rick