ASA5508 L2 Tunneling type

AirSail (Level 1)

Hello Design Gurus,

Looking for guidance here.

I have the below simplified architecture. I want remote devices behind the ASA5508 to be part of the HQ network.

Is there a way to extend L2 from HQ to the branch? I know you will tell me to do GRE over IPsec, but it sounds like GRE isn't supported by ASA. Any other alternative?

[image: AirSail_0-1680893457700.png (topology diagram)]

21 Replies

Why do you want to extend L2?

AirSail (Level 1)

Great question @MHM Cisco World

On the left side of the topology, there is a BGP router from another 3rd-party vendor that is allowing 172.16.15.0/24 ONLY to be routed to their internal network, and they don't really want to use something else.

That's why I'm thinking of extending the network and having 172.16.15.0/24 everywhere.

What do you think?

AirSail (Level 1)

@MHM Cisco World, want to check if you had a chance to look at the above response.

I get your requirement, but ASA does not support GRE to run L2 over GRE (protected by IPsec),
so I check if ASA supports L2VPN like xconnect in a router. If not, can we use xconnect behind the ASA and configure the ASA to only protect the traffic via normal IPsec? i.e. is there any router behind the ASA that can do L2VPN xconnect?

@MHM Cisco World - Nope, we have no router behind the ASA. It's a simple network with ASA + switch + multiple laptops/phones connected to it.

Hard task.

Without a router, and ASA does not support L2VPN.

Can you try VTI, assigning 172.16.15.0/24 to the tunnel and NATing traffic to the tunnel interface?

Here the HQ will see only the VTI, not any subnet behind it.

@MHM Cisco World - That sounds genius. I have never set up VTI before, but I would try to find a simplified article or video on the internet that can help me set that up.

For the VTI IP, it must be part of the NAT example (source) and matching ACL (source), right?

Need some test. The VTI interface cannot be configured with the nat command, so we need to use any.

So let me check the lab and see the result.

orochi_yagami (Level 1)

Do you mind sharing what media you have in the remote branch office? A single internet circuit, with static/dynamic IP? How many users/devices in the remote office? What are the MTIK router capabilities/features?

@orochi_yagami we have 1 single WAN edge modem with a static IP, and we have about 20 users at that remote branch.

For the MTIK (Mikrotik) router, OS 6.9 is capable of doing GRE over IPsec, I believe.

balaji.bandi (Hall of Fame)

There are some limitations here. Is the ASA running in transparent mode or routed mode?

What version of the ASA code is running? (Anyway, the ASA 5508 is EOL.) If you are looking to deploy this solution, why not use the same Mikrotik on the other side (if Mikrotik offers the same service)?

Check ASA limitations:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/general/asa-97-general-config/intro-fw.html#ID-2106-00000012

EOL:

https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/eos-eol-notice-c51-744798.html


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

@balaji.bandi - ASA in routed mode, running 9.12; hardware ordered and in place. I don't think we will be able to change the ASA for now.

In that case, you need to look at interoperability between vendors, with all the features supported on both sides.

Since you already placed an order for the ASA, you can use the ASA on the main site, so it has more advantages with the same vendor you are looking to deploy here.

The bad move is ordering equipment without testing (you need to test a PoC before mass ordering).

BB


Gustavo Medina (Cisco Employee)

If you really need to extend L2, then VXLAN is an option, but for the scenario you are describing that is not needed. A simple NAT will work. VTI is not a requirement for this NAT, but it is also possible, of course.
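The VTI-plus-NAT design MHM Cisco World proposes above, which is also the "simple NAT" Gustavo Medina says is sufficient, as an added ASA configuration sketch that is not from any post in this thread and not a Cisco-published example. Every address, object name and parameter in it is assumed: branch LAN 192.168.30.0/24, tunnel point-to-point subnet 10.255.0.0/30, HQ peer 198.51.100.1, HQ internal range 10.10.0.0/16, and 172.16.15.250 as the one address from the 172.16.15.0/24 range (the only range the third-party BGP router will route) that the branch hides behind. The IKEv2/IPsec parameters are illustrative, and the pre-shared key is a placeholder.

```text
! Added example, not from the thread. All addresses and names are assumed.

! IKEv2 and IPsec parameters (illustrative)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256

! Peer definition (assumed HQ public address); PSK is a placeholder
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>

! Route-based tunnel (VTI). 10.255.0.0/30 is an assumed tunnel subnet.
interface Tunnel1
 nameif vti
 ip address 10.255.0.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Objects (all assumed values)
object network BRANCH-LAN
 subnet 192.168.30.0 255.255.255.0
object network BRANCH-HIDE
 host 172.16.15.250
object network HQ-NET
 subnet 10.10.0.0 255.255.0.0

! Branch hosts going to HQ are PATed behind one 172.16.15.0/24 address,
! so HQ and the third-party BGP router only ever see 172.16.15.250.
! The mapped interface is "any" rather than the tunnel name, following the
! note earlier in the thread that the VTI cannot be referenced in nat.
nat (inside,any) source dynamic BRANCH-LAN BRANCH-HIDE destination static HQ-NET HQ-NET

! Steer HQ-bound traffic into the tunnel (next hop is the assumed HQ VTI address)
route vti 10.10.0.0 255.255.0.0 10.255.0.1
```

Two things to check before relying on this: the HQ side needs a return route for 172.16.15.250/32 pointing back into the tunnel, and the destination clause on the nat line is what keeps the translation limited to HQ-bound traffic, so ordinary internet traffic from the branch still uses whatever NAT the ASA already has on the outside interface. Because nothing is bridged, the branch keeps its own broadcast domain; HQ never sees the real 192.168.30.0/24 hosts, which is the point MHM Cisco World makes about HQ seeing only the VTI.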