Can dynamic VPN clients communicate with other dynamic clients
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
First question, is this even possible & if so, could someone direct me to an example or other resource? My testing shows packets just dying in the 5520.
Yes, that is possible, but with one exception: both dynamic ends need to establish the tunnel to the 5520 first, as they can't talk directly to each other, and it will be a hub-and-spoke scenario where all traffic between the dynamic peers passes through the hub.
Here is the configuration which is required:
on ASA 5520:
same-security-traffic permit intra-interface
on ASA5510 - dynamic peer 1:
access-list permit ip
NAT exemption will need to be configured as well between peer1-lan-subnet to peer2-lan-subnet
on ASA5510 - dynamic peer 2:
NAT exemption will need to be configured as well between peer2-lan-subnet to peer1-lan-subnet
Then clear the tunnel on all ends so the new crypto ACL can be negotiated.
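Worked configuration for the scenario described in the answer (added example, not the answer's own config). It assumes ASA 8.4+ IKEv1 syntax with object-based NAT, a hub outside address of 203.0.113.1, hub LAN 10.0.0.0/24, spoke LANs 10.1.1.0/24 and 10.2.2.0/24 (all constructed values), a placeholder pre-shared key, and that no NAT rule on the hub matches outside-to-outside traffic. The point it shows is that each spoke's crypto ACL and NAT exemption must cover the other spoke's LAN, not just the hub's, while the hub only needs intra-interface traffic permitted plus its own exemptions.

```cisco
! ===== Hub (ASA 5520): static outside 203.0.113.1 (constructed) =====
! Decrypted traffic from spoke 1 arrives on "outside" and must leave via
! "outside" again to reach spoke 2; this permits that hairpin.
same-security-traffic permit intra-interface

object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE1-LAN
 subnet 10.1.1.0 255.255.255.0
object network SPOKE2-LAN
 subnet 10.2.2.0 255.255.255.0

! NAT exemption for hub LAN <-> each spoke LAN
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac

! Dynamic crypto map: the hub accepts proxy IDs proposed by peers whose
! addresses are unknown in advance, so no "match address" is needed here.
crypto dynamic-map DYN 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

! All dynamic peers authenticate against DefaultL2LGroup with one shared PSK
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER

! ===== Spoke 1 (ASA 5510, dynamic outside address) =====
object network SPOKE1-LAN
 subnet 10.1.1.0 255.255.255.0
object network HUB-LAN
 subnet 10.0.0.0 255.255.255.0
object network SPOKE2-LAN
 subnet 10.2.2.0 255.255.255.0

! Crypto ACL (encryption domain): hub LAN AND the other spoke's LAN
access-list SPOKE1_CRYPTO extended permit ip object SPOKE1-LAN object HUB-LAN
access-list SPOKE1_CRYPTO extended permit ip object SPOKE1-LAN object SPOKE2-LAN

! NAT exemption for both destinations
nat (inside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SPOKE1-LAN SPOKE1-LAN destination static SPOKE2-LAN SPOKE2-LAN no-proxy-arp route-lookup

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address SPOKE1_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key PSK-PLACEHOLDER

! ===== Spoke 2 (ASA 5510, dynamic outside address) =====
! Same objects, IKE policy, transform set, crypto map and tunnel-group as
! spoke 1; only the crypto ACL and NAT exemptions are mirrored:
access-list SPOKE2_CRYPTO extended permit ip object SPOKE2-LAN object HUB-LAN
access-list SPOKE2_CRYPTO extended permit ip object SPOKE2-LAN object SPOKE1-LAN
nat (inside,outside) source static SPOKE2-LAN SPOKE2-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup
nat (inside,outside) source static SPOKE2-LAN SPOKE2-LAN destination static SPOKE1-LAN SPOKE1-LAN no-proxy-arp route-lookup
crypto map OUTSIDE_MAP 10 match address SPOKE2_CRYPTO

! ===== On every ASA after the change: tear down existing SAs so the new
! proxy IDs are renegotiated, then verify =====
clear crypto ipsec sa
clear crypto ikev1 sa
show crypto ikev1 sa
show crypto ipsec sa
```

Two things worth checking once the tunnels are back up. On the hub, `show crypto ipsec sa` should list the spoke-1 SA with local/remote proxy identities 10.2.2.0/24 and 10.1.1.0/24 (and the mirror on the spoke-2 SA); if a spoke-to-spoke flow never triggers an SA, the crypto ACL on the initiating spoke is usually missing the other spoke's subnet. Because `same-security-traffic permit intra-interface` applies to all traffic on that interface, not only to VPN traffic, the outside interface ACL still governs what hairpinned flows are allowed; the encryption domains limit what reaches the hub in the first place, but any filtering between spokes has to be done at the hub.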