Can I terminate, then rebuild, an IPsec Tunnel inside an ASA

jimmyc_2
Level 1

My user in Reno wants to send data to Vermont, but has to go through the Kansas ASA.

The Reno to Kansas hop must be AES-128.

The Kansas to Vermont hop must be AES-256.

Can the firewall in Kansas terminate one tunnel, then build a second tunnel, without having to leave the ASA?

In other words, I do not want to bent-pipe it to a server via the Inside address.

Thanks

jc

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

So if I understood you correctly, you would want to build 2 L2L VPN connections from Kansas. One to Reno and one to Vermont? And you want users from Reno to be able to connect to Vermont through these connections?

There should be no problem doing this. There is no need for the traffic from Reno to go through the local network of Kansas. It will simply take a turn at the "outside" interface of Kansas and head out towards Vermont through the other L2L VPN connection.

Some things you have to take into consideration when configuring are

  • Reno will need to define that the traffic destined to Kansas and Vermont LANs is defined on the L2L VPN connection towards Kansas
  • Reno will need to define NAT0 configurations for the above mentioned traffic from Reno to Kansas and Reno to Vermont
  • Kansas will need to have 2 L2L VPN configurations.
  • Kansas will need to define that traffic between the Reno and Vermont networks is defined on both of the above mentioned L2L VPN configurations
  • Kansas will need to have NAT0 configurations on its "outside" interface for the Reno and Vermont networks so that traffic between them will flow
  • Kansas will also need the "same-security-traffic permit intra-interface" configuration. This will permit the traffic from Reno to head to Vermont through the same interface it entered from. This is because the traffic will enter from "outside" and will also leave from "outside"
  • Vermont will naturally have the same kind of needs as Reno, as it's a spoke in the topology also.

Also, I guess you always have the option to configure an L2L VPN directly between Reno and Vermont without Kansas having anything to do with that setup.

Hopefully the information was helpful. I am not sure if this is just at the planning stage or if you had already tried to configure it and had some problems?

- Jouni

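The hub-and-spoke setup Jouni describes, written out as an added configuration example (not from the original thread and not Cisco's own reference config). It assumes ASA 8.3+ NAT syntax and IKEv1 crypto maps, and all addresses, object names, ACL names and pre-shared-key placeholders are constructed for illustration: Reno LAN 10.1.0.0/24 behind peer 198.51.100.1, Vermont LAN 10.2.0.0/24 behind peer 203.0.113.1, Kansas LAN 10.3.0.0/24 on outside address 192.0.2.1. The per-hop strength requirement from the question is pinned by the IPsec transform set chosen in each crypto map entry (AES-128 toward Reno, AES-256 toward Vermont); the IKEv1 policies are offered to every peer in priority order, so the phase 2 transform set, not the policy list, is what enforces the per-tunnel cipher.

```cisco
! ===== Kansas hub (ASA 8.3+ syntax, constructed addresses) =====
object network RENO-LAN
 subnet 10.1.0.0 255.255.255.0
object network VERMONT-LAN
 subnet 10.2.0.0 255.255.255.0
object network KANSAS-LAN
 subnet 10.3.0.0 255.255.255.0

! Hairpin: Reno-to-Vermont traffic enters and leaves on "outside"
same-security-traffic permit intra-interface

! IKEv1 phase 1 (both policies offered to both peers, strongest first)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Phase 2 transform sets: this is what fixes the cipher per tunnel
crypto ipsec ikev1 transform-set TS-AES128 esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac

! Crypto ACLs: local side first, remote side second.
! Each tunnel must also carry the spoke-to-spoke flows.
access-list L2L-RENO extended permit ip object KANSAS-LAN object RENO-LAN
access-list L2L-RENO extended permit ip object VERMONT-LAN object RENO-LAN
access-list L2L-VERMONT extended permit ip object KANSAS-LAN object VERMONT-LAN
access-list L2L-VERMONT extended permit ip object RENO-LAN object VERMONT-LAN

crypto map OUTSIDE-MAP 10 match address L2L-RENO
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES128
crypto map OUTSIDE-MAP 20 match address L2L-VERMONT
crypto map OUTSIDE-MAP 20 set peer 203.0.113.1
crypto map OUTSIDE-MAP 20 set ikev1 transform-set TS-AES256
crypto map OUTSIDE-MAP interface outside

tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-RENO-PSK>
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-VERMONT-PSK>

! NAT exemption ("NAT0" in the reply) for hub LAN <-> each spoke
nat (inside,outside) source static KANSAS-LAN KANSAS-LAN destination static RENO-LAN RENO-LAN no-proxy-arp route-lookup
nat (inside,outside) source static KANSAS-LAN KANSAS-LAN destination static VERMONT-LAN VERMONT-LAN no-proxy-arp route-lookup
! outside-to-outside exemption for the hairpinned spoke-to-spoke flows
nat (outside,outside) source static RENO-LAN RENO-LAN destination static VERMONT-LAN VERMONT-LAN

! ===== Reno spoke (only the parts that differ from a plain L2L) =====
! Crypto ACL covers both the Kansas LAN and the Vermont LAN behind it
access-list L2L-KANSAS extended permit ip object RENO-LAN object KANSAS-LAN
access-list L2L-KANSAS extended permit ip object RENO-LAN object VERMONT-LAN
nat (inside,outside) source static RENO-LAN RENO-LAN destination static KANSAS-LAN KANSAS-LAN no-proxy-arp route-lookup
nat (inside,outside) source static RENO-LAN RENO-LAN destination static VERMONT-LAN VERMONT-LAN no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 10 match address L2L-KANSAS
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES128
```

Vermont mirrors the Reno spoke with TS-AES256 and a crypto ACL naming both the Kansas and Reno LANs. Once both tunnels are up, `show crypto ipsec sa peer <peer>` on Kansas should show two SAs per crypto map entry (one for the hub LAN, one for the far spoke LAN), and a missing `same-security-traffic permit intra-interface` or the outside,outside NAT line shows up as spoke-to-spoke packets decrypting on Kansas but never being re-encrypted toward the other peer.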

Jouni,

Many thanks for the quick response, and extremely helpful tips. I wish all replies were as complete as yours. I'll give it a shot on Monday and let you know.

jc