I have a very basic question about Cisco ASA 5505 IPsec Site to Site VPNs. I want to install a Cisco ASA 5505 at a Data Center, in a LAN subnet that utilizes publicly routable IP addresses. I would like to install a second Cisco ASA 5505 in a remote branch office as its peer.
Regardless of whether I use publicly routable IPs at the branch office in the "inside" network or non-routable IPs, how would the devices and servers at the Data Center know to route IP packets destined for the branch office back through the Cisco ASA instead of through the default gateway at the Data Center? I can see accomplishing this if every single device at the Data Center is configured with routing table entries, but that isn't feasible. It also isn't feasible to use the Cisco ASA 5505 as the default gateway for all of the devices at the Data Center, allowing it to decide where the traffic should go.
What am I missing? Is the solution to try to map branch office IPs to IP addresses within the Data Center's LAN subnet so that all of the traffic is on the same subnet?
One solution appeared in my head
Configure the Data Center's router as the VPN server instead of installing the ASA.
Or configure a route-map on that router to send the interesting traffic to the ASA's inside interface.
Because the ASA cannot perform policy routing.
Assuming I don't want to change the edge router at the data center, could I theoretically get the ASA to proxy arp a set of local addresses, that would present themselves as being directly accessible via the ASA's inside address? If not, I am thinking I am going to have to add routing table entries to direct the IP traffic correctly.
You can use transparent mode. But instead of using VPN (which is not supported in this mode), use ACLs and AAA to control access.
You can do it in several different ways.
One way is to tell the server that if it has traffic to network X, then it needs to go to the ASA; all other traffic is to head for the default gateway.
In Windows this is done via the route command.
Do not forget to make it "persistent", otherwise the route will disappear when you reboot the server.
It is also the route command.
Or you can tell your "default gateway" to route that network to the ASA
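An added example, not code from any of the posters, to make the two options in this answer concrete: a tiny longest-prefix-match lookup (the rule every IP host and router applies) shows why a data-center host hands branch-bound packets to its default gateway until it has a more specific route pointing at the ASA's inside address, and the same function prints the static-route commands for a Windows host, a Linux host and a Cisco IOS edge router. All addresses (203.0.113.0/24 for the data-center LAN, 192.168.10.0/24 for the branch) and the function names are constructed for illustration; they are not from the thread.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, next hop). "connected" marks a directly
# attached subnet; otherwise the next hop is a gateway IP on the local LAN.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed data-center addressing (RFC 5737 documentation space):
DC_DEFAULT_GW = "203.0.113.1"   # edge router, the hosts' default gateway
ASA_INSIDE = "203.0.113.2"      # ASA 5505 inside interface, on the same public /24
BRANCH_NET = "192.168.10.0/24"  # remote branch LAN reached over the tunnel

# What a data-center host knows before anyone touches it.
DC_HOST_TABLE: List[Route] = [
    (ipaddress.ip_network("203.0.113.0/24"), "connected"),
    (ipaddress.ip_network("0.0.0.0/0"), DC_DEFAULT_GW),
]


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def with_static_route(table: List[Route], net: str, hop: str) -> List[Route]:
    """Return a copy of the table with one more static route added."""
    return table + [(ipaddress.ip_network(net), hop)]


def route_commands(net: str, hop: str) -> dict:
    """The equivalent static-route commands for the places the answer names."""
    n = ipaddress.ip_network(net)
    return {
        # Windows: -p stores the route persistently so it survives a reboot
        "windows_host": f"route -p add {n.network_address} mask {n.netmask} {hop}",
        # Linux: takes effect immediately but is NOT persistent by itself;
        # the persistent form depends on the distribution's network configuration
        "linux_host": f"ip route add {n} via {hop}",
        # Cisco IOS edge router: the "tell your default gateway" option
        "ios_router": f"ip route {n.network_address} {n.netmask} {hop}",
    }


if __name__ == "__main__":
    branch_host = "192.168.10.25"
    print("before:", next_hop(DC_HOST_TABLE, branch_host))   # 203.0.113.1
    fixed = with_static_route(DC_HOST_TABLE, BRANCH_NET, ASA_INSIDE)
    print("after: ", next_hop(fixed, branch_host))           # 203.0.113.2
    for where, cmd in route_commands(BRANCH_NET, ASA_INSIDE).items():
        print(f"{where:13} {cmd}")
```

Only the data-center-to-branch direction needs this: packets arriving from the tunnel leave the ASA's inside interface straight onto the LAN, so the hosts never needed a route for the return path to exist. With the router option, the edge router forwards branch-bound packets back out the interface they came in on and will typically send ICMP redirects to the hosts; whether a host honors those is an OS setting, so the host-route option is the more predictable of the two.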