1765 Views, 0 Helpful, 6 Replies

Easy VPN vs. Site to site VPN

jlhainy
Level 2

I am trying to connect a remote site to our main site using 2 ASA 5505s.  The 5505 at the main site is mainly used for AnyConnect clients.  But I would like to use it as a termination point for the second ASA that will be going at the remote site.

The remote site is currently connected to the Internet via DSL.  What I would like to do is set up either a site to site VPN or have the ASA act as a hardware VPN client and just use Easy VPN.

The topology looks something like this.  Clients---> switch---> asa---> DSL modem ---> Internet

What I am thinking is using the asa at the remote site as a dhcp server to lease IPs to the clients at the remote site.  The Remote ASA will establish a VPN connection to the Main ASA.  I would like to extend the network so that the IP space at the remote sites routes over the tunnel.  No NAT should happen.  The remote site will Tunnel everything to the main site, including Internet Access.  At the main site, I would want to have a route for the remote site subnet that points to the asa so it knows to route that subnet across the tunnel.  Is this a possibility without breaking my current remote access VPN setup at the main site?


6 Replies

rizwanr74
Level 7

Yes, it is possible.


However, if I were you I would leverage the remote Internet circuit for its local subnet users' Internet traffic, instead of tunneling it back to the main site, unless you have a valid reason to tunnel everything back to the main office.


Thanks

Rizwan Rafeek

I have the client ASA pretty much figured out.  It's the client server I am struggling with.  When I am configuring the server side for this tunnel-group, I am not quite sure what to do for IP info.  I just want to route the remote network across the tunnel so I am thinking I shouldn't need dhcp or an ip pool or anything, because the IP information will be given to the clients from the dhcp pool that is on the remote ASA.

That's right. An IP pool is for remote access clients. 

If you want an Easy VPN client then you will use tunnel-group type ipsec-ra. If you want a L2L VPN, you will use tunnel-group type ipsec-l2l. However, if you choose Easy VPN in client mode, your remote ASA will show up as a client so it will request an IP address from a pool.


L2L meaning lan to lan or site to site?

It sounds like Easy VPN client is not the way to go then.  I definitely want to do lan to lan.  The difficulty is that the remote side has a DSL connection with a dynamic IP, so I can't configure the other side with its peer IP address because it's dynamic.  Is a site to site VPN supported when one side has a static IP and the other side has a dynamic IP?  The ASA is actually inside the NAT DSL device.

I thought lan-to-lan and site-to-site mean the same. Actually, I still think so. (-:


What you need is Easy VPN in network extension mode. Check it out in the docs.

Are you aware that, when you set up a server/client site-to-site VPN, only the client can initiate traffic?


When the tunnel is not established or not up, you cannot initiate or establish the tunnel from the server side; it is always from the client side alone.

Let me know if this is what you want to achieve.


Thanks
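A configuration sketch of what the replies above describe (a tunnel-group of type ipsec-ra on the main-site ASA and Easy VPN in network extension mode on the remote 5505), added here as an illustration and not taken from any poster in this thread. It assumes 8.2-style ASA syntax and placeholder addressing: hub outside address 203.0.113.10, main-site LAN 10.10.0.0/16, remote LAN 192.168.20.0/24, group name remote-site.

```cisco
! ===== Main-site ASA 5505: Easy VPN server (hub) =====
! Placeholder values throughout; adapt to your own addressing.
crypto isakmp enable outside
crypto isakmp nat-traversal 20          ! remote ASA sits behind the DSL NAT
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Dynamic map: the peer address is unknown because the remote DSL IP changes.
crypto dynamic-map DYN 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN 10 set reverse-route   ! RRI installs 192.168.20.0/24 when the client connects
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
!
! Do not NAT main-site <-> remote-site traffic (the remote subnet rides the tunnel as-is).
access-list NONAT extended permit ip 10.10.0.0 255.255.0.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Remote users' Internet traffic arrives on outside and must leave on outside (hairpin).
same-security-traffic permit intra-interface
nat (outside) 1 192.168.20.0 255.255.255.0
global (outside) 1 interface
!
group-policy REMOTE-SITE internal
group-policy REMOTE-SITE attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall        ! everything, including Internet, goes through the hub
 nem enable                           ! allow network extension mode; no address pool needed
!
tunnel-group remote-site type ipsec-ra
tunnel-group remote-site general-attributes
 default-group-policy REMOTE-SITE
tunnel-group remote-site ipsec-attributes
 pre-shared-key PLACEHOLDER-GROUP-KEY

! ===== Remote-site ASA 5505: Easy VPN hardware client (NEM) =====
interface Vlan1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
dhcpd address 192.168.20.10-192.168.20.100 inside   ! remote ASA leases client addresses
dhcpd enable inside
!
vpnclient server 203.0.113.10
vpnclient mode network-extension-mode   ! keep real LAN addresses, no client NAT
vpnclient vpngroup remote-site password PLACEHOLDER-GROUP-KEY
vpnclient enable
! Only this side can bring the tunnel up; the hub cannot reach 192.168.20.0/24 until it does.
```

Because the hub terminates the tunnel, the only route the main site needs is on its internal devices, pointing 192.168.20.0/24 at the hub ASA's inside address; the ASA itself gets the route from reverse route injection.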