Extend production VLAN behind ASA5510 to remote site and 2821

johartman
Level 1

I have an ASA 5510 and would like to extend one of the subnets behind this ASA out to my house that has a cable modem, a wireless router/switch and then behind that I have a 2821 router.  I've been reading and it looks like L2TP may be the way to go but can't find any config examples.  Again, I would like to securely extend one and nail up a permanent connection of one of the VLANs in the production network all the way into my house using my cable modem and the 2821.  Any config examples would be much appreciated!  Also, any IOS recommendations for the 2821 would be much appreciated.  Lastly, does L2TP look like the way I need to go?  I'm attaching a very basic Visio diagram of what I'm trying to do.  Thanks, john

1 Accepted Solution

Roman Rodichev
Level 7

You need L2TPv3.

ASA doesn't support it but will pass L2TPv3 traffic through.

At work you'll need to add another router. L3 switches don't support it.

The configuration for a router would be:

pseudowire-class test
 encapsulation l2tpv3
 ! this will be the source of the tunnel, can use any interface that has reachability to the remote xconnect IP
 ip local interface loopback0
!
int fas0/0.30
 ! don't put an ip address here
 encapsulation dot1q 30
 xconnect X.X.X.X 1000 pw-class test

X.X.X.X is the remote router interface IP that's used as "ip local interface" in the remote configuration

make sure 1000 (VC ID) matches on both sides
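
The checks listed in the answer above (no IP address on the xconnect subinterface, the xconnect peer equal to the remote side's "ip local interface" address, matching VC ID) can be run against both routers' configs before cutover. This is an added Python example, not part of the original thread; the function names are hypothetical, the sample configs are constructed with documentation addresses, and the parser assumes running-config layout with indented sub-commands.

```python
def sample(local_ip, peer_ip, vc_id, extra=""):
    """Build a constructed router config (documentation addresses only)."""
    return (f"interface Loopback0\n ip address {local_ip} 255.255.255.255\n"
            "pseudowire-class test\n encapsulation l2tpv3\n"
            " ip local interface Loopback0\n"
            "interface FastEthernet0/0.30\n encapsulation dot1Q 30\n"
            f"{extra} xconnect {peer_ip} {vc_id} pw-class test\n")

def parse(cfg):
    """Group indented sub-commands under their section header (lowercased)."""
    sections, cur = {}, None
    for raw in cfg.lower().splitlines():
        if raw.startswith(" ") and cur:
            sections[cur].append(raw.strip())
        elif raw.strip() not in ("", "!"):
            cur = raw.strip()
            sections[cur] = []
    return sections

def tunnel(cfg):
    """Return (local_ip, peer_ip, vc_id, problems) for the first xconnect."""
    secs = parse(cfg)
    for name, cmds in secs.items():
        xc = [c.split() for c in cmds if c.startswith("xconnect ")]
        if not xc:
            continue
        peer, vc_id, pw = xc[0][1], xc[0][2], xc[0][-1]
        problems = []
        if any(c.startswith("ip address") for c in cmds):
            problems.append(f"{name}: xconnect interface has an ip address")
        pwc = secs.get(f"pseudowire-class {pw}", [])
        if "encapsulation l2tpv3" not in pwc:
            problems.append(f"pseudowire-class {pw}: not l2tpv3")
        # Resolve "ip local interface <name>" to that interface's address.
        src = [c.split()[-1] for c in pwc if c.startswith("ip local interface")]
        addr = [c.split()[2] for c in secs.get(f"interface {src[0]}", [])
                if c.startswith("ip address")] if src else []
        return (addr[0] if addr else None), peer, vc_id, problems
    raise ValueError("no xconnect found")

def check_pair(cfg_a, cfg_b):
    """Check the two ends against each other, per the answer's notes."""
    la, pa, va, probs_a = tunnel(cfg_a)
    lb, pb, vb, probs_b = tunnel(cfg_b)
    problems = probs_a + probs_b
    if va != vb:
        problems.append(f"VC ID mismatch: {va} vs {vb}")
    if pa != lb or pb != la:
        problems.append("xconnect peer is not the remote 'ip local interface' address")
    return problems
```

Calling `check_pair(sample("192.0.2.1", "198.51.100.1", 1000), sample("198.51.100.1", "192.0.2.1", 1000))` returns an empty list; any returned string names the mismatch to fix.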

So if we don't have the funds to purchase another router to sit behind the ASA there may not be a way to allow that subnet to be tunneled across?  If that's the case, should I just nail up an IPSec tunnel between the remote 2821 which traverses another low end router and cable modem back to the ASA?

Without L2TPv3 you can't extend a subnet like that.

Correct, you might as well just do a VPN tunnel and route to a different subnet. Was there a need to have L2 connectivity?

I just wanted to be in the same domain and on the same subnet as other servers to configure them from that site.

Thanks for your input.

I guess I'll search for a config guide to lock up a permanent VPN tunnel and have permanent access to that subnet from that site.