07-31-2014 05:26 AM - edited 02-21-2020 07:45 PM
Hi,
I have a requirement to terminate a site-to-site VPN on an ASA5545 unit as IPsec on a stick and route back through the Internet router (2911) to the inside network and vice versa. At the moment, the Internet router holds all the ACLs and NAT for the corporate network. Sooner or later, all ACLs and NAT will have to be migrated to the new ASA unit.
Can anyone share ideas on this?
Thanks
07-31-2014 06:30 AM
Hi,
Yes, you need to have the same-security-traffic permit command:
same-security-traffic permit inter-interface
No-NAT for (outside, outside) <L2L> <L2L>
The required rules need to be permitted in the L2L ACLs.
Hopefully, as you said, your router will take care of the NAT/ACL to get into the LAN network.
Regards
Karthik
07-31-2014 06:38 AM
Hi Karthik,
Thanks very much for the reply.
I'm going to assign a public IP address to the ASA's outside interface and another public IP address to the router.
When I set up a site-to-site VPN at the remote site, can I just go with the same destination on my end?
For example, if the remote site requires 10.1.1.0/24 as the destination from my end, is it okay to configure it as we normally configure a site-to-site VPN?
I have configured a default route on the ASA5545 pointing to the router's interface. Is this sufficient for all traffic heading inside?
Cheers
Thanks,
John
07-31-2014 06:58 AM
Hi,
Please confirm whether my understanding of your design is correct.
Over All Design:
Remote Site <-->Internet<--->Your Site ASA<--->Router<--->LAN Core<--->LAN
Concept Design:
Your Site ASA(outside)----(outside)Internet Router(Inside) Core LAN
If so, on your ASA you need to have the default route pointed to the public interface of the router.
In this case you need to NAT (outside,outside) with a public IP for your L2L source.
So the NATed public IP will hit the router, and in the router you need to NAT once again to reach your internal LAN.
Make sure that your crypto ACLs are updated accordingly.
Regards
Karthik
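The hairpin design discussed in the two replies above, written out as an added example (not configuration from the thread or from either poster). It follows the no-NAT variant from the earlier reply: the ASA keeps private addresses on both sides of the tunnel and the router routes the remote subnet to the ASA instead of translating it. Only 201.2.1.200 and 10.1.1.0/24 come from the thread; the router address 201.2.1.1, the corporate LAN 192.168.10.0/24, the peer 198.51.100.10 and all object, ACL and map names are placeholders, and the NAT syntax assumes ASA 9.x. Note that a hairpin (in and out of the same interface) needs the intra-interface form of the same-security-traffic command, not inter-interface.

```text
! Added example, not from the thread. ASA 9.x "IPsec on a stick" hairpin.
! Placeholders: 201.2.1.1 (router), 192.168.10.0/24 (LAN), 198.51.100.10 (peer).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 201.2.1.200 255.255.255.0
!
! Decrypted traffic leaves on the same interface it arrived on, so the
! intra-interface (hairpin) permit is required.
same-security-traffic permit intra-interface
!
! Everything, including decrypted traffic for the LAN, is sent to the router.
route outside 0.0.0.0 0.0.0.0 201.2.1.1 1
!
object network LOCAL_LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.1.1.0 255.255.255.0
!
! Identity NAT on the outside/outside pair: the L2L traffic is not translated in
! either direction; route-lookup keeps the egress decision on the routing table.
nat (outside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
!
! Crypto ACL, defined exactly as for an ordinary L2L tunnel.
access-list L2L_CRYPTO extended permit ip object LOCAL_LAN object REMOTE_LAN
!
! Cleartext LAN -> remote packets arrive on outside from the router and must be
! permitted before the crypto map encrypts them. Decrypted VPN traffic bypasses
! this ACL because sysopt connection permit-vpn is enabled by default.
access-list OUTSIDE_IN extended permit ip object LOCAL_LAN object REMOTE_LAN
access-group OUTSIDE_IN in interface outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
!
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
!
! --- Internet router (IOS), placeholder addressing ---
! Route the remote subnet to the ASA, and keep the LAN <-> remote pair out of the
! overload NAT so the router does not translate it before the ASA encrypts it.
ip route 10.1.1.0 255.255.255.0 201.2.1.200
ip access-list extended NAT_INSIDE
 deny   ip 192.168.10.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
```

The router-side deny entry is the piece most often forgotten: without it the router's PAT rewrites the LAN source to the public address, the packet no longer matches the crypto ACL on the ASA, and the tunnel comes up but carries traffic in one direction only. Verify on the ASA with show crypto ipsec sa and check that both the encaps and decaps counters increase for the 192.168.10.0/24 <-> 10.1.1.0/24 pair.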
07-31-2014 07:38 AM
Thanks again.
The physical design is as below.
The Internet router is the internet-facing device and the ASA hangs off the Internet router.
And I'll be terminating the VPN on 201.2.1.200.

    Remote Site
         ||
         ||
    Internet Router ====== ASA
         ||
         ||
      Core LAN
07-31-2014 08:39 PM
Hi,
Why can't you have a design like this?
Your Internet Router <-->ASA<-->Core. In this case you can achieve it much more easily.
Regards
Karthik
07-31-2014 10:32 PM
Hi,
Thanks for your reply.
I totally agree. I have expressed my concern over this and the complexity going forward when it needs to be fully migrated to the ASA.
Now we have decided to run a connection between the ASA and the core switch and have a static route configured on the core switch, destined to the tunneled remote network via the ASA and out to the router. This way we can slowly migrate AnyConnect users to the ASA, and the other site-to-site VPNs currently configured on the Internet router.
Do you see any potential issues with this?
07-31-2014 11:35 PM
Hi,
Yes, I agree with your proposed design. Rather than doing hairpinning and all the workarounds, this would be the straightforward method, which will make things much simpler.
Even better would be to bring the ASA in between the router and the core switch; I mean the internet-facing (outside) interface of the ASA will face towards the router and the LAN-facing (inside) interface will connect to the core router. Then you can configure site-to-site and AnyConnect on the ASA itself and make the router just do routing towards the internet. But based on your present production environment and the impact, you can decide how you want to migrate.
Regards
Karthik
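The interim design agreed in the last two posts (ASA outside interface off the Internet router, a second link from the ASA to the core switch, and a static route on the core for the remote network), as an added example that is not configuration from the thread or from either poster. Only 201.2.1.200 and 10.1.1.0/24 are from the thread; the router address 201.2.1.1, the ASA-to-core link 192.168.254.0/30, the LAN 192.168.10.0/24 and the object and ACL names are placeholders, and the NAT syntax assumes ASA 9.x. The IKE policy, transform set, crypto map and tunnel-group are the ordinary L2L ones and are the same as on any single-arm ASA, so they are not repeated here.

```text
! Added example, not from the thread. ASA 9.x with a second arm to the core.
! Placeholders: 201.2.1.1 (router), 192.168.254.0/30 (ASA-core link),
! 192.168.10.0/24 (corporate LAN). Crypto policy/map/tunnel-group omitted,
! they are unchanged from an ordinary L2L tunnel.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 201.2.1.200 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.254.1 255.255.255.252
!
! Internet via the router, corporate LAN via the core switch. No hairpin and
! no same-security-traffic command needed now that traffic crosses interfaces.
route outside 0.0.0.0 0.0.0.0 201.2.1.1 1
route inside 192.168.10.0 255.255.255.0 192.168.254.2 1
!
object network LOCAL_LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.1.1.0 255.255.255.0
!
! Ordinary NAT exemption for the tunnel pair across inside/outside.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup
access-list L2L_CRYPTO extended permit ip object LOCAL_LAN object REMOTE_LAN
!
! --- Core switch (IOS), placeholder addressing ---
! Only the tunneled remote network is steered to the ASA. The core's default
! route still points at the Internet router, so general internet traffic and
! the router's existing NAT/ACLs are untouched during the migration.
ip route 10.1.1.0 255.255.255.0 192.168.254.1
!
! --- Internet router (IOS) ---
! Nothing VPN-specific is required: IKE/ESP leaves the ASA sourced from
! 201.2.1.200 on the router's public subnet and is routed like any other host.
! Make sure the router's NAT does not translate 201.2.1.200, i.e. the
! ASA-facing interface is not an "ip nat inside" interface.
```

The one thing to check with this split is asymmetry: every destination the tunnel carries must be routed to the ASA on the core, and every LAN prefix in the crypto ACL must have a route out the ASA's inside interface. A prefix present in the crypto ACL but missing from the core's static routes returns via the router instead, and the ASA sees only one direction of the flow.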
08-07-2014 10:27 AM
Thanks Karthik,
08-07-2014 10:27 AM
Hi,
Can you please share your L2L configs from both sides?
Also, can you check by enabling debug crypto isakmp 128?
Because when you initiate from ASA 8.2, traffic is not getting initiated, or tunnel phase 1/2 is not getting through. Do you have proper routing enabled from the local LAN to the FW?
Regards
Karthik