Re: IPSec VPN tunnel question

harringtonrd · ‎10-29-2010

For a Cisco ASA 5505, Vlan1 (Outside ) is connected to the Internet, but Vlan2 (Inside) is

not connected to anything. Can the IPSec VPN tunnel be established in this situation.

I am unable to verify it. Please help!

Thank you!

Yudong Wu · ‎10-29-2010

Not sure what kind of VPN you are implementing here. If the other end can initiate vpn traffic, the traffic could bring up the tunnel and you can verify it on ASA 5505 by "show crypto isa sa" and 'show crypto ipsec sa".

harringtonrd · ‎10-29-2010

Let me rephrase my question.

On the back of the ASA 5505, there are 8 ethernet ports, port 0 through port 7.

Port 0 of my ASA 5505 is connected to the Internet. Do I need to connect any

computers to port 1 through 7 in oder to bring up the VPN tunnel?

Thanks,

Yudong Wu · ‎10-29-2010

I think it is not nessary. Saying you have a lan-2-lan vpn, you can initiate the traffic (the traffic need to go into tunnel) from the other end to bring the tunnel up.

If the traffic has to be initiated from ASA 5505, then you have to connect a PC to it to generate some traffic to bring up vpn tunnel.

L2L IPSec tunnel won't come up by itself unless there is related traffic which need to be sent via tunnel.

stevjarbeck · ‎10-29-2010

The issue seems to be with NAT.

try this:

access-list Inside_nat0_outbound extended permit ip {inside network} 255.255.255.0 {VPN network} 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any (VPN network) 255.255.255.0

nat (insidel) 0 access-list Inside_nat0_outbound

so...

INSIDE is 10.10.10.x

VPN is 10.10.254.x

example:

access-list Inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.254.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.10.254.0 255.255.255.0 The issue is with NAT.

make certain that it is added to the PAT pool.

global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Hopefully this helps, let me know.

Steve