
IPSec VPN tunnel question

harringtonrd
Level 1

For a Cisco ASA 5505, Vlan1 (Outside) is connected to the Internet, but Vlan2 (Inside) is not connected to anything. Can the IPSec VPN tunnel be established in this situation?

I am unable to verify it. Please help!

Thank you!

4 Replies

Yudong Wu
Level 7

Not sure what kind of VPN you are implementing here. If the other end can initiate VPN traffic, the traffic could bring up the tunnel and you can verify it on the ASA 5505 with "show crypto isa sa" and "show crypto ipsec sa".

Let me rephrase my question.

On the back of the ASA 5505, there are 8 Ethernet ports, port 0 through port 7.

Port 0 of my ASA 5505 is connected to the Internet. Do I need to connect any computers to port 1 through 7 in order to bring up the VPN tunnel?

Thanks,

I think it is not necessary. Say you have a LAN-to-LAN VPN: you can initiate the traffic (traffic that needs to go into the tunnel) from the other end to bring the tunnel up.

If the traffic has to be initiated from the ASA 5505, then you have to connect a PC to it to generate some traffic to bring up the VPN tunnel.

An L2L IPSec tunnel won't come up by itself unless there is related traffic which needs to be sent via the tunnel.

stevjarbeck
Level 1

The issue seems to be with NAT.

try this:

access-list Inside_nat0_outbound extended permit ip {inside network} 255.255.255.0 {VPN network} 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any {VPN network} 255.255.255.0

nat (inside) 0 access-list Inside_nat0_outbound

so...

INSIDE is 10.10.10.x

VPN is 10.10.254.x

example:

access-list Inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.254.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip any 10.10.254.0 255.255.255.0

The issue is with NAT.

Make certain that it is added to the PAT pool.

global (inside) 1 interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

Hopefully this helps, let me know.

Steve
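The two answers above make one combined point: the tunnel only negotiates when a packet matches the crypto-map ACL, and on the ASA that match is evaluated after NAT, so an inside host whose traffic is PAT'd to the outside address (no nat0 exemption) never produces interesting traffic. The following Python script is an added example, not configuration or code from this thread or from Cisco: it parses ASA-style `access-list ... extended permit ip` lines (the nat0 ACL is modelled on the one Steve posted) and walks a few constructed flows through that order of operations. The crypto-map ACL name `outside_cryptomap`, the outside address 203.0.113.10 and the Internet destination 198.51.100.1 are assumptions made up for the example.

```python
import ipaddress

# Constructed values for this example; none of these come from the thread's device.
# The nat0 ACL is modelled on the one posted above (10.10.10.x inside, 10.10.254.x VPN).
NAT0_ACL = [
    "access-list Inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.10.254.0 255.255.255.0",
]
# The crypto-map ACL ("interesting traffic") is assumed; its name is hypothetical.
CRYPTO_ACL = [
    "access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.254.0 255.255.255.0",
]
OUTSIDE_IP = "203.0.113.10"  # assumed outside interface address used by 'nat (inside) 1' PAT


def _parse_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]: 'any', 'host A.B.C.D', or 'NET MASK'.
    Returns (network, index_of_next_token). ASA ACLs use real netmasks, not wildcard masks."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME extended permit ip SRC DST' into (name, src_net, dst_net)."""
    t = line.split()
    if t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACE (only 'extended permit ip' handled): {line}")
    src, i = _parse_addr(t, 5)
    dst, _ = _parse_addr(t, i)
    return t[1], src, dst


def acl_permits(acl_lines, src_ip, dst_ip):
    """True if any ACE in the list matches the flow (permit-only list, any-match semantics)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for _, src, dst in map(parse_ace, acl_lines))


def classify_flow(src_ip, dst_ip, nat0_acl=NAT0_ACL, crypto_acl=CRYPTO_ACL):
    """Model the ASA's outbound order of operations for an inside -> outside packet.

    1. NAT exemption (nat0) is checked first. A hit keeps the real source address;
       a miss sends the packet through dynamic PAT to the outside interface address.
    2. The crypto-map ACL is then evaluated against the post-NAT packet. Only a hit
       there counts as interesting traffic and triggers the tunnel negotiation.

    Returns (nat_action, tunnel_triggered) where nat_action is 'identity' or 'pat'.
    """
    if acl_permits(nat0_acl, src_ip, dst_ip):
        nat_action, post_nat_src = "identity", src_ip
    else:
        nat_action, post_nat_src = "pat", OUTSIDE_IP
    tunnel_triggered = acl_permits(crypto_acl, post_nat_src, dst_ip)
    return nat_action, tunnel_triggered


if __name__ == "__main__":
    flows = [
        ("10.10.10.5", "10.10.254.7", NAT0_ACL),   # inside host to the VPN peer network, nat0 present
        ("10.10.10.5", "10.10.254.7", []),         # same flow with the nat0 exemption missing
        ("10.10.10.5", "198.51.100.1", NAT0_ACL),  # inside host to the Internet (constructed address)
    ]
    for src, dst, nat0 in flows:
        action, triggered = classify_flow(src, dst, nat0)
        print(f"{src} -> {dst}: NAT={action:8s} tunnel_triggered={triggered}")
```

The second flow is the failure mode Steve is describing: the packet is legitimate inside-to-VPN traffic, but without the nat0 exemption its source becomes the outside address, the crypto ACL never matches, and the tunnel stays down with no error anywhere. The model also makes Yudong's point concrete: with no host behind the inside interface there is no first flow at all, so either a PC on ports 1 through 7 or the remote peer has to originate the traffic.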