L2L creation Question

mingram27 · ‎04-17-2012

Good Evening,

Please note the following question --> what is "triple redundant endpoints"?

Here is the scenario

- support company needs to VPN to specific LAN on my network

- provided the support company with 172.16.2.0/24

- support company says they cannot use that subnet because they are using the same subnet connection to another company

- (not sure why they can't use it since its a seperate VPN, but whatever)

- the entire 172.16.31.0 /24 is being used by my company

- so the support company states "create new L2L connection between the triple redundant endpoints and my FW"

- Can someone elaborate on the above or at least suggest another solution?

- Like what else could I do to provide VPN access for the support company to specific servers on my LAN that does not disrupt

my IP schema.

I would really appreciate any help with this.

Thank you

Jouni Forss · ‎04-17-2012

Hi,

I got to admit I have never even heard anyone use the term "triple redundant endpoints"

My first reaction was ->

I'd imagine it might be possible to configure more than 1 peer IP address for the L2L VPN connection. I have never really checked how it works

On to the topic,

Do you mean you have the local network 172.16.2.0/24 network the support company has to reach? If thats the case then the overlapping networks aint a problem. You can NAT the whole network to some other private address range /24 network before the traffic enters the new L2L VPN tunnel.

Also to even help you abit I would need to know:

What device would you be using for the L2L VPN?
What software is the device running?
Have you agreed on the Phase1 and Phase2 parameters (except for the network that will be visible to the support company)

- Jouni

mingram27 · ‎04-18-2012

What device would you be using for the L2L VPN?

answer --> ASA 5520

What software is the device running?

answer --> ver 8.3

Have you agreed on the Phase1 and Phase2 parameters (except for the network that will be visible to the support company)

answer --> DH Grp2, 3DES, SHA (phase 1 and 2) and PFS

Hope that answers your question. Thank you very much for your help with this and I am glad I am not the only one that has not heard of "triple redundant endpoints"

Jouni Forss · ‎04-18-2012

Hi,

Your ASA L2L VPN configuration might look something like this:

interface names outside and inside
Use equal mask on the LOCAL and NAT objects

object network L2LVPN-LOCAL-LAN

subnet

object network L2LVPN-NAT-LAN

subnet

object network L2LVPN-DESTINATION

subnet

nat (inside,outside) source static L2LVPN-LOCAL-LAN L2LVPN-NAT-LAN destination static L2LVPN-DESTINATION L2LVPN-DESTINATION

access-list L2L-VPN-CONNECTION-TRAFFIC permit ip object L2LVPN-NAT-LAN object L2LVPN-DESTINATION

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map 1 match address L2L-VPN-CONNECTION-TRAFFIC

crypto map 1 set peer

crypto map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map 1 set pfs 2

crypto map 1 set reverse-route

crypto map interface outside

crypto ikev1 enable outside

group-policy L2LVPN-GROUP-POLICY internal

group-policy L2LVPN-GROUP-POLICY attributes

vpn-tunnel-protocol ikev1

tunnel-group type ipsec-l2l

tunnel-group general-attributes

default-group-policy L2LVPN-GROUP-POLICY

tunnel-group ipsec-attributes

ikev1 pre-shared-key

Might have forgotten something but should be about it. Just need to make sure the Phase1 and Phase2 parameters match

Also you need to make sure that the traffic from the remote network is allowed to the hosts you want them to access.

- Jouni

L2L creation Question

Automating Risk Meter Creation

VPC creation

Question About Transceiver Compatibility

WxCC Tenant creation

Création en Direct d'une Fabric SD-Access : Démo et Étapes Clés (Q&R)