Solved: Re: L2L tunnel btwn two sites. Can I initiate L2L on Sub-interfa

Eric Boadu · ‎04-30-2010

Can I initiate L2L IPSec tunnel with below configuration? Or Can I use the external IP address to established (remote peer) IPSec L2L tunnel without physically assigning to the outside interface? Right now outside interface is private facing ISP. I don’t have the leverage to add router. Please let me know how and if below example configuration can meet my situation. The sub-interface IP address will be connecting to the ISP from the ASA 5520 firewall. My PPP link between the two sites is going under maintenance for long time. Thank you in advance!

Example:

interface GigabitEthernet0/0

description untrusted link

nameif outside

security-level 0

ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2<<Public IP

interface GigabitEthernet0/0.5

description untrusted link

nameif outside

security-level 0

ip address 10.1.10.2 255.255.255.248 standby 10.1.10.3 << private IP to ISP core end.

Or

interface GigabitEthernet0/0

no shut

interface GigabitEthernet0/0.5

description untrusted link

encapsulation dot1Q 5

nameif outside

security-level 0

ip address 191.161.4.1 255.255.255.0 standby 191.161.4.2<<Public IP

interface GigabitEthernet0/0.10

description untrusted link

encapsulation dot1Q 10

nameif outside

security-level 0

ip address 10.1.10.2 255.255.255.248 standby 10.1.10.3 << private IP to ISP core end.

Thanks,

Eric

Federico Coto Fajardo · ‎04-30-2010

Eric,

If the ASA has a private IP, you can terminate the L2L on the public IP (of the router in front) and create a 1-1 STATIC NAT. In this way, VPN traffic will be sent through the ASA.

Another option (I have not done it, but I think it should work) is terminating the VPN on the subinterface of the ASA. As long as the IP is routable and reachable it should work.

Federico.

View solution in original post

Eric Boadu · ‎04-30-2010

Federico, any advice on this config?

Federico Coto Fajardo · ‎04-30-2010

Hi Eric,

If I understand correctly, you want to terminate the L2L on the ASA.

You want to terminate the tunnel on the IP address of the outside interface? Or you want to terminate the tunnel on a subinterface IP?

Either way you should be able to do it, since you can enable ISAKMP and apply the crypto map on both physical interface or subinterface.

What's exactly the issue that you're facing?

Federico.

Eric Boadu · ‎04-30-2010

Thank you Federico, My firewall is directly connected to ISP via 10.1.10.2 on outside interface.

Now, since this is non routable IP address on my outside interface facing ISP; I wanted to create sub-interface on the outside and assign routable IP address 191.161.4.1 to it. I wanted to make sure that I can establish IPSec L2L tunnel via the web. Inside is 172.16.10.0/24

Thanks,

Eric

Federico Coto Fajardo · ‎04-30-2010

Eric,

If the ASA has a private IP, you can terminate the L2L on the public IP (of the router in front) and create a 1-1 STATIC NAT. In this way, VPN traffic will be sent through the ASA.

Another option (I have not done it, but I think it should work) is terminating the VPN on the subinterface of the ASA. As long as the IP is routable and reachable it should work.

Federico.

Eric Boadu · ‎04-30-2010

Ok great, I will go with the sub-interface configuration. The router in front of my firewall is managing by the ISP and sharing the same public IP address with many customers. Thank you so much Federico!

L2L tunnel btwn two sites. Can I initiate L2L on Sub-interface?