Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2953
Views
0
Helpful
4
Replies

Site-to-Site VPN from ASA private IP to ASA public IP

Francisco Ordas
Level 1
Level 1

‎01-15-2013 07:56 AM

Hello,

We have site A with ASA 520, connected to internet with public IP, and site B connected to internet with private IP, because internet connection is shared with other companies in the building (we can't modify internet access point).

We would like to install another ASA 520 in site B, behind the private IP, and create a VPN IPSec between both site.

Is it possible to initiate a VPN site-to-site IPSec tunnel between an ASA with private IP and another with public IP ?

Thanks very much

Francisco

Labels:
0 Helpful
4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

‎01-15-2013 08:45 AM

Hi,

One option that might be better suited for your situation would be to use EasyVPN / Hardware VPN Client.

In this case the site which cant use a Static Public IP address would act as a VPN Client. The actual ASA would connect to the central ASA with a VPN connection as long as it had some sort of Internet connectivity. (even through a shared public PAT IP address).

Therefore you could connect the 2 sites.

Here are some link for reference (both Cisco and Non Cisco)

ASA to PIX Server-Client setup (Cisco Document)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805c5ad9.shtml

ASA5510 and ASA5505 Server-Client setup (Non Cisco)

http://www.petenetlive.com/KB/Article/0000337.htm

- Jouni

0 Helpful

Francisco Ordas
Level 1
Level 1
In response to Jouni Forss

‎01-16-2013 12:52 AM

Thanks very much Jouni

0 Helpful

Karsten Iwen
VIP
VIP

‎01-15-2013 09:40 AM

Just to add on Jounis answer (that is probably the best/easiest solution):

1) This setup with the hardware-client only works with the 5505, you can't use an ASA 5520 on the branch with the private IP for that. But the 5505 will probably be enough.

2) For your original question: Yes, it would also work with a traditional VPN-setup, but only the branch can initiate the connection.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Francisco Ordas
Level 1
Level 1
In response to Karsten Iwen

‎01-16-2013 12:53 AM

Hi Karsten,

Thanks for this note

0 Helpful
Customers Also Viewed These Support Documents