
VPN Tunnels between Cisco ASAs with VLAN + Hairpin.

martinaire
Level 1

I have two Cisco ASAs (5520 and 5505) both with version 9.1(7) with VPN Plus and Security Plus licenses. I'm trying to figure out a strategy to tunnel all internet traffic from a particular VLAN on the 5520 over to the 5505 for subsequent routing to internet (like a hairpin/u-turn). A few caveats:

  1. The 5505 has a dynamically assigned internet address.
  2. The 5505 occasionally has no devices powered on behind it, bringing inside interface(s) down (potentially causing issues for site-to-site).
  3. The 5520 cannot be an ezvpn client due to its current role as a webvpn (anyconnect) server.

Let me know if I need to post my current config. Basically, I'm starting from scratch after multiple attempts.

Thanks!

Accepted Solution

Dinesh Moudgil
Cisco Employee
  1. The 5505 has a dynamically assigned internet address.

You may use the following doc to configure the VPN and then this document to configure hairpinning/U-turning.

  2. The 5505 occasionally has no devices powered on behind it, bringing inside interface(s) down (potentially causing issues for site-to-site).

Make sure the inside interface is plugged into a switch so that it remains UP all the time.

  3. The 5520 cannot be an ezvpn client due to its current role as a webvpn (anyconnect) server.

You can use a normal dynamic-to-static VPN rather than an EzVPN tunnel.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
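As an added illustration of the dynamic-to-static site-to-site design recommended above (this is not configuration from the thread, from the linked Cisco documents, or from either poster), here is a minimal ASA 9.1 IKEv1 pair. It assumes the ASA with the static public address (203.0.113.10, a constructed placeholder) is also the internet egress point for the remote VLAN, because that is the only arrangement this design supports: the dynamic-address ASA holds the static crypto map and initiates, and the static-address ASA accepts the peer through a dynamic crypto map and hairpins the tunneled traffic back out its outside interface. Subnets, object and map names, and the pre-shared-key placeholder are all assumptions.

```cisco
!!! Static-address ASA (hub; internet egress for the remote VLAN) !!!
! Let traffic that arrived on "outside" leave through "outside" again (the hairpin/U-turn)
same-security-traffic permit intra-interface

! Constructed placeholder subnets
object network HUB-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-VLAN
 subnet 10.20.0.0 255.255.255.0

! IKEv1 phase 1 and phase 2 parameters (must match the spoke)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic crypto map: accept a peer whose address is not known in advance
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto dynamic-map DYN-MAP 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Peers with no matching tunnel-group authenticate against DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK

! NAT section 1 (evaluated in order):
!  - hub LAN <-> remote VLAN stays untranslated
!  - remote VLAN arriving over the tunnel is PATed to the outside address on its way back out
nat (inside,outside) source static HUB-LAN HUB-LAN destination static REMOTE-VLAN REMOTE-VLAN no-proxy-arp route-lookup
nat (outside,outside) source dynamic REMOTE-VLAN interface

!!! Dynamic-address ASA (spoke; sends the whole VLAN through the tunnel) !!!
object network SPOKE-VLAN
 subnet 10.20.0.0 255.255.255.0

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic: everything from the VLAN, to anywhere
access-list VPN-ALL-TRAFFIC extended permit ip 10.20.0.0 255.255.255.0 any

! Static crypto map pointing at the hub's static address; this side initiates
crypto map OUTSIDE-MAP 10 match address VPN-ALL-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-STRONG-PSK
 ! Dead peer detection so a stale SA is torn down soon after either address changes
 isakmp keepalive threshold 10 retry 2

! Keep the VLAN's real addresses when tunneled (no local PAT before encryption)
nat (inside,outside) source static SPOKE-VLAN SPOKE-VLAN destination static any any no-proxy-arp route-lookup
```

Which ASA plays the hub is dictated by which one has the static address, not by model: only the spoke, with its `permit ip <VLAN> any` crypto ACL, can bring the tunnel up, so the egress site must be the static one. The dynamic crypto map and `DefaultL2LGroup` coexist with an AnyConnect (webvpn) configuration on the same outside interface, which is why an L2L tunnel rather than EzVPN fits the 5520's existing role.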


5 Replies


Your answer was very helpful and exactly what I needed based on my question. However, in attempting to set this up, I realized that I misstated the first caveat. The 5505 and 5520 both have dynamically assigned internet addresses. Is there a way to do ASA-to-ASA dynamic-to-dynamic? Thanks!

ASA supports only the RFC-compliant method for dynamic DNS updates, not the HTTP updates that dyndns.org and others use.
i.e. https://tools.cisco.com/bugsearch/bug/CSCsk25102/?reffering_site=dumpcr

On ASA , it is not possible to configure tunnel between two dynamic peers.
You will need to have one static end to configure static to dynamic IP.

For routers, you can follow this link.
Hope this helps.

Regards,
Dinesh Moudgil


P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

All I have is the ASA 5505 and ASA 5520 both with dynamic IP addresses. Short of purchasing a static IP (which may not be possible), are there any other options to make this work with my current hardware? Thanks again.

I am afraid you would need at least one side to have a static IP to terminate a dynamic-to-static VPN tunnel. Usually dyndns works, but it would not in the case of ASA. If you do have a router ahead of the ASA, you could use this document.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/