How to create connection between DMZ and branch office ASA

LightstatAshok
Level 1

Hi,

I have attached a hand drawn sketch and here is the question.

I have 2 ASA 5510s in the main office. One (the main company internet firewall, 192.168.1.0/24) has an L2L IPsec VPN tunnel with the branch office (5508; internal 172.16.0.0/16), and there are no issues here.

The 2nd 5510 in the main office has a web server and some other devices which need to be connected with the branch office as well. Is there a way I can do that without having to set up another L2L tunnel? And somehow make use of all the main office network devices being in the same closet and create some kind of route?

Would appreciate suggestions.

Thanks,

Ashok

Accepted Solution

AndreaTornaghi
Level 1

Hi Ashok,

Do you have the possibility to insert a layer 3 device that is not the ASA?

From your schema it seems that the two ASAs are not able to speak to each other, so in this case the only solution is to configure a new VPN tunnel.
Otherwise you can consider creating a point-to-point link between the two ASAs, using a dedicated interface, and use it for routing the traffic from one 5510 to the other.

Kind Regards 

3 Replies

Hi Andrea,

Actually, I did connect the two switches, which were connected to the 'internal' interfaces of both 5510s, so I had a direct link there (which is the same as suggested in your second paragraph). Then, with the help of Cisco TAC, they set up the ACL and route between them using the VPN tunnel. I appreciate your taking the time and your suggestion, and will mark this as the 'Correct Answer'.

Thanks,

Ashok

Hi,

By 'using the VPN tunnel' I meant using the existing L2L IPsec tunnel between the 192.168.1.0/24 5510 and the 5508.

Just wanted to make sure I put it there.

Thanks

Ashok
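The follow-up above says TAC set up "the ACL and route" so the second 5510's hosts ride the existing L2L tunnel. The configuration below is an added illustration of what that typically involves on an ASA; it is not the TAC configuration or anything posted in this thread, and the interface addresses, the 192.168.2.0/24 server segment behind the second 5510, the object/ACL/group-policy names and the peer address 203.0.113.2 are all assumed placeholders.

```cisco
! ---- Main-office 5510 "A": Internet firewall, existing L2L tunnel to the branch ----
! Assumptions (not from the thread): A inside = 192.168.1.1, B inside = 192.168.1.2
! on the joined switches, B's server segment = 192.168.2.0/24, existing crypto ACL
! named L2L_BRANCH already bound to the crypto map, ASA 8.3+ NAT syntax.
!
! 1. Static route: reach B's server segment across the inter-switch link
route inside 192.168.2.0 255.255.255.0 192.168.1.2 1
!
! 2. Extend the interesting-traffic ACL of the existing tunnel so the new subnet
!    is encrypted into it (a second phase-2 SA, not a second tunnel)
access-list L2L_BRANCH extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list L2L_BRANCH extended permit ip 192.168.2.0 255.255.255.0 172.16.0.0 255.255.0.0
!
! 3. Identity NAT for the new subnet; without it the traffic is PATed to the
!    outside address and never matches the crypto ACL
object network B_SERVER_NET
 subnet 192.168.2.0 255.255.255.0
object network BRANCH_NET
 subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static B_SERVER_NET B_SERVER_NET destination static BRANCH_NET BRANCH_NET no-proxy-arp route-lookup
!
! 4. Least privilege: decrypted L2L traffic bypasses the outside interface ACL while
!    "sysopt connection permit-vpn" is on (the default), so restrict it with a
!    vpn-filter on the tunnel's group policy. The vpn-filter ACL is written with the
!    remote (branch) side as source; only the web server on 443 is reachable here.
access-list BRANCH_VPN_FILTER extended permit tcp 172.16.0.0 255.255.0.0 host 192.168.2.10 eq 443
group-policy BRANCH_L2L_GP internal
group-policy BRANCH_L2L_GP attributes
 vpn-filter value BRANCH_VPN_FILTER
! 203.0.113.2 = branch peer address (placeholder)
tunnel-group 203.0.113.2 general-attributes
 default-group-policy BRANCH_L2L_GP

! ---- Branch 5508: mirror the proxy identities, or phase 2 fails for the new subnet ----
access-list L2L_MAIN extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list L2L_MAIN extended permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
! (matching identity NAT for 172.16.0.0/16 <-> 192.168.2.0/24, as on A, not repeated)

! ---- Second 5510 "B": send branch-bound traffic to A over the same switch link ----
route inside 172.16.0.0 255.255.0.0 192.168.1.1 1
! Verify on A: "show crypto ipsec sa" should list a second SA for 192.168.2.0/24,
! and "packet-tracer input inside tcp 192.168.2.10 443 172.16.1.10 50000" should
! end in the VPN encrypt phase rather than a NAT or ACL drop.
```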
