How do I set up one ASA to send two VLANs over a VPN tunnel?

Posted on 2008-11-04
Last Modified: 2010-04-21
My job recently changed due to a relocation, so now I work from home.

I have one static IP through my ISP.  As a residential customer, I cannot get two statics on one DSL line and of course, I can't have both DHCP and Static on one line at the same time.  I am trying to figure this out without upgrading to a business line where two statics are allowed.

I currently use a VPN connection back to the office through my computer.  Now I need to add an ASA for an IP phone.

My computer and IP phone have to be on separate VLANs to work correctly.  How do I send both back to the office with only one static IP (two VLANs over one VPN tunnel)?
Question by: unitedtelcom

    Assisted Solution

    Do you have access to configure the VPN device at your workplace? What device is at your workplace? The one static from your ISP is not a problem.

    The VPN tunnel from your computer will have to transfer to the ASA, and you will need someone on the other end, if it isn't you, to configure the VPN tunnel.

    You will need the following for the ASA:

    Crypto maps specifying the peer IP of your workplace (firewall IP address), the encryption, and the ACL for the traffic to be passed through the tunnel (interesting traffic).
    A tunnel group specifying the IP address (if using version 7.0).
    An ACL specifying the traffic going to the workplace (interesting traffic). You will also need the hosts at your workplace that you need to talk to.

    Basically to give step by step you need to give more information.
    Do you have access to configure the other device? If not, can you get someone to set it up at the workplace?
    Do you know the hosts you need access to through the tunnel?

    Accepted Solution

    Let's say the two VLANs at your house are and and that you have a single network at the office which is  If the firewall at the main office has an IP address of, then here are the commands you could use to do this:

    access-list outside_10_cryptomap extended permit ip
    access-list outside_10_cryptomap extended permit ip
    access-list inside_nat0_outbound extended permit ip
    access-list inside_nat0_outbound extended permit ip
    nat (inside) 0 access-list inside_nat0_outbound
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto map outside_map 10 match address outside_10_cryptomap
    crypto map outside_map 10 set peer
    crypto map outside_map 10 set transform-set ESP-AES-256-SHA
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
     pre-shared-key <whatever_preshared_key_you_want_to_use>

    If you don't want to use AES, then you can change it to 3DES or something else for the IPSEC and ISAKMP portions.
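The usual way a two-VLAN tunnel like the one above breaks is that the second home subnet gets added to the crypto map ACL but not to the nat 0 exemption ACL (or the tunnel-group for the peer is forgotten), so that VLAN's traffic is NATed to the outside address and never matches the tunnel. The following is an added Python consistency check for exactly those two points; it is not part of the answer above, the subnets and peer address in it are constructed sample values, and its regexes only cover the command forms used in the accepted answer.

```python
import re
from ipaddress import ip_network

# Constructed sample (RFC 1918 / RFC 5737 addresses, not the asker's real ones):
# two home VLANs in the crypto ACL, only the first exempted from NAT, no tunnel-group.
SAMPLE_CONFIG = """
access-list outside_10_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list outside_10_cryptomap extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 203.0.113.1
"""
# The same snippet with the second VLAN exempted and the tunnel-group added.
FIXED_CONFIG = SAMPLE_CONFIG + """\
access-list inside_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.0.0
tunnel-group 203.0.113.1 type ipsec-l2l
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config):
    """Map ACL name -> set of (src_net, dst_net) parsed from 'permit ip' lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls

def _pairs(config, pattern):
    """Union of the subnet pairs of every ACL whose name the pattern captures."""
    acls = parse_acls(config)
    return set().union(*(acls.get(n, set()) for n in re.findall(pattern, config, re.M)))

def missing_nat_exemptions(config):
    """Pairs in a crypto map ACL but in no nat 0 ACL: that traffic is NATed to the
    outside address and never matches the tunnel. Returned as 'src -> dst' strings."""
    interesting = _pairs(config, r"^crypto map \S+ \d+ match address (\S+)$")
    exempt = _pairs(config, r"^nat \(\S+\) 0 access-list (\S+)$")
    return sorted(f"{s} -> {d}" for s, d in interesting - exempt)

def peers_without_tunnel_group(config):
    """Crypto map peers with no matching 'tunnel-group <peer> type ipsec-l2l'."""
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)$", config, re.M))
    groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M))
    return sorted(peers - groups)
```

Run against a `show running-config` capture, an empty result from both functions means each VLAN in the crypto ACL is also NAT-exempt and every peer has its tunnel-group.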

    Author Closing Comment

    Thank you so much. My guys at the office tell me this is what they were looking for.  I'll be set up early next week with my phone in hand.

    Thanks again for your time and effort!

    Expert Comment

    Good luck!
