  • Status: Solved

How do I set up one ASA to send two VLANs over a VPN tunnel?

My job recently changed due to a relocation, so now I work from home.

I have one static IP through my ISP.  As a residential customer, I cannot get two statics on one DSL line and of course, I can't have both DHCP and Static on one line at the same time.  I am trying to figure this out without upgrading to a business line where two statics are allowed.

I currently use a VPN connection back to the office through my computer.  Now I need to add an ASA for an IP phone.

My computer and IP phone have to be on separate VLANs to work correctly.  How do I send both back to the office with only one static IP (two VLANs over one VPN tunnel)?
2 Solutions
Do you have access to configure the VPN device at your workplace? What device is at your workplace? The one static from your ISP is not a problem.

The VPN tunnel from your computer will have to transfer to the ASA, and you will need someone on the other end, if it isn't you, to configure the VPN tunnel.

You will need the following for the ASA:

Crypto maps specifying the peer IP of your workplace (firewall IP address), the encryption, and the ACL to be passed through the tunnel (interesting traffic),
and a tunnel group specifying the IP address (if using version 7.0).
An ACL specifying the traffic going to the workplace (interesting traffic). You will also need the hosts from your workplace that you need to talk to.

Basically, to give step-by-step instructions, you need to give more information.
Do you have access to configure the other device? If not, can you get someone to set it up at the workplace?
Do you know the hosts you need access to through the tunnel?
Let's say the two VLANs at your house are and and that you have a single network at the office which is  If the firewall at the main office has an IP address of, then here are the commands you could use to do this:

access-list outside_10_cryptomap extended permit ip
access-list outside_10_cryptomap extended permit ip
access-list inside_nat0_outbound extended permit ip
access-list inside_nat0_outbound extended permit ip
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key <whatever_preshared_key_you_want_to_use>

If you don't want to use AES, then you can change it to 3DES or something else for the IPSEC and ISAKMP portions.
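
The configuration above needs one entry per home VLAN in both the crypto-map ACL and the NAT-exemption ACL; a VLAN missing from either will typically not pass through the tunnel. The following check is an added example, not part of the posted answer: a Python script that parses ASA-style lines in network/mask form and reports the missing entries. All addresses in it (192.168.10.0/24, 192.168.20.0/24, 10.0.0.0/24, 203.0.113.10) are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config: every address below is a made-up placeholder.
SAMPLE_CONFIG = """\
access-list outside_10_cryptomap extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_10_cryptomap extended permit ip 192.168.20.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto map outside_map 10 match address outside_10_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
"""

# Only "network mask network mask" entries are parsed; host/any forms are skipped.
ACL_RE = re.compile(
    r"^access-list (\S+) extended permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)\s*$")


def parse_acls(config):
    """Map ACL name -> set of (source network, destination network) pairs."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, set()).add(pair)
    return acls


def missing_entries(config, local_nets, remote_net):
    """Return (acl_name, local_net) pairs that the tunnel still needs."""
    acls = parse_acls(config)
    crypto = re.search(r"^crypto map \S+ \d+ match address (\S+)", config, re.M)
    nat0 = re.search(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M)
    remote = ipaddress.ip_network(remote_net)
    gaps = []
    for ref in (crypto, nat0):
        name = ref.group(1) if ref else "<unreferenced>"
        for net in local_nets:
            if (ipaddress.ip_network(net), remote) not in acls.get(name, set()):
                gaps.append((name, net))
    return gaps


if __name__ == "__main__":
    vlans = ["192.168.10.0/24", "192.168.20.0/24"]  # constructed home VLANs
    for acl, net in missing_entries(SAMPLE_CONFIG, vlans, "10.0.0.0/24"):
        print(f"{acl}: no permit for {net} -> office network")
```

In the constructed sample the second VLAN is deliberately left out of the NAT-exemption ACL, so the script reports that one gap.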
unitedtelcom (Author) Commented:
Thank you so much. My guys at the office tell me this is what they were looking for.  I'll be set up early next week with my phone in hand.

Thanks again for your time and effort!
Good luck!
