Is it possible to have a site to site ipsec vpn with two asa5510 with one being behind a dsl router?

Posted on 2010-01-02
Last Modified: 2013-12-14
Currently I have one asa5510 firewall with a public address and another behind a netgear dgnd3300 modem/router. Is it possible to create a site to site VPN in this scenario?
Question by:kwouk
    LVL 21

    Expert Comment

    In general if you can reach it you can create a tunnel to it. You may need to assign a NAT address for it on the dgnd3300.

    Author Comment

    I cannot manually NAT it, though.
    LVL 33

    Expert Comment

    Is the modem/router acting as a router or a modem?

    If it's a modem, then the ASA would have your DSL connection info (i.e. PPPoE) or your DSL static IP. Very straightforward setup.

    If it's a router, then your device has the external IP and has a private subnet range for the internal network. In this case, do you have a range of IP addresses from your DSL or just the 1 single IP? Is the IP static or dynamic?

    If the IP is dynamic, then the tunnel can be set up as a static-to-dynamic setup, with the tunnel builds coming only from the dynamic IP, if the modem/router supports IPsec passthrough.

    Otherwise, you should be able to either assign a static NAT or a port forward from the router to the ASA and build a static-to-static VPN.

    Author Comment

    The gateway is a modem/router, a netgear dgnd3300; I only have the one dynamic WAN address.

    Are you suggesting I use the ASA as the modem?

    LVL 33

    Expert Comment

    Almost all ISP DSL modem/routers can act as either a gateway router, where the device handles authentication to the ISP, NAT, etc., or as a DSL modem, which only does the signalling; the next inline device (your ASA) would then need to handle the PPPoE authentication and NAT to the rest of the internal network.

    I went and checked the manual for that device, and although the manual, on page 111, states it does bridged mode, in the Setup section I can see no options to change from routed mode to bridge mode. You might want to look at your web interface to see if it is obvious how to do this. Please note that if you put the device into bridge mode, you will lose the wireless capabilities of the device.

    If the device must remain in routed mode, then you need to port forward certain ports to the inside device to support VPN. You need protocol 50 and 51 and UDP 500 (4500). You must also use NAT-T on the netgear for this to work.

    LVL 18

    Expert Comment

    What you could do is set up an EasyVPN client/server config, with the ASA behind the router always initiating the tunnel to the ASA with the public address.

    It is a pretty painless config. Once the tunnel is set up the traffic is bidirectional; you just have to have something trigger it from the NATted side. I think you could use an SLA monitor with object tracking to kick it off automagically.

    hope this helps,


    Accepted Solution

    Ok, I first want to say thanks for all the comments; secondly I want to tell you how I got it to work.

    I used the dgnd3300 to forward ports 50, 51, 500 and 4500 to my outside ASA interface.

    I used the dgnd3300 and put the outside address of the ASA as the DMZ server.

    I used the dgnd3300 inside address as the gateway for the ASA.

    I set the peer on the second ASA to find the public WAN address of the dgnd3300.

    I made sure the policies, encryption, and crypto maps matched on both ASAs through the command line (ASDM just causes more problems).

    Found out the hard way that the crypto maps cannot use "any" in source or destination networks.

    PFS needs to be disabled.

    NAT-T turned on.

    Reverse route injection turned on.

    And it works!!!
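As an added illustration (not from the thread or the asker's own config), here is what the accepted solution's points look like on the ASA that sits behind the dgnd3300, in ASA 8.2-era CLI syntax: explicit subnets in the crypto ACL instead of "any", no PFS line on the crypto map, NAT-T enabled, reverse route injection on, and the default route pointing at the router's inside address. All addresses, names and the pre-shared key are constructed placeholders; the public-side ASA mirrors this with the peer set to the dgnd3300's WAN address.

```cisco
! --- Constructed example: NAT-side ASA 5510, ASA 8.2-style syntax ---
! Outside interface gets a private address handed out by the dgnd3300 (placeholder 192.168.0.2);
! the router's inside address (192.168.0.1) is the ASA's default gateway.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.0.1

! Interesting traffic: explicit local and remote subnets only (no "any")
access-list L2L-TRAFFIC extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
! Exempt the tunnelled traffic from the ASA's own NAT (pre-8.3 identity NAT)
access-list NONAT extended permit ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Phase 1 (ISAKMP); the same policy must exist on the other ASA
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! NAT-T so ESP is encapsulated in UDP/4500 through the dgnd3300's NAT
crypto isakmp nat-traversal 20

! Phase 2 (IPsec); the transform set must match the peer exactly
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

! Crypto map: peer is the public ASA (placeholder 203.0.113.10).
! Deliberately no "set pfs" line: PFS stays disabled, as in the accepted solution.
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 10 set reverse-route
crypto map OUTSIDE-MAP interface outside

! Tunnel group keyed by the peer address; PSK is a placeholder
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
```

Once both sides are up, `show crypto isakmp sa` and `show crypto ipsec sa` on either ASA confirm the phase 1 and phase 2 SAs, and the public-side ASA should show the NAT-T peer as the dgnd3300's WAN address on UDP port 4500.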
