?
Solved

Is it possible to have a site to site ipsec vpn with two asa5510 with one being behind a dsl router?

Posted on 2010-01-02
7
Medium Priority
?
450 Views
Last Modified: 2013-12-14
Currently I have one asa5510 firewall with a public address and another behind a netgear dgnd3300 modem/route, is it possible to create a site to site vpn in this scenerio?
0
Comment
Question by:kwouk
7 Comments
 
LVL 21

Expert Comment

by:Rick_O_Shay
ID: 26162651
In general if you can reach it you can create a tunnel to it. You may need to assign a NAT address for it on the dgnd3300.
0
 

Author Comment

by:kwouk
ID: 26163232
I cannot manually nat it though
0
 
LVL 33

Expert Comment

by:MikeKane
ID: 26163278
Is the modem/router acting as a router or a modem?  

If its a modem, then the ASA would have your DSL connection info (i.e. PPPOE) or your DSL static IP.   Very straightforward setup.

If its a router, then your device has the external IP and has a private subnet range for the internal network.   In this case, do you have a range of IP addresses from your DSL or just the 1 single IP?   Is the IP static or Dynamic?  

If the IP is dynamic, then the tunnel can be setup for a static to dynamic setup with the tunnel builds coming only from the dynamic IP if the the modem/router supports IPSEC passthrough.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Otherwise, you should be able to either assign a static NAT or a port forward from the router to the ASA and build a ststic to static VPN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 

Author Comment

by:kwouk
ID: 26165720
The gateway is a modem/router a netgear dgnd3300 I only have the one dynamic wan address.

Are you suggesting I use the ASA as the modem?

0
 
LVL 33

Expert Comment

by:MikeKane
ID: 26171644
Almost all ISP DSL modem/routers can act as either a Gateway router where the device handles authentication to the ISP, NAT, etc...  or as a DSL modem which only does the signalling and the next inline device (your ASA) would then need to handle the PPPOE authentication and NAT tot he rest of the internal network.

I went and checked the manual for that device...  ftp://downloads.netgear.com/files/DGND3300_UM_12Mar09.pdf     and although the manual,on page 111, states it does Bridged mode, in the Setup section, I can see no options to change from routed mode to bridge mode....     You might want to look at your web interface to see if it obvious how to do this.     Please note that if you put the device into bridge mode, you will lose the wireless capabilities of the device.    

If the device must remain in routed mode, then you need to port forward certain ports to the inside device to support VPN.   You need protocol 50 and 51 and UDP 500 (4500).  You must also use NAT-T on the netgear for this to work.


0
 
LVL 18

Expert Comment

by:decoleur
ID: 26194913
what you could do is set up an EasyVPN client server config with the ASA behind the router always initiating the tunnel to the ASA with the public address.

It is a pretty painless config. once the tunnel is set up the traffic is bidirectional, you just have to have something trigger it from the natted side. I think you could use a SLA Monitor with Object tracking to kick it off automagically.

hope this helps,

-t
0
 

Accepted Solution

by:
kwouk earned 0 total points
ID: 26195236
Ok, I first want to say thanks for all the comments, secondly I want to tell you how I got it to work.

I used the dgnd3300 to forward ports 50,51,500 and 4500 to my outside asa interface

I used the dgnd3300 and put the outside address of the asa as the dmz server

I used the dgnd3300 inside address as the gateway for the asa

I set the peer on the second asa to find the public wan address of the dgnd3300

I made sure the policies, encryption, and crypto maps matched on both asa's through command line (asdm just causes more problems)

Found out the hard way that the crypto maps cannot use "any" in source or destination networks

pfs needs to be disabled

nat-t turned on

reverse route injection turned on.

And it works!!!
0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses
Course of the Month16 days, 7 hours left to enroll

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question