Is it possible to have a site to site ipsec vpn with two asa5510 with one being behind a dsl router?

Currently I have one asa5510 firewall with a public address and another behind a netgear dgnd3300 modem/router, is it possible to create a site to site vpn in this scenario?
kwouk Asked:
kwouk (Author) Commented:
Ok, I first want to say thanks for all the comments, secondly I want to tell you how I got it to work.

I used the dgnd3300 to forward ports 50, 51, 500 and 4500 to my outside asa interface

I used the dgnd3300 and put the outside address of the asa as the dmz server

I used the dgnd3300 inside address as the gateway for the asa

I set the peer on the second asa to find the public wan address of the dgnd3300

I made sure the policies, encryption, and crypto maps matched on both ASAs through command line (asdm just causes more problems)

Found out the hard way that the crypto maps cannot use "any" in source or destination networks

pfs needs to be disabled

nat-t turned on

reverse route injection turned on.

And it works!!!
0
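A configuration fragment for the ASA sitting behind the DGND3300 that applies the points listed above (explicit subnets, NAT-T on, no PFS, reverse route injection, gateway set to the router's inside address); it is an added example, not the poster's own config, and the addresses, interface names, ACL and crypto map names are assumed.

```cisco
! --- ASA behind the DGND3300 (constructed example, ASA 8.0-8.2 syntax) ---
! Assumed addressing: DGND3300 LAN 192.168.0.1/24, this ASA outside 192.168.0.2,
! local LAN 192.168.2.0/24, remote ASA public 203.0.113.10, remote LAN 192.168.1.0/24.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.168.0.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
! Default gateway is the DGND3300's inside address, as the poster did.
route outside 0.0.0.0 0.0.0.0 192.168.0.1
! Interesting traffic: explicit subnets on both ends, never "any".
access-list L2L_VPN extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Exempt the same flows from NAT so they enter the tunnel with their real addresses.
nat (inside) 0 access-list L2L_VPN
! IKE phase 1: enable on outside and turn on NAT-T. With NAT-T, ESP is carried
! inside UDP 4500, which is why UDP 500 and 4500 must be forwarded by the DGND3300.
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Phase 2 transform set and crypto map; no "set pfs" line, so PFS stays disabled.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address L2L_VPN
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 10 set reverse-route
crypto map outside_map interface outside
! Peer identified by address; PLACEHOLDER key, replace with a strong shared secret.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PLACEHOLDER_PSK
! The public-side ASA mirrors this with the ACL reversed and "set peer" /
! "tunnel-group" pointing at the DGND3300's WAN address instead.
```

After bringing up traffic that matches L2L_VPN, `show crypto isakmp sa` and `show crypto ipsec sa` on either ASA confirm the phase 1 and phase 2 SAs and that the peer is seen behind NAT on UDP 4500.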
 
Rick_O_Shay Commented:
In general if you can reach it you can create a tunnel to it. You may need to assign a NAT address for it on the dgnd3300.
0
 
kwouk (Author) Commented:
I cannot manually nat it though
0
MikeKane Commented:
Is the modem/router acting as a router or a modem?  

If it's a modem, then the ASA would have your DSL connection info (i.e. PPPOE) or your DSL static IP. Very straightforward setup.

If it's a router, then your device has the external IP and has a private subnet range for the internal network. In this case, do you have a range of IP addresses from your DSL or just the 1 single IP? Is the IP static or dynamic?

If the IP is dynamic, then the tunnel can be set up for a static to dynamic setup with the tunnel builds coming only from the dynamic IP if the modem/router supports IPSEC passthrough.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Otherwise, you should be able to either assign a static NAT or a port forward from the router to the ASA and build a static to static VPN.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
0
 
kwouk (Author) Commented:
The gateway is a modem/router, a netgear dgnd3300. I only have the one dynamic wan address.

Are you suggesting I use the ASA as the modem?

0
 
MikeKane Commented:
Almost all ISP DSL modem/routers can act as either a gateway router where the device handles authentication to the ISP, NAT, etc... or as a DSL modem which only does the signalling and the next inline device (your ASA) would then need to handle the PPPOE authentication and NAT to the rest of the internal network.

I went and checked the manual for that device... ftp://downloads.netgear.com/files/DGND3300_UM_12Mar09.pdf and although the manual, on page 111, states it does Bridged mode, in the Setup section I can see no options to change from routed mode to bridge mode.... You might want to look at your web interface to see if it is obvious how to do this. Please note that if you put the device into bridge mode, you will lose the wireless capabilities of the device.

If the device must remain in routed mode, then you need to port forward certain ports to the inside device to support VPN. You need protocol 50 and 51 and UDP 500 (4500). You must also use NAT-T on the netgear for this to work.

0
 
decoleur Commented:
What you could do is set up an EasyVPN client server config with the ASA behind the router always initiating the tunnel to the ASA with the public address.

It is a pretty painless config. Once the tunnel is set up the traffic is bidirectional, you just have to have something trigger it from the natted side. I think you could use a SLA Monitor with Object tracking to kick it off automagically.

hope this helps,

-t
0
Question has a verified solution.