Cisco IPSec Site-to-Site VPN Config based on ASA5505-50-BUN-K9

Hi,

I'd like a scenario as below:

LAN1 ---> ASA5505-50-BUN-K9 --- NAT/Firewall by ISP ---> ISP --> Internet ---> Public IP --> ASA5505-50-BUN-K9 --> LAN2


I'd like a site-to-site IPSec VPN, but LAN1 will always initiate and the tunnel will always be up so that LAN2 can always reach LAN1.

Why I want LAN1 VPN Gateway to always initiate is that LAN2 VPN Gateway will never see LAN1 VPN Gateway since it is behind an ISP NAT while LAN1 VPN Gateway can always reach out to LAN2 VPN Gateway.

Is this scenario going to be possible?

Regards,
W
williamwlk Asked:
max_the_king Commented:
Hi,
I'm afraid you won't be able to accomplish that, since you need to reach a public IP address on the firewall that terminates the IPsec tunnel (site 1), and the router is managed by your ISP.
You should ask your ISP at site 1 to delete nat configuration on their router and manage the public IP addressing with your ASA (by assigning a public IP of your pool on the outside interface of your ASA).
hope this helps
max
0
 
williamwlk Author Commented:
Max,

Sorry I can't ask my ISP to change the design of the Infra.

But I can change my infra in my office.

So, instead of site to site, I will change my office to mobile VPN Users.

Users/Servers ---> VPN Client ---- NAT ---- ISP --- Internet ---- Public IP --> HQ VPN IPSec Gateway ---> HQ LAN


This should absolutely work, right?

W
0
 
max_the_king Commented:
Yes, it will work, as long as you have internet connectivity.
You may want to set the needed timeout on the vpn client session (on ASA vpn server side), otherwise the session will disconnect after 30 min inactivity by default (which may as well be correct if users are instructed to close vpn connection when they do not need it, and open it up when they need to connect).
For example:
group-policy yourpolicy attributes
 vpn-idle-timeout 480

if you want to allow up to 8 hours of inactivity.

hope this helps
max
0
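As an added example (not from the thread above), here is where that group-policy sits in a complete remote-access IPsec configuration on the ASA, so the idle timeout actually applies to the clients that connect through the ISP NAT. ASA 8.4+ syntax is assumed; the policy, tunnel-group, pool and address names are placeholders.

```cisco
! Added example for the remote-access scenario in the thread (ASA 8.4+ syntax assumed).
! Names, addresses and the pre-shared key placeholder are illustrative, not from the thread.
crypto ikev1 enable outside
!
! Clients connect from behind the ISP NAT, so make sure NAT-T (UDP/4500) is on.
crypto isakmp nat-traversal 20
!
! Addresses handed to connecting clients (constructed range).
ip local pool RA-POOL 10.10.20.1-10.10.20.50 mask 255.255.255.0
!
! The group policy carries the timeout from the answer above:
! 480 minutes of inactivity before the ASA tears the session down.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ikev1
 vpn-idle-timeout 480
 vpn-session-timeout none
!
! The tunnel-group binds the policy and pool to the connection profile.
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 ikev1 pre-shared-key <REPLACE-WITH-STRONG-KEY>
```

Without the default-group-policy binding, clients land in DfltGrpPolicy and the 480-minute idle timeout is never applied; check the session with "show vpn-sessiondb remote" to confirm which group policy was assigned.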

 
Ernie Beek Expert Commented:
0
 
williamwlk Author Commented:
Thanks Guys! Gotta love it.

W
0
 
williamwlk Author Commented:
Cheers!
0
Question has a verified solution.