Solved

Cisco IPSec Site-to-Site VPN Config based on ASA5505-50-BUN-K9

Posted on 2012-09-12
Last Modified: 2012-09-12
Hi,

I'd like a scenario as below:

LAN1 ---> ASA5505-50-BUN-K9 --- NAT/Firewall by ISP ---> ISP --> Internet ---> Public IP --> ASA5505-50-BUN-K9 --> LAN2


I'd like a site-to-site IPSec VPN, but LAN1 will always initiate and always be up, so that LAN2 can always reach LAN1.

The reason I want the LAN1 VPN gateway to always initiate is that the LAN2 VPN gateway will never see the LAN1 VPN gateway, since it is behind an ISP NAT, while the LAN1 VPN gateway can always reach out to the LAN2 VPN gateway.

Is this scenario going to be possible?

Regards,
W
Question by:williamwlk
6 Comments
 

Accepted Solution

by: max_the_king
ID: 38390254
Hi,
I'm afraid you won't be able to accomplish that, since you need to reach a public IP address on the firewall that terminates the IPsec tunnel (site 1), and the router is managed by your ISP.
You should ask your ISP at site 1 to delete the NAT configuration on their router and manage the public IP addressing with your ASA (by assigning a public IP from your pool to the outside interface of your ASA).
Hope this helps,
max
 

Author Comment

by:williamwlk
ID: 38390287
Max,

Sorry I can't ask my ISP to change the design of the Infra.

But I can change my infra in my office.

So, instead of site to site, I will change my office to mobile VPN Users.

Users/Servers ---> VPN Client ---- NAT ---- ISP --- Internet ---- Public IP --> HQ VPN IPSec Gateway ---> HQ LAN


This should absolutely work, right?

W
 

Assisted Solution

by: max_the_king
ID: 38390301
Yes, it will work, as long as you have internet connectivity.
You may want to set the needed timeout on the VPN client session (on the ASA VPN server side); otherwise the session will disconnect after 30 min of inactivity by default (which may as well be correct if users are instructed to close the VPN connection when they do not need it and open it when they need to connect).
For example:

group-policy yourpolicy attributes
 vpn-idle-timeout 480

if you want to allow up to 8 hours of inactivity.

hope this helps
max
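As an added example that is not from this thread, here is the fuller HQ-side ASA configuration the remote-access setup above implies: NAT traversal (required because the clients sit behind the ISP NAT), a group policy carrying the 8-hour idle timeout, and the tunnel-group, dynamic crypto map and NAT exemption that go with it. Names, addresses and the pre-shared key are placeholders, and the syntax assumes ASA 8.4 or later (ikev1 keywords).

```cisco
! Added example (not from the thread): HQ ASA as IPsec remote-access server for
! clients behind the ISP NAT. Names, addresses and the key are placeholders.
!
! NAT-T is mandatory here: ESP packets from the client are rewritten by the ISP
! NAT, so IKE/ESP must be encapsulated in UDP 4500 (keepalive every 20 s).
crypto isakmp nat-traversal 20
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Addresses handed to connected clients (placeholder range)
ip local pool RA-POOL 10.200.0.10-10.200.0.100 mask 255.255.255.0
!
! Only HQ LAN traffic goes through the tunnel; everything else stays local
access-list RA-SPLIT standard permit 192.168.10.0 255.255.255.0
!
! Idle timeout in minutes: 480 = 8 h as suggested above (default is 30).
! vpn-session-timeout caps total session length regardless of activity.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-idle-timeout 480
 vpn-session-timeout none
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
!
tunnel-group RA-GROUP type remote-access
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-GROUP ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
!
! Dynamic crypto map: the client's public address is not known in advance
crypto ipsec ikev1 transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set ikev1 transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
!
! Exempt HQ-LAN <-> client traffic from NAT (8.3+ twice-NAT syntax)
object network HQ-LAN
 subnet 192.168.10.0 255.255.255.0
object network RA-CLIENTS
 subnet 10.200.0.0 255.255.255.0
nat (inside,outside) source static HQ-LAN HQ-LAN destination static RA-CLIENTS RA-CLIENTS
```

Once a client connects, `show vpn-sessiondb ra-ikev1-ipsec` lists the session together with its idle time, which is the quickest way to confirm the timeout value has taken effect.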

 

Assisted Solution

by: Ernie Beek
ID: 38390733
 

Author Comment

by:williamwlk
ID: 38393433
Thanks Guys! Gotta love it.

W
 

Author Closing Comment

by:williamwlk
ID: 38393437
Cheers!
