ASA 5505 to ASA5505 L2L but with a twist?

drkatdrkat Banned Posts: 703
I have a head end site that is using a static IP tied to a 5505 running 8.2 - and inside on the network. I also have remote offices that are using broadband connections (dynamic IP) with 5505s at each location running 8.2 and are subsequently on

I need to have site to site connectivity for each of the remote locations

Now what I was figuring was to assign L2L tunnels and NAT'ing the to a address so I don't need to change the IPs of the inside nets at the remote ends.
Example: Site A Site B

but they retain their internal schemes
I was debating between EZVPN and L2L tunnel-groups; however, the kicker is this: I need to tunnel everything except one network, which is used to pass SIP traffic (this would be an external address, not internal).

I know I can use excluded lists on EZVPN, but that doesn't work for hardware clients. I could prolly build the L2L and then not permit the one network into the tunnel, but I'm trying to find the best design option here.

Any assistance would be appreciated.


  • drkatdrkat Banned Posts: 703
    This has been resolved
  • QHaloQHalo Member Posts: 1,488
    Care to share how you resolved it in case someone else asks? Plus it's good for learning. :)
  • drkatdrkat Banned Posts: 703

    So we ditched EZVPN altogether. It does not allow excluded network lists to be used on the ASA as a hardware client (IOS yes, but not ASA).

    So we built a dynamic VPN on the one side and a static L2L on the other side, and just exempted the traffic that needed to be exempted.

    Example: Head End ASA

    route inside <gateway> tunneled <== this allows us to send all traffic tunneled to a core switch that will handle our routing for the lan

    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dynmap 65535 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dynmap 65535 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dynmap 65535 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dynmap 65535 set reverse-route
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynmap
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

    This allows us to use the DefaultL2LGroup, so we configure our PSK in there:

    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *****


    On the remote peer, we set up a site-to-site VPN and exempt the traffic we don't want going into the tunnel.
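The remote-peer side that the post above only describes in words, as an added example (constructed here, not the poster's configuration): ASA 8.2 syntax, with assumed addresses for the remote LAN (192.168.10.0/24), the head end public IP (203.0.113.1) and the external SIP provider network (198.51.100.0/24) that must stay out of the tunnel. The one point worth checking is that the NAT-exemption ACL mirrors the crypto ACL, otherwise the exempted SIP flows leave the box un-NATed.

```cisco
! Remote-office ASA 5505 (8.2) -- constructed example, not the poster's config.
! Assumed addresses: inside LAN 192.168.10.0/24, head end public IP 203.0.113.1,
! SIP provider network 198.51.100.0/24 (external; must NOT enter the tunnel).
!
! 1. Crypto ACL: deny the SIP network first, then send everything else into the tunnel.
access-list L2L_HEADEND extended deny   ip 192.168.10.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list L2L_HEADEND extended permit ip 192.168.10.0 255.255.255.0 any
!
! 2. NAT exemption must mirror the crypto ACL: the SIP traffic still needs PAT to the
!    outside interface, so it is denied here too and only tunneled flows skip NAT.
access-list NONAT extended deny   ip 192.168.10.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 3. Phase 1 -- must match the head end's policy 10 (pre-share / 3des / sha / group 2).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! 4. Phase 2 -- transform set identical to the head end's ESP-AES-128-SHA.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address L2L_HEADEND
crypto map outside_map 10 set peer 203.0.113.1
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
!
! 5. Static tunnel-group keyed by the head end's address; the PSK must match the
!    DefaultL2LGroup key configured on the head end.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key *****
!
! Verification once the tunnel is up:
!   show crypto isakmp sa   -> peer 203.0.113.1 in MM_ACTIVE
!   show crypto ipsec sa    -> encaps/decaps counters rising for 192.168.10.0/24 -> any
!   packet-tracer input inside udp 192.168.10.50 5060 198.51.100.10 5060
!                           -> should show NAT to the outside interface and no VPN phase
```

Because the remote side has a dynamic address it must always be the initiator; the head end's dynamic map only answers, which is why the head end keeps the PSK under DefaultL2LGroup rather than a per-peer tunnel-group.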