ASA 5505 to ASA 5505 L2L, but with a twist?
I have a head end site that is using a static IP tied to a 5505 running 8.2, and the inside is on the 192.168.100.0/24 network. I also have remote offices that are using broadband connections (dynamic IP) with 5505s at each location running 8.2, and they are subsequently on 192.168.1.0/24.
I need to have site-to-site connectivity for each of the remote locations.
Now what I was figuring was to assign L2L tunnels and NAT the 192.168.1.0 network to a 192.168.100.0 address so I don't need to change the IPs of the inside nets at the remote ends.
Example:
192.168.100.100 Site A
192.168.100.101 Site B
but they retain their internal schemes.
I was debating EZVPN or L2L tunnel-groups; however, the kicker is this: I need to tunnel everything except one network, which is used to pass SIP traffic (this would be an external address, not internal).
I know I can use excluded lists on EZVPN, but that doesn't work for hardware clients. I could probably build the L2L and then not permit the one network into the tunnel, but I'm trying to find the best design option here.
Any assistance would be appreciated.
Comments
- QHalo: Care to share how you resolved it in case someone else asks? Plus it's good for learning.
- drkat: Sure!
So we ditched EZVPN altogether. It does not allow excluded network lists to be used on the ASA as a hardware client; IOS yes, but not ASA.
So we built a dynamic VPN on the one side and a static L2L on the other side, and just exempted the traffic that needed exempting.
example: Head End ASA
route inside 0.0.0.0 0.0.0.0 <gateway> tunneled <== this allows us to send all tunneled traffic to a core switch that will handle our routing for the LAN
!
! Phase 2 (IPsec) proposal and global SA lifetimes
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
! Dynamic crypto map: no "match address" or "set peer", so any spoke with a
! dynamic public IP can build a tunnel; reverse-route injects a route to each
! spoke's proxy ID once its SA comes up
crypto dynamic-map outside_dynmap 65535 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dynmap 65535 set security-association lifetime seconds 28800
crypto dynamic-map outside_dynmap 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dynmap 65535 set reverse-route
! Dynamic entry goes last (highest sequence) so static entries, if any, are tried first
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynmap
crypto map outside_map interface outside
!
! Phase 1 (ISAKMP) policy; the spokes must offer matching parameters
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
This allows us to use the DefaultL2LGroup, so we configure our PSK in there:
! Spokes have no fixed IP, so their IKE sessions land in the default L2L group
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
===
On the remote peer, we set up a site-to-site VPN and exempt the traffic we don't want going into the tunnel.
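As an added example that is not part of the thread, here is one way the remote (spoke) side of the design described above could look on an ASA 5505 running 8.2. It combines drkat's static L2L with the NAT idea from the original post so that every spoke, although it keeps 192.168.1.0/24 internally, appears to the hub as a unique address. All concrete values are assumptions: hub public IP 203.0.113.10, SIP provider network 198.51.100.0/24, and a per-spoke mapped address 192.168.101.1. The mapped address is deliberately taken from a subnet that is not the hub's own LAN (rather than 192.168.100.x as first proposed), because hub LAN hosts would treat an address in their own subnet as local and ARP for it instead of routing the reply back to the hub ASA. The SIP exclusion relies on 8.2 NAT order (policy NAT is evaluated before regular dynamic NAT) and on the crypto ACL being matched after translation.

```cisco
! Added example: remote (spoke) ASA 5505, 8.2 syntax. Assumed values:
!   hub public IP 203.0.113.10, SIP provider 198.51.100.0/24,
!   spoke mapped address 192.168.101.1 (one per spoke, outside the hub LAN).
!
! Outside takes a dynamic address from the ISP; the default route follows the lease.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! 1) SIP traffic to the provider is policy-PATed to the interface address.
!    Policy NAT is evaluated before regular dynamic NAT, so it wins for this
!    destination only, and the resulting source never matches the crypto ACL.
access-list SIP_DIRECT extended permit ip 192.168.1.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 1 access-list SIP_DIRECT
global (outside) 1 interface
!
! 2) Everything else from the LAN is PATed to the spoke's mapped address,
!    which is what the hub sees; internal addressing stays 192.168.1.0/24.
nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 192.168.101.1
!
! 3) The crypto ACL is matched after NAT, so it references the mapped address.
!    Destination "any" tunnels all remaining traffic to the hub, whose
!    "route inside 0.0.0.0 0.0.0.0 <gateway> tunneled" hands it to the core.
access-list TUNNEL_TRAFFIC extended permit ip host 192.168.101.1 any
!
! Phase 1 / Phase 2 parameters mirror the hub's.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address TUNNEL_TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
!
! Static L2L to the hub; the PSK must match the hub's DefaultL2LGroup key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
```

Two things follow from this layout. First, the hub's reverse-route injection will add a host route for 192.168.101.1 toward the outside interface when the spoke's SA comes up, but the hub's core switch still needs a route for 192.168.101.0/24 pointing at the hub ASA, otherwise replies never reach the tunnel. Second, because the spoke LAN is hidden behind a single PAT address, the hub can only answer connections the spoke initiated; if the hub must reach individual spoke hosts, each spoke needs a mapped /24 (one-to-one `static` translation) instead of a single address. To check the behaviour before trusting it, `packet-tracer input inside tcp 192.168.1.50 1025 198.51.100.5 5060` should show the SIP flow translated to the interface address and leaving untunneled, while the same command toward a hub address should end in the VPN phase, and `show xlate` plus `show crypto ipsec sa` confirm which translation and which SA actually carried the traffic.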