ASA 5505 to ASA 5505 L2L, but with a twist?

drkat (Posts: 703)
I have a head-end site that is using a static IP tied to a 5505 running 8.2, with the inside on the 192.168.100.0/24 network. I also have remote offices that are using broadband connections (dynamic IP) with 5505s at each location running 8.2, and they are all on 192.168.1.0/24.

I need to have site-to-site connectivity for each of the remote locations.

Now, what I was figuring was to assign L2L tunnels and NAT 192.168.1.0 to a 192.168.100.0 address so I don't need to change the IPs of the inside nets at the remote ends.
Example:
192.168.100.100 Site A
192.168.100.101 Site B

but they retain their internal schemes.
I was debating between EzVPN and L2L tunnel-groups; however, the kicker is this: I need to tunnel everything except one network, which is used to pass SIP traffic (this would be an external address, not internal).

I know I can use excluded lists on EzVPN, but that doesn't work for hardware clients. I could probably build the L2L and then not permit the one network into the tunnel, but I'm trying to find the best design option here.

Any assistance would be appreciated.

Comments

  • drkat (Posts: 703)
    This has been resolved.
  • QHalo (Posts: 1,488)
    Care to share how you resolved it, in case someone else asks? Plus it's good for learning. :)
  • drkat (Posts: 703)
    Sure!

    So we ditched EzVPN altogether. It does not allow excluded network lists to be used on the ASA as a hardware client; IOS yes, but not the ASA.

    So we built a dynamic VPN on the one side and a static L2L on the other side, and just exempted the traffic that needed to be exempt.

    Example: head-end ASA

    route inside 0.0.0.0 0.0.0.0 <gateway> tunneled

    This lets us send all traffic arriving through the tunnel to a core switch that handles our routing for the LAN.

    ! Phase 2: transform set and SA lifetimes
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    ! Dynamic crypto map: accepts peers whose address is not known in advance;
    ! reverse-route injects the remote networks into the routing table
    crypto dynamic-map outside_dynmap 65535 set transform-set ESP-AES-128-SHA
    crypto dynamic-map outside_dynmap 65535 set security-association lifetime seconds 28800
    crypto dynamic-map outside_dynmap 65535 set security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dynmap 65535 set reverse-route
    ! Bind the dynamic map as the last (lowest priority) entry of the static map
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dynmap
    crypto map outside_map interface outside
    ! Phase 1 (ISAKMP) policy
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    This allows us to use the DefaultL2LGroup, so we configure our PSK in there:

    tunnel-group DefaultL2LGroup ipsec-attributes
     pre-shared-key *****

    ===

    On the remote peer, we set up a site-to-site VPN and exempt the traffic we don't want going into the tunnel.
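The post above shows only the head-end side. What follows is an added example of the matching remote-peer (spoke) configuration in ASA 8.2 syntax; it is not from the original poster and not verified against their deployment. Assumptions: the head end's static public IP is 203.0.113.10, the external SIP provider network that must stay out of the tunnel is 198.51.100.0/24 (both RFC 5737 documentation ranges), the remote LAN is 192.168.1.0/24 as in the thread, and the ACL/map names are arbitrary. The Phase 1 and Phase 2 parameters mirror the head end so the dynamic map accepts the proposal.

```text
! Added example: remote 5505 running 8.2 (spoke side). Not from the thread.
! Assumed: head end 203.0.113.10, SIP provider net 198.51.100.0/24.

! 1. Interesting traffic for the tunnel. ACLs are evaluated top-down, so the
!    deny for the SIP network comes first; a deny in a crypto ACL means
!    "send in the clear", and the permit below sends everything else to the hub.
access-list outside_cryptomap extended deny ip 192.168.1.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any

! 2. NAT. Tunneled traffic keeps its 192.168.1.x addresses (NAT exemption);
!    SIP traffic falls through to regular PAT on the outside interface.
!    Assumption: the deny ACE in the exemption ACL is honoured on this build;
!    confirm with packet-tracer before relying on it.
access-list inside_nat0_outbound extended deny ip 192.168.1.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 3. Phase 1, identical to the hub's policy 10
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! 4. Phase 2 and a static crypto map entry pointing at the hub
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-128-SHA
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside

! 5. L2L tunnel-group; for a static peer the group name must be the peer IP,
!    and the PSK must match the hub's DefaultL2LGroup key
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
```

Two checks worth running after applying this: `packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.5 5060` should show the flow leaving the outside interface with no VPN phase and a PAT translation, while the same command against a destination such as 8.8.8.8 should show the VPN encrypt phase and no translation; `show crypto ipsec sa` on the hub should then list `192.168.1.0/255.255.255.0` as the remote proxy identity. One caveat the thread leaves open: because the hub's dynamic map accepts whatever proxy identity a spoke proposes, several remote offices that all keep 192.168.1.0/24 cannot be told apart at the hub without per-site translation on the spoke side (the 192.168.100.x idea in the opening post); the example above assumes a single remote site and does no such translation.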