ASA 5505 VPN making crazy. How to build single VPN on ATT dynIP/static IP pool system

Discussion in 'Cisco' started by pclposts@yahoo.com, Nov 21, 2007.

  1. Guest

    Hello. We are having problems in configuring multiple ASA 5505
    firewalls on static IP address DSL circuits to allow for site-to-site
    VPN use. One central office (ASA 5505 Security Plus model) with
    multiple remote sites (ASA 5505 10 user without Security Plus).

    The DSL circuits that we want to connect to have a strange (and new to
    us) provisioning. AT&T/Bellsouth is the carrier.

    Background: If at any site we use the Netopia router that AT&T
    provides (for the DSL is a PPPoE system), it gets a dynamic WAN IP
    address that changes almost every time the router is rebooted. Here is
    the wonderful part: even though it is dynamic IP on the WAN port the
    circuit's provisioning provides a .248 subnet of static routable IP
    addresses. Never have I seen a system like that.

    For example: the Netopia router configured for PPPoE gets a dyn IP
    address of 72.150.127.92 reported on its WAN port. But inside the
    Netopia router we can see the programming for addresses of
    72.140.168.130, 72.140.168.131, 72.140.168.132, 72.140.168.133. If the
    Netopia is properly configured (I recall to do this you turn NAT off)
    and computers "inside" the office have those IP addresses on them,
    those computers are all accessible from the Internet.

    OK. Now for the ASA results.

    Once I set the Netopia DSL router for "bridge" mode and put the PPPoE
    info into the ASA, the ASA does connect and gets the dynamic IP address
    on VLAN2. So I had to ask how to use the extra "static" addresses and
    how we build a static VPN.

    A Cisco TAC ASA engineer assured me we can use the extra static IP's
    to map to inside servers. And provided an example. Although we cannot
    test (we are 200 miles away from the nearest site) they say we can
    duplicate the functionality of the Netopia that way. For the benefit
    of the group, here is what I received from the first TAC engineer:
    ---------------
    Let's say the outside interface IP address is 100.1.1.1
    255.255.255.250 and we have another public IP address pool that we
    want to use. This pool is 150.1.1.1 through 150.1.1.10:

    interface e0/0
    ip address 100.1.1.1 255.255.255.250
    nameif outside

    static (inside,outside) 150.1.1.1 192.168.1.1
    static (inside,outside) 150.1.1.2 192.168.1.2
    static (inside,outside) 150.1.1.3 192.168.1.3
    static (inside,outside) 150.1.1.4 192.168.1.4
    static (inside,outside) 150.1.1.5 192.168.1.5
    ...
    access-list outacl permit tcp any host 150.1.1.1 eq 80
    access-list outacl permit tcp any host 150.1.1.2 eq 25
    access-list outacl permit tcp any host 150.1.1.3 eq 443
    ...
    access-group outacl in interface outside
    -----------------------------------------------

    OK I can see that would work. But how about setting up a static site
    to site VPN? The first Cisco TAC engineer in ASA Config couldn't help
    with that question. Nor could the second one (in the VPN Group). He
    suggested I call TAC again and get someone in "Security" instead of in
    "VPN".

    Any help or words would be appreciated.

    I will try to duplicate in our test lab with a few of these ASA's but
    any help would be appreciated. I have the ASA's here and can RtM but I
    am sad to say we don't have any local ATT/Bellsouth dynamic DSL with
    "static" IP to play with and the real sites are 200 miles away. So I
    am looking for some assurance this can be done at least. Apparently
    those two Cisco TAC guys had no experience with creating static site-
    to-site VPN's on this AT&T system so they couldn't really help me
    piece it together. Surely somebody here in good old Bellsouth
    territory must have some experience from the streets of Tennessee.

    All the sites have this same weird AT&T/Bellsouth provisioning. Where
    I work in KY (Windstream was Alltel), static PPPoE gives us a
    contiguous block of IP's. Makes VPN work a no-brainer. That is what we
    were expecting obviously.

    AT&T has not been helpful. I talked to ATT techs Tier 2 and Tier 1
    both and they tell me that if I can't make the ASA 5505 work within
    the system the only option they have is to convert the circuits to
    single-static IP. Obviously we don't want to do that since we lose
    the multiple IP's. Do we have to change the AT&T provisioning?

    Any assurance or help of any level would be appreciated.

    I wish everyone the best this holiday season.
     
    , Nov 21, 2007
    #1

  2. Guest

    Correction: please strike the word "single" from the title or change
    it to "static". It was a typo. Sorry!
     
    , Nov 21, 2007
    #2

  3. CeykoVer Guest

    Re: ASA 5505 VPN making crazy. How to build single VPN on ATT dyn IP/static IP pool system

    I apologize for not reading the whole post, so I may be missing something.
    If I were you I'd check into easyvpn configurations.

    Does not require a static IP address on the client side. Also, VPNs only
    require 1 static IP address - I usually just use the outside interface IP
    address for everything.

    One drawback to EasyVPN: you can't have standard RA VPNs on an interface
    that is configured as an EasyVPN client.

     
    CeykoVer, Dec 10, 2007
    #3
  4. ToJo

    I must confess that I am not familiar with the ASA 5505. I work with an ASA 5510 (but am fairly new to it), so maybe some of that can carry over. It sounds like your main question is about routing, though, so I have a few questions for you:

    Is the Netopia router NATed, firewalled, or any other configuration besides a basic router? If so, can it be set to simply route between the Netopia's WAN network and the network of the static IPs you mentioned? Is there a specific reason you need to put the router into bridge mode?

    I ask because, if you can set the Netopia to only route, the routing and firewalling/VPN functions could be separated, which could help with troubleshooting. Then you could assign the ASA's outside interface the 72.140.168.130 address and use the other addresses in "static (inside,outside)" statements. You would use the 72.140.168.130 outside address for your VPN.

    I agree with CeykoVer about looking into the EasyVPN. Cisco has a "tunnel-group <name> type ipsec-l2l" command, but I don't know if you can have multiple LAN-to-LAN vpns in a hub-spoke setup. My experience is with remote access vpns.

    Hope this helps some. :)
     
    Last edited: Dec 11, 2007
    ToJo, Dec 11, 2007
    #4
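Neither TAC example nor any reply in the thread shows the actual site-to-site piece, so here is a worked configuration added by the editor (not from any poster, and not Cisco's text) that ties the first post's static-NAT sketch to the `tunnel-group <name> type ipsec-l2l` hub-and-spoke question ToJo raises. It assumes 8.0-era ASA syntax (`crypto isakmp`, `nat (inside) 0`), the hub outside address 100.1.1.1 from the TAC sketch on the /29 (255.255.255.248) mask the first post describes, a hub LAN of 192.168.2.0/24, a spoke LAN of 192.168.1.0/24, an already-working PPPoE `vpdn group` named ATT on the spoke, and a placeholder pre-shared key; all of those are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumptions: ASA 8.0-era syntax,
! hub outside 100.1.1.1/29 (from the TAC sketch), hub LAN 192.168.2.0/24,
! spoke LAN 192.168.1.0/24, PPPoE vpdn group "ATT" already defined on the
! spoke, placeholder key <HUB-SPOKE-PSK>.
!
! ===== HUB (Security Plus unit, fixed outside address) =====
interface Vlan2
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.248
!
! Phase 1 / phase 2 parameters; every spoke must match these exactly.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! LAN-to-LAN traffic must bypass NAT, otherwise the static/PAT
! translations rewrite the source before the crypto map can match it.
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Spokes connect from PPPoE addresses the hub cannot know in advance, so
! the hub answers them with a dynamic crypto map and the DefaultL2LGroup
! tunnel group rather than one static map entry and tunnel-group per peer.
crypto dynamic-map SPOKES 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SPOKES
crypto map OUTSIDE_MAP interface outside
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <HUB-SPOKE-PSK>
!
! ===== SPOKE (base-licence unit, dynamic PPPoE outside address) =====
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group ATT
 ip address pppoe setroute
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! The spoke always initiates toward the hub's fixed address, so its own
! outside address can change on every PPPoE reconnect without any change
! on the hub.
access-list TO_HUB extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address TO_HUB
crypto map OUTSIDE_MAP 10 set peer 100.1.1.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
 pre-shared-key <HUB-SPOKE-PSK>
```

Two things to weigh before copying this shape. First, with DefaultL2LGroup every dynamic spoke authenticates with the same pre-shared key, so a key recovered from one remote unit lets that unit pose as any spoke; if per-site keys matter, either use certificate authentication or do what ToJo suggests and put one of the routable /29 addresses (72.140.168.130 in the first post) on each spoke's outside interface, which lets the hub carry a normal `tunnel-group <spoke-ip> type ipsec-l2l` with its own key per site. Second, the NONAT access lists and the crypto ACLs must be mirror images of each other on hub and spoke; a mismatch there is the usual reason `show crypto isakmp sa` shows a live phase 1 while `show crypto ipsec sa` shows no encrypted packets.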
