ASA 5505 VPN making me crazy. How to build single VPN on ATT dynIP/static IP pool system

Discussion in 'Cisco' started by pclposts, Nov 21, 2007.

  1. pclposts

    pclposts Guest

    Hello. We are having problems in configuring multiple ASA 5505
    firewalls on static IP address DSL circuits to allow for site-to-site
    VPN use. One central office (ASA5505 SECurity Plus model) with
    multiple remote sites (ASA 5505 10 user without Security Plus).

    The DSL circuits that we want to connect to have a strange (and new to
    us) provisioning. AT&T/Bellsouth is the carrier.

    Background: If at any site we use the Netopia router that AT&T
    provides (the DSL is a PPPoE system), it gets a dynamic WAN IP
    address that changes almost every time the router is rebooted. Here is
    the wonderful part: even though it is dynamic IP on the WAN port the
    circuit's provisioning provides a .248 subnet of static routable IP
    addresses. Never have I seen a system like that.

    For example: the Netopia router configured for PPPoE gets a dyn IP
    address of reported on its WAN port. But inside the
    Netopia router we can see the programming for addresses of,,, If the
    Netopia is properly configured (I recall to do this you turn NAT off)
    and computers "inside" the office have those IP addresses on them,
    those computers are all accessible from the Internet.

    OK. Now for the ASA results.

    Once I set the Netopia DSL router for "bridge" mode and put the PPPoE
    info into the ASA the ASA does connect and give the dynamic IP address
    on VLAN2. So I had to ask how to use the extra "static" addresses and
    how do we build a static VPN?

    A Cisco TAC ASA engineer assured me we can use the extra static IP's
    to map to inside servers. And provided an example. Although we cannot
    test (we are 200 miles away from the nearest site) they say we can
    duplicate the functionality of the Netopia that way. For the benefit
    of the group, here is what I received from the first TAC engineer:
    Let's say the outside interface IP address is and we have another public IP address pool that we
    want to use. This pool is through

    interface e0/0
    ip address
    nameif outside

    static (inside,outside)
    static (inside,outside)
    static (inside,outside)
    static (inside,outside)
    static (inside,outside)
    access-list outacl permit tcp any host eq 80
    access-list outacl permit tcp any host eq 25
    access-list outacl permit tcp any host eq 443
    access-group outacl in interface outside

    OK I can see that would work. But how about setting up a static site
    to site VPN? The first Cisco TAC engineer in ASA Config couldn't help
    with that question. Nor could the second one (in the VPN Group). He
    suggested I call TAC again and get someone in "Security" instead of in

    Any help or words would be appreciated.

    I will try to duplicate in our test lab with a few of these ASA's but
    any help would be appreciated. I have the ASA's here and can RtM but I
    am sad to say we don't have any local ATT/Bellsouth dynamic DSL with
    "static" IP to play with and the real sites are 200 miles away. So I
    am looking for some assurance this can be done at least. Apparently
    those two Cisco TAC guys had no experience with creating static
    site-to-site VPNs on this AT&T system so they couldn't really help me
    piece it together. Surely somebody here in good old Bellsouth
    territory must have some experience from the streets of Tennessee.

    All the sites have this same weird AT&T/Bellsouth provisioning. Where
    I work in KY (Windstream was Alltel), static PPPoE gives us a
    contiguous block of IPs. Makes VPN work a no-brainer. That is what we
    were expecting obviously.

    AT&T has not been helpful. I talked to ATT techs Tier 2 and Tier 1
    both and they tell me that if I can't make the ASA 5505 work within
    the system the only option they have is to convert the circuits to
    single-static IP. Obviously we don't want to do that since we lose
    the multiple IPs. Do we have to change the AT&T provisioning?

    Any assurance or help of any level would be appreciated.

    I wish everyone the best this holiday season.
    pclposts, Nov 21, 2007

  2. pclposts

    pclposts Guest

    Correction: please strike the word "single" from the title or change
    it to "static". It was a typo. Sorry!
    pclposts, Nov 21, 2007

  3. CeykoVer

    CeykoVer Guest

    I apologize for not reading the whole post, so I may be missing something.
    If I were you I'd check into easyvpn configurations.

    Does not require a static IP address on the client side. Also, VPNs only
    require 1 static IP address - I usually just use the outside interface IP
    address for everything.

    One drawback to the easyvpn, you can't have standard RA vpns on an interface
    that is configured as an easyvpn client.
    CeykoVer, Dec 10, 2007
  4. ToJo

    I must confess that I am not familiar with the ASA 5505. I work with an ASA 5510 (but am fairly new to it), so maybe some of that can carry over. It sounds like your main question is about routing, though, so I have a few questions for you:

    Is the Netopia router NATed, firewalled, or any other configuration besides a basic router? If so, can it be set to simply route between the Netopia's WAN network and the network of the static IPs you mentioned? Is there a specific reason you need to put the router into bridge mode?

    I ask because, if you can set the Netopia to only route, the routing and firewalling/VPN functions could be separated, which could help with troubleshooting. Then you could assign the ASA's outside interface the address and use the other addresses in "static (inside,outside)" statements. You would use the outside address for your VPN.

    I agree with CeykoVer about looking into the EasyVPN. Cisco has a "tunnel-group <name> type ipsec-l2l" command, but I don't know if you can have multiple LAN-to-LAN vpns in a hub-spoke setup. My experience is with remote access vpns.

    Hope this helps some. :)
    Last edited: Dec 11, 2007
    ToJo, Dec 11, 2007
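Hub-and-spoke site-to-site IPsec between the central ASA (fixed outside address) and a PPPoE spoke whose outside address changes on every reconnect, written here as an added example; it is not from the thread, from TAC or from Cisco documentation. Everything specific is assumed: 203.0.113.10 as the hub's outside address, 198.51.100.8/29 as the spoke's routed static block, 10.1.0.0/24 and 10.2.0.0/24 as the two LANs, the object and map names, and the pre-shared key. It uses the pre-8.3 `static`/`nat 0` syntax that matches the TAC snippet in the first post (8.3 and later changed NAT completely), and on the 5505 the outside interface is Vlan2 rather than e0/0. The spoke half also shows the extra public addresses mapped with `static (inside,outside)` the way TAC described, alongside the tunnel:

```cisco
! ---------- HUB: central office ASA 5505, static outside IP (assumed 203.0.113.10) ----------
! The hub cannot initiate to a peer whose address it does not know. It waits for the
! spokes and matches them with a dynamic crypto map; IKEv1 L2L peers that arrive from an
! unknown address are authenticated against DefaultL2LGroup.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Keep hub<->spoke traffic out of NAT (nat 0 access-list is evaluated before static/nat).
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Restrict the proxy IDs a spoke may negotiate; add one line per spoke LAN instead of "any any".
access-list SPOKES-VPN extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto dynamic-map DYN-SPOKES 10 match address SPOKES-VPN
crypto dynamic-map DYN-SPOKES 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-SPOKES
crypto map OUTSIDE-MAP interface outside
!
! Dynamic-address L2L peers land in DefaultL2LGroup, so every spoke shares this one key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Sp0ke-Sh4red-Key-CHANGE-ME   ! assumed placeholder
!
! ---------- SPOKE: remote ASA 5505, PPPoE on Vlan2, dynamic outside IP ----------
! Vlan2 already gets its address from AT&T via "ip address pppoe setroute", as in the thread.
! The routed static block (assumed 198.51.100.8/29) is mapped the way TAC described; AT&T routes
! the block toward the PPPoE session, so the ASA simply answers for these addresses.
static (inside,outside) 198.51.100.10 10.2.0.10 netmask 255.255.255.255
static (inside,outside) 198.51.100.11 10.2.0.11 netmask 255.255.255.255
access-list OUTACL extended permit tcp any host 198.51.100.10 eq 80
access-list OUTACL extended permit tcp any host 198.51.100.10 eq 443
access-list OUTACL extended permit tcp any host 198.51.100.11 eq 25
access-group OUTACL in interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! NAT exemption takes precedence over the statics above, so the mapped servers reach the
! hub LAN by their private addresses instead of their public ones.
access-list NONAT extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Static crypto map: the spoke knows the hub's address, so the spoke is the side that initiates.
access-list HUB-VPN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address HUB-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key Sp0ke-Sh4red-Key-CHANGE-ME   ! must match the hub's DefaultL2LGroup key
```

Two things to check before relying on this. First, the hub only answers, so after configuring a spoke generate traffic from its LAN toward the hub LAN and confirm the SA with `show crypto isakmp sa` and `show crypto ipsec sa` on both sides; an idle spoke has no tunnel until something initiates it. Second, because every dynamic-address spoke authenticates through DefaultL2LGroup, all spokes share one pre-shared key, and any one compromised spoke holds the key the others use; per-spoke keys require identifying the peer by something other than its address (certificates, or a named identity sent in aggressive mode with a matching tunnel-group), which is a separate design decision to make before rolling this out to every site.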
