MDNelson
join:2014-12-17
Carmel, IN
Member

[Config] ASA 5505 Setup Question

OK, I would like to know if the following scenario is possible and if it can be set up remotely?

The ASA 5505 set up in the United States is on a static IP and has VPN tunnels set up on it, so when I am out traveling I can VPN in and access the home network. It has been set up for years and has worked flawlessly.

Now I have got a new place down in Mexico. Our internet provider cannot supply us a static IP (at least not at a price that I am willing to pay). So I have a dynamic IP standard modem. What I would like to do is set up an ASA after the DSL modem. I would like it to be set up to establish a tunnel back to the US ASA, and have the ASA handle the routing on the local Mexico network as well as the tunnel routing. Again, I can VPN from this location with no problem, but when we are down there, between me and the family it is not that uncommon to have 7-10 VPN tunnels going at the same time to the same place (between all of the smartphones and computers).

Anyway, the last thing is: is this something that can be done, and if so, is it something that can be set up remotely, as I cannot find anyone locally in Mexico to do it? I know enough about networks to be dangerous but am not Cisco capable.

Thanks
Mike

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

the question is -- can you set up an asa on your dynamic network and have it create an l2l tunnel back to the states, which resides on a static address?

if so -- then yes. it is possible to do this -- however -- you'll need to ensure that the dynamic side is the initiator for the l2l tunnel -- as it will always go to a single location (rather than vice versa).

in terms of remote setup -- absolutely. it just depends on what your "remote" access is like.

q.

HELLFIRE
MVM
join:2009-11-25

to MDNelson
2nd tubbynet. The only kicker I see is if this "DSL modem" in Mexico is not amenable to being bridged -- i.e. FA0 / VLAN2 on the ASA does not take a / the public IP address but is given an RFC1918 address by said modem.

I've done IPSec remote access VPNs on ISRs with a dynamic IP before -- don't see the ASA having any problem with this.

Regards

MDNelson
join:2014-12-17
Carmel, IN

to tubbynet
Yes, the Mexico side would always be the initiator. From a stability standpoint, would the ASA on the dynamic always auto-initiate whenever there is network traffic? In other words, the stability of our network in Mexico is spotty at best. If the DSL connection in Mexico drops, would the ASA reconnect once the DSL connection resumes?

Are there any recommended Service providers that one would engage to do such a setup?

Thanks for the quick response.

Mike

HELLFIRE
MVM
join:2009-11-25

to MDNelson
said by MDNelson:

would the ASA on the dynamic always auto initiate whenever there is network traffic

Depends how you set it up... if you were using a S2S IPSec tunnel with interesting traffic ACLs setup, any matching traffic will initiate the tunnel.
said by MDNelson:

Are there any recommended Service providers that one would engage to do such a setup?

Not sure what you mean here... can you clarify any more? Offhand, Managed Router Services are all I know about, and they'll charge you a pretty penny upfront and monthly for a circuit, router and management / monitoring.

My 00000010bits

Regards

ua_hockey
join:2003-08-07
Columbus, OH

to MDNelson
This is a very common / easy setup, especially if at least 1 side is static. For the encryption domain, do something like set up an NTP, syslog, radius, etc... server at your US based location that the remote ASA will need to communicate with. This way the VPN always stays up (syslog can be quite a bit of traffic, so I usually use NTP). If you want to get really fancy / secure, you can switch to rsa-sig instead of PSK, which would allow your US based unit to trust only the remote device, and no others. It sounds like you already have a dynamic crypto map set up, due to the fact that you are accessing it remotely now. This would just be another endpoint. You can probably set up EZVPN on the remote requiring little to no modification on the US based unit, otherwise, you'd be looking to set up a l2l tunnel group, which will require either a static ip (which you don't have on the remote side) or rsa-sig. I can try to dig up some links on how to set up RSA-SIG if you need them. It's really easy if you have access to an internal CA, otherwise, you'll have to use a public CA. There are a few free CAs out there that you could use for this instead of having to pay for one. Hope this helps get you started.
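To make the advice in this thread concrete, here is an added example ASA configuration (written for this page, not posted by anyone in the thread) for the PSK variant: the dynamic-address Mexico ASA is the initiator, the interesting-traffic ACL covers the whole LAN-to-LAN range including the ASA's own NTP polls to a US-side server so there is always traffic to bring the tunnel back up after a DSL drop, and the static US ASA accepts the peer through a dynamic crypto map. All addresses, object names, the PSK placeholder and an ASA 9.x IKEv1 feature set are assumptions; accepting a PSK peer of unknown address through the built-in DefaultL2LGroup is standard ASA behaviour but goes beyond what the thread itself spells out.

```cisco
! --- Mexico ASA (dynamic WAN address, always the initiator) ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
object network LAN-MX
 subnet 192.168.20.0 255.255.255.0
object network LAN-US
 subnet 192.168.10.0 255.255.255.0
! interesting traffic: anything between the two LANs (also covers the NTP polls below)
access-list VPN-INTERESTING extended permit ip object LAN-MX object LAN-US
! NAT exemption so tunnel traffic keeps its private source address
nat (inside,outside) source static LAN-MX LAN-MX destination static LAN-US LAN-US no-proxy-arp route-lookup
crypto map CMAP 10 match address VPN-INTERESTING
crypto map CMAP 10 set peer 203.0.113.10
crypto map CMAP 10 set ikev1 transform-set TS-AES256
crypto map CMAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
! keepalive: poll the assumed US-side NTP server from the inside interface so the ASA
! itself generates interesting traffic and re-initiates the tunnel after a DSL outage
ntp server 192.168.10.5 source inside

! --- US ASA (static 203.0.113.10; IKEv1 policy and "crypto ikev1 enable outside" ---
! --- are assumed to exist already because remote-access VPN is working)        ---
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
object network LAN-MX
 subnet 192.168.20.0 255.255.255.0
object network LAN-US
 subnet 192.168.10.0 255.255.255.0
nat (inside,outside) source static LAN-US LAN-US destination static LAN-MX LAN-MX no-proxy-arp route-lookup
! dynamic crypto map entry; pick a sequence number that does not collide with the
! existing remote-access dynamic map, and attach it to the outside crypto map
crypto dynamic-map DYN-L2L 20 set ikev1 transform-set TS-AES256
crypto map CMAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map CMAP interface outside
! PSK for L2L peers whose address is unknown lives in the built-in DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

Because every dynamic peer that knows the DefaultL2LGroup PSK is accepted, this is exactly the case where ua_hockey's rsa-sig suggestion buys something: certificates let the US unit trust only the one remote device rather than anyone holding the shared secret.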