
Posts Tagged ‘ASA’

Hair-pinning Traffic on a Cisco ASA

Posted in Cisco Networking, Technical on October 14th, 2010

I have recently been working on a project to re-route VPN Client and Site-to-Site VPN internet traffic back out the same ASA5520 (hub) interface (outside) where those VPNs terminate. Routing traffic back out the same interface that it arrived on is called hair-pinning (thanks to Infinite on the forum for pointing this out when I first started looking into this) and requires some additional configuration on the ASAs. It took me a while to get this working so I thought I would write a short blog post explaining the configuration.

I’m working with the following kit: 1 x ASA5520 (VPN hub), 1 x ASA5505 (VPN spoke) and 1 x Cisco VPN Client.




IPSEC Over a 3G WAN to ASA5510

Posted in Cisco Networking, Technical on July 6th, 2010

I have recently been working on a network solution for a mobile (transit) van that will run 4 IPSEC tunnels over 3G back to our core network. I thought I would document the process I followed; it could come in useful for you guys.

I used a Cisco Easy VPN solution as the peer points on the 3G routers are dynamic private IPs that are NAT’d in the cloud. Cisco Easy VPN allows an Easy VPN Client to dial into the Cisco Easy VPN Server (the ASA in my case); as opposed to both sides initiating and building the IPSEC tunnel, only the VPN Client will initiate the IPSEC process.

In the design I am using 4 x Cisco 881 3G routers and 1 Cisco ASA 5510. This document only goes through configuring one of the Cisco 881s plus the ASA. If you want to add this script to another router then it’s just a case of:

- Apply a new LAN IP subnet (see stage 2 part C)
- Create a unique local account for phase 2 authentication (see stage 2 part E)
- Add the new LAN IP subnet to the no-nat ACL if this applies
- Add a static route on the ASA for the new remote network (see stage 2 part G)

IPSEC Over a 3G WAN
