The organization I work for recently bought a Cisco ASA 5510 and 3 ASA 5505s to replace some SonicWalls we have in a few group
homes. They are going to be doing a site-to-site VPN tunnel so that the group homes can access our VoIP phones and also remote
desktop into our terminal server. I have tried to test the ASAs from home; I have tried a few things but all were unsuccessful.
Any thoughts?
-- Dale L. Bradford
Since you are moving from a different brand of firewall, you will want to work through this in stages. Keep good notes as you work through things; they will serve you well as you become more familiar with getting the firewalls to work.
The first thing I would do is look at the licenses on your respective firewalls. While Cisco refers to the different license levels, I have found the terminology a little different from what you would expect: assuming the 5510 has a 10-user license and the 5505s have a 5-user license, if you come across the VPN link from the 5505 side to the 5510 and call up a complex Web site, you will eat up all the licenses on the 5510, and the VPN connection will appear to fail because of the way licensing is handled on the Cisco ASA devices. So check the licenses between the ASAs that you have: if you have the 3 ASA 5505s with a 10-user license installed on each one, you will want to add that license count to the number of users at the main office for the total license for the 5510. Assuming you have 20 users at the main office, you would want a license of at least 50 users installed on the ASA 5510. You may find that a higher license count is necessary on the 5510; you'll need to do some testing to know for sure. You won't really see this explained in the documentation, unfortunately.
Once you've dealt with the license issue, connect the two WAN ports together between the ASA 5510 and one of the 5505s. You may need to use a crossover cable to get link between the two firewalls. You can also try putting a switch between the two ASAs (a Layer 3 switch would be ideal), or try a router with two Ethernet interfaces. This will let you assign IP addresses from different subnets to the respective ASAs you are testing. Set up a site-to-site VPN connection. Make sure that you can route properly between the two ASAs and can see all of the systems on each side of the connection. This will help you get a feel for setting up a VPN connection.
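A minimal working site-to-site (LAN-to-LAN) configuration for the back-to-back test described above, as an added example that is not part of Ron Nutter's answer or of Cisco's documentation. It assumes ASA 8.0 to 8.2 command syntax (8.3 and later change the NAT model, and 8.4 renames the IKEv1 commands), two outside addresses on one test subnet (203.0.113.0/24) as you would have with a crossover cable, an inside LAN of 10.0.0.0/24 at the main office and 10.1.0.0/24 at the first group home, and factory-default VLAN assignment on the 5505; the addresses, object names and placeholder pre-shared key are all assumptions.

```cisco
! ===== ASA 5510 at the main office (assumed: outside 203.0.113.10/24, inside 10.0.0.0/24) =====
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Phase 1 (ISAKMP/IKEv1): enable on the outside interface and define one policy.
! Both peers must agree on every attribute here or phase 1 never completes.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Phase 2 (IPsec): transform set referenced by the crypto map.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! "Interesting traffic" to be tunnelled: main office LAN <-> group home LAN.
access-list L2L-HOME1 extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! NAT exemption: tunnelled traffic must not be PATed to the outside address,
! or it never matches the crypto ACL. (nat 0 is the pre-8.3 syntax.)
access-list NONAT extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Crypto map: bind ACL, peer and transform set, then apply it to the outside interface.
crypto map OUTSIDE_MAP 10 match address L2L-HOME1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.20
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! LAN-to-LAN peer definition. The key is a placeholder (assumption): use a long random secret.
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! Route the remote LAN toward the peer so the packet is sent out the interface
! that carries the crypto map (no default route exists in this lab).
route outside 10.1.0.0 255.255.255.0 203.0.113.20 1

! ===== ASA 5505 in group home 1 (assumed: outside 203.0.113.20/24, inside 10.1.0.0/24) =====
! Mirror image of the above: networks, peer address and tunnel-group name are swapped.
! Ethernet0/0 is in VLAN 2 (outside) by factory default on the 5505.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.20 255.255.255.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-MAIN extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address L2L-MAIN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
route outside 10.0.0.0 255.255.255.0 203.0.113.10 1

! ===== Verification (on the 5510, after a host behind it tries to reach the other side) =====
! Trace a simulated RDP packet from the main office LAN to the group home LAN;
! the NAT and VPN phases should both show ALLOW and the packet should exit via outside.
packet-tracer input inside tcp 10.0.0.5 1025 10.1.0.5 3389
! Phase 1 state should read MM_ACTIVE; phase 2 encaps/decaps counters should increment.
show crypto isakmp sa
show crypto ipsec sa
```

The crypto ACL and the NAT exemption on each side must be the exact mirror of the other side's, and the same pre-shared key must be entered on both boxes. When a first attempt fails, `packet-tracer` usually shows the drop at the NAT step (missing `nat 0`) or the VPN step (ACL mismatch), and `show crypto isakmp sa` stuck short of MM_ACTIVE points to a phase 1 policy or key mismatch.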
Comments (3)
Disappointed
By Anonymous on January 2, 2008, 2:36 pm
After I read the article, I was disappointed about the author. The author should never have responded to the question. In my opinion, he is new to understanding L2L VPN, the...
Watch out, this article is mostly incorrect
By jheary on December 19, 2007, 12:55 pm
Unfortunately, the author does not understand Cisco's user licensing. I recommend you disregard all info to that effect. User licensing has nothing to do with bringing...
RE: Building a VPN with Cisco ASA gear
By Anonymous on December 18, 2007, 12:40 pm
I was disappointed with this article for a couple of reasons. First, Mr. Nutter should have done at least a little homework before responding, since it's pretty easy...