Hello. We are having problems in configuring multiple ASA 5505 firewalls on static IP address DSL circuits to allow for site-to-site VPN use. One central office (ASA5505 SECurity Plus model) with multiple remote sites (ASA 5505 10 user without Security Plus).
The DSL circuits that we want to connect to have a strange (and new to us) provisioning. AT&T/Bellsouth is the carrier.
Background: If at any site we use the Netopia router that AT&T provides (for the DSL is a PPPoE system), it gets a dynamic WAN IP address that changes almost every time the router is rebooted. Here is the wonderful part: even though it is dynamic IP on the WAN port the circuit's provisioning provides a .248 subnet of static routable IP addresses. Never have I seen a system like that.
For example: the Netopia router configured for PPPoE gets a dyn IP address of 72.150.127.92 reported on its WAN port. But inside the Netopia router we can see the programming for addresses of
72.140.168.130, 72.140.168.131, 72.140.168.132, 72.140.168.133. If the Netopia is properly configured (I recall to do this you turn NAT off) and computers "inside" the office have those IP addresses on them, those computers are all accessible from the Internet.OK. Now for the ASA results.
Once I set the Netopia DSL router for "bridge" mode and put the PPPoE info into the ASA the ASA does connect and give the dynamic IP address on VLAN2. So I had to ask how to use the extra "static" addresses and how do we build a static VPN?
A Cisco TAC ASA engineer assured me we can use the extra static IP's to map to inside servers. And provided an example. Although we cannot test (we are 200 miles away from the nearest site) they say we can duplicate the functionality of the Netopia that way. For the benefit of the group, here is what I received from the first TAC engineer:
--------------- Let's say the outside interface IP address is 100.1.1.1
255.255.255.250 and we have another public IP address pool that we want to use. This pool is 150.1.1.1 through 150.1.1.10:interface e0/0 ip address 100.1.1.1 255.255.255.250 nameif outside
static (inside,outside) 150.1.1.1 192.168.1.1 static (inside,outside) 150.1.1.2 192.168.1.2 static (inside,outside) 150.1.1.3 192.168.1.3 static (inside,outside) 150.1.1.4 192.168.1.4 static (inside,outside) 150.1.1.5 192.168.1.5 .. access-list outacl permit tcp any host 150.1.1.1 eq 80 access-list outacl permit tcp any host 150.1.1.2 eq 25 access-list outacl permit tcp any host 150.1.1.3 eq 443 .. access-group outacl in interface outside
-----------------------------------------------
OK I can see that would work. But how about setting up a static site to site VPN? The first Cisco TAC engineer in ASA Config couldn't help with that question. Nor could the second one (in the VPN Group). He suggested I call TAC again and get someone in "Security" instead of in "VPN".
Any help or words would be appreciated.
I will try to duplicate in our test lab with a few of these ASA's but any help would be appreciated. I have the ASA's here and can RtM but I am sad to say we don't have any local ATT/Bellsouth dynamic DSL with "static" IP to play with and the real sites are 200 miles away. So I am looking for some assurance this can be done at least. Apparently those two Cisco TAC guys had no experience with creating static site- to-site VPN's on this AT&T system so they couldn't really help me piece it together. Surely somebody here in good old Bellsouth territory must have some experience from the streets of Tennessee.
All the sites have this same wierd AT&T/Bellsouth provisioning. Where I work in KY (Windstream was Alltel), static PPPoE gives us a contiguous block of IP's. Makes VPN work a no-brainer. That is what we were expecting obviously.
AT&T has not been helpful. I talked to ATT techs Tier 2 and Tier 1 both and they tell me that if I can't make the ASA 5505 work within the system the only option they have is to convert the circuits to single-static IP . Obviously we don't want to do that since we lose the multiple IP's. Do we have to change the AT&T provisioning?
Any assurance or help of any level would be appreciated.
I wish everyone the best this holiday season.