I'd like to set up a site-to-site IPSec VPN tunnel between a head office and a branch office, and for political/security reasons, with the sole purpose of being able to access a "Management" subnet at the branch office, not their main LAN.
None of the NICs on this "management" VLAN/subnet have a default gateway: these devices that need to be managed are multi-homed and "straddle" both networks, and because they require Internet access out through the LAN VLAN/subnet, the NIC that's on the LAN VLAN/subnet has a default gateway set as 10.0.0.1; the MGMT NICs do not have a default gateway.
Because there's no default gateway on those NICs, I'm assuming I'll have to set up a bridged VPN vs. a routed VPN, so that my HQ LAN machines will have a VPN IP on the MGMT network (say 10.1.1.254/24). I'm assuming these devices don't support static routes (some of them are appliances with limited network configuration).
I'm pretty sure this is how your typical Microsoft RRAS PPTP setup works when you dial in through an XP workstation's VPN client, but can this work for multiple machines at the HQ? I'm assuming each HQ machine would be SNATing behind that VPN IP of 10.1.1.254? Does the Cisco ASA 5505 support this? I don't want to allow any traffic back through the tunnel to the HQ LAN either.
EDIT: I'll likely set up a small broadcast domain in an isolated MGMT VLAN on the HQ side to minimize all that ARP/broadcast traffic going over the tunnel.
[HQ]
LAN: 192.168.0.0/24
GW (Cisco ASA 5505): 192.168.0.1
[Branch]
"LAN" VLAN/subnet: 10.0.0.0/24 GW (fe0 10.0.0.1/24)
"MGMT" VLAN/subnet: 10.1.1.0/24 (fe1 10.1.1.0/24)