ASA VPN Question

Unanswered Question
May 18th, 2007

Recently installed an ASA 5509 to protect an iSeries webserver on the internal network. Ended up having to change the default gateway of the iSeries to the inside address of the ASA in order for the outside world to access the website.

Since we did that, I have a remote office that had a VPN tunnel and could access the iSeries that is now not able to. My question is, do I now need to set up a site-to-site VPN tunnel between the Linksys router in the remote office and the ASA box in order to make this work, and if so, how do I do it?


acomiskey Fri, 05/18/2007 - 11:48

A few questions so this is more clear. I guess the ASA replaced another piece of equipment? The remote office had a VPN tunnel to this other piece of equipment? What access does the remote site need to the iSeries? I guess they need more than www?

sonitadmin Fri, 05/18/2007 - 11:51

Sorry, I should have provided more info. The ASA didn't take the place of anything; it was put in place in addition to a Linksys VPN router. The remote office had a VPN tunnel to the Linksys VPN router. The iSeries gateway was set to this router. The remote office needs access to the iSeries for payroll.

acomiskey Fri, 05/18/2007 - 11:56

Do you want to create a new tunnel to the ASA, or do you want to fix the routing problem so the iSeries knows how to route to the remote network through the original tunnel?

sonitadmin Fri, 05/18/2007 - 12:23

I'm assuming I will have to create a new tunnel. The iSeries is at and it used to have a gateway of (linksys router). It now has (ASA) as the gateway. Had to set it like this to get the outside world to be able to see the website on the iSeries.

Before I did this, there was a remote office network that has a linksys router that had a site to site vpn tunnel that allowed network to access the iSeries. Since I changed that default gateway, this doesn't work anymore.

So my thought is that tunnel needs to be recreated between the router and the ASA. Correct?

acomiskey Fri, 05/18/2007 - 12:26

No, all you have to do is add a route on the server that routes towards

Is this Windows or Linux? I'm not familiar with iSeries.

Something like...

route add MASK

Another option is to allow same-security-traffic intra-interface on the ASA. This would allow traffic to bounce off the inside interface of the ASA towards the original tunnel. All you would have to do is add an inside route on the ASA. You do not have to create a new tunnel in this situation if you don't want to.
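The routing behaviour discussed in this reply, modelled as an added example that is not part of the original thread: it shows which gateway the server hands its replies to before the gateway change, after it, and once a specific route for the remote office is added. All addresses and the `next_hop` and `reply_paths` helpers are assumptions made for illustration, since the thread's real addresses are not shown on the page.

```python
import ipaddress

# Constructed addresses; the thread's real values are not on the page.
LINKSYS = "192.168.1.1"           # assumed inside address of the Linksys VPN router
ASA = "192.168.1.254"             # assumed inside address of the ASA
REMOTE_OFFICE = "192.168.2.0/24"  # assumed remote-office LAN behind the tunnel


def next_hop(routes, destination):
    """Return the gateway chosen by longest-prefix match, or None if no route."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None


def reply_paths(routes):
    """Gateways the server uses to answer a remote-office host and an Internet client."""
    return {
        "remote_office": next_hop(routes, "192.168.2.10"),  # constructed host
        "internet": next_hop(routes, "203.0.113.7"),        # constructed client
    }


# Original setup: the only route is a default gateway pointing at the Linksys.
before = [("0.0.0.0/0", LINKSYS)]
# After the change: default gateway is the ASA, so replies to the remote
# office no longer reach the device that terminates the existing tunnel.
after = [("0.0.0.0/0", ASA)]
# Fix suggested in the reply: keep the ASA as default gateway and add one
# more-specific route for the remote office via the Linksys.
fixed = after + [(REMOTE_OFFICE, LINKSYS)]

if __name__ == "__main__":
    for name, table in (("before", before), ("after", after), ("fixed", fixed)):
        print(name, reply_paths(table))
```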

emad.silicon Fri, 05/18/2007 - 11:55

Yes friend, you have to set up a site-to-site tunnel with the Linksys router, because you have changed or removed the first firewall and surely you changed the IP address, so you need to define the new peer at both sites. Or, if you have just one computer or fewer than 3, you can configure your ASA as an Easy VPN server and install the Cisco VPN client software on those computers instead of configuring site-to-site between the Linksys router and the ASA. How to do that is a long configuration, friend, and you have to know about both the ASA and the Linksys router, and make sure that your Linksys router can be configured with the IPsec functionality.

