
ASA 5505 VPN NEM

kumlait2004
Level 1

Hi! First of all I apologize for posting a similar question in another forum. I think this one is the right place.

I'm trying to connect to a PIX 501 with Easy VPN in NEM mode with an ASA 5505. Currently running 7.2.2-22 (had to download an interim release due to DHCP problems with the ISP in 7.2.2) and ASDM 5.2.

The problem is that when using NEM mode I cannot ping the other side at all. When using client mode this works fine but I need the two-way traffic.

Our Head unit is 192.168.1.1 and the connecting ASA 5505 is 192.168.10.1. When I try to ping a machine (192.168.1.201) from the remote site I get this in the ASA log:

With network extension mode

302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.10.2/512 laddr 192.168.10.2/512

With only client mode

302020 192.168.1.201 192.168.10.2 Built ICMP connection for faddr 192.168.1.201/0 gaddr 192.168.1.9/1 laddr 192.168.10.2/512

It seems to me that the ASA sets an incorrect gateway address in NEM mode?

The PIX 501 has been working fine for some years with software clients connecting.

Any ideas?

Thanks!


pradeepde
Level 5

When configured in Easy VPN Network Extension Mode, the ASA 5505 does not hide the IP addresses of local hosts by substituting a public IP address. Therefore, hosts on the other side of the VPN connection can communicate directly with hosts on the local network.

Try this link:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html

OK thanks. But I don't want to use Site 2 Site. NEM is what I want to use and it's currently not working when configuring as the 7.2.2 manual describes.
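
An added example, not part of the original thread: a short parser for the two 302020 lines quoted in the question. In this syslog message `gaddr` is the global (translated) address and `laddr` the local address, so comparing them shows whether the ASA translated the inside host; the /24 mask on the head-end network and the function name `analyze` are assumptions.

```python
import ipaddress
import re

# The two 302020 lines quoted in the question (copied from the thread).
NEM_LINE = ("302020 192.168.1.201 192.168.10.2 Built ICMP connection for "
            "faddr 192.168.1.201/0 gaddr 192.168.10.2/512 laddr 192.168.10.2/512")
CLIENT_LINE = ("302020 192.168.1.201 192.168.10.2 Built ICMP connection for "
               "faddr 192.168.1.201/0 gaddr 192.168.1.9/1 laddr 192.168.10.2/512")

# Assumption: the head-end LAN behind 192.168.1.1 uses a /24 mask.
HEAD_END_NET = ipaddress.ip_network("192.168.1.0/24")

BUILT_ICMP = re.compile(
    r"Built ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fid>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gid>\d+) "
    r"laddr (?P<laddr>[\d.]+)/(?P<lid>\d+)"
)


def analyze(line):
    """Return translation facts for one 'Built ICMP connection' line, or None."""
    m = BUILT_ICMP.search(line)
    if m is None:
        return None
    gaddr = ipaddress.ip_address(m["gaddr"])
    laddr = ipaddress.ip_address(m["laddr"])
    return {
        "faddr": m["faddr"],
        "gaddr": str(gaddr),
        "laddr": str(laddr),
        # gaddr != laddr means the inside host was address-translated.
        "translated": gaddr != laddr,
        # ICMP identifier rewritten as well (port-style translation).
        "id_rewritten": m["gid"] != m["lid"],
        # Does the head end see a source inside its own LAN range?
        "global_in_head_end_net": gaddr in HEAD_END_NET,
    }


if __name__ == "__main__":
    for label, line in (("NEM", NEM_LINE), ("client", CLIENT_LINE)):
        print(label, analyze(line))
```

For the NEM line the result shows no translation, which matches the behaviour described in the first reply; the client-mode line shows the host presented to the head end as 192.168.1.9.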
