using an asa 5005 with vpn tunnel as router

Unanswered Question
Aug 16th, 2007
User Badges:


we have a remote site with 1 asa 5005 and 1 pix 501.

the pix 501 has 2 existing vpn tunnels to networks and to

the asa has another tunnel (easy vpn) to

I added an inside route on the asa to .48 and .42 networks to the inside of the pix 501 and i allowed traffic out of the same interface to be able to use the asa as a router.

The asa is the default router of the network.

When i try to ping a host on the 42 network from a workstation i get this error

portmap translation creation failed for tcp src inside: dst inside:

I think its because the asa wants to nat this traffic, so i tried to add a rule that traffic from .16 to .42 doesn?t need natting. The asa doesn?t accept this setting ( error: policy natting not possible when easy vpn client enabled)

Can somebody help me out with this please?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
rigoberto.cintr... Thu, 08/16/2007 - 12:03
User Badges:

The ASA it not a router. The ASA by default don't traffic to go out of the same interface it came. I'm not sure if you use the same-security-level permit intra-interface command will allow the traffic to flow, but you can give it a try. If that doesn't work get a Layer 3 switch or router to do the routing.

be04376 Fri, 08/17/2007 - 00:14
User Badges:

I issued the same-security-level permit inter-interface command, but I don?t think that?s the problem, I think it?s nat related

acomiskey Fri, 08/17/2007 - 05:29
User Badges:
  • Green, 3000 points or more


You can use the asa for this. Try adding...

global (inside) 1 interface

nat (inside) 1

acomiskey Fri, 08/17/2007 - 06:01
User Badges:
  • Green, 3000 points or more

You receive the same error message?


static (inside,inside) netmask

rigoberto.cintr... Fri, 08/17/2007 - 06:11
User Badges:


What you are trying is to route your inside traffic to remote subnets between different VPN endpoints, right? If that's case, you want to NAT that traffic? or you don't?

rigoberto.cintr... Fri, 08/17/2007 - 06:59
User Badges:

You could use only tha ASA for all the VPN instead of having the PIX and ASA. That way you don't have to worry about routing between them. The ASA can handle all the tunnels and much more that the PIX.


Performance Summary

Cleartext throughput: Up to 60 Mbps

Concurrent connections: 7,500

56-bit DES IPsec VPN throughput: Up to 6 Mbps

168-bit 3DES IPsec VPN throughput: Up to 3 Mbps

128-bit AES IPsec VPN throughput: Up to 4.5 Mbps

Simultaneous VPN peers: 10*

Cisco ASA 5505 Adaptive Security Appliance Platform Capabilities and Capacities

Feature Description

Firewall throughput Up to 150 Mbps

VPN throughput Up to 100 Mbps

Concurrent sessions 10,000/25,000*

IPsec VPN peers 10; 25*

SSL VPN peer license levels** 10 or 25

Interfaces 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)

Virtual interfaces (VLANs) 3 (no trunking support) / 20 (with trunking support)*

be04376 Sun, 08/19/2007 - 23:39
User Badges:


I?ll build the tunnels from the asa instead of the old pix.

Thx for all the posts


This Discussion