08-16-2007 09:29 AM - edited 03-11-2019 03:58 AM
Hi,
we have a remote site with 1 asa 5005 and 1 pix 501.
the pix 501 has 2 existing vpn tunnels to networks 192.168.42.0/24 and to 192.168.48.0/24.
the asa has another tunnel (easy vpn) to 192.168.1.0/24
I added an inside route on the asa to .48 and .42 networks to the inside of the pix 501 and i allowed traffic out of the same interface to be able to use the asa as a router.
The asa is the default router of the network.
When i try to ping a host on the 42 network from a workstation i get this error
portmap translation creation failed for tcp src inside:192.168.16.38/2111 dst inside:192.168.48.209/111
I think it's because the asa wants to nat this traffic, so i tried to add a rule that traffic from .16 to .42 doesn't need natting. The asa doesn't accept this setting (error: policy natting not possible when easy vpn client enabled)
Can somebody help me out with this please?
08-16-2007 12:03 PM
The ASA is not a router. The ASA by default doesn't allow traffic to go out of the same interface it came in on. I'm not sure if using the same-security-level permit intra-interface command will allow the traffic to flow, but you can give it a try. If that doesn't work, get a Layer 3 switch or router to do the routing.
08-17-2007 12:14 AM
I issued the same-security-level permit inter-interface command, but I don't think that's the problem, I think it's nat related
08-17-2007 05:20 AM
The command is same-security-level permit intra-interface. Anyway Cisco says it only works for VPN connections http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114
You are going to need a Layer 3 device(Router or L3 Switch) to route the traffic.
08-17-2007 05:29 AM
Robin,
You can use the asa for this. Try adding...
global (inside) 1 interface
nat (inside) 1 192.168.16.0 255.255.255.0
08-17-2007 05:54 AM
I tried your suggestion, but no luck
08-17-2007 06:01 AM
You receive the same error message?
try...
static (inside,inside) 192.168.48.209 192.168.48.209 netmask 255.255.255.255
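For anyone landing on this thread later, here is the whole suggested setup in one place, written as an added example rather than anything posted above: pre-8.3 ASA syntax that combines the intra-interface, route and identity-static commands from the replies. Only 192.168.16.0/24, 192.168.42.0/24, 192.168.48.0/24 and the host 192.168.48.209 come from the thread; the PIX inside address 192.168.16.254 and the /24 identity statics are assumptions, marked as such in the comments.

```cisco
! Added example (not from the thread): pre-8.3 ASA syntax combining the
! commands suggested in the replies. Addresses marked ASSUMED are
! placeholders; 192.168.16.0/24, 192.168.42.0/24, 192.168.48.0/24 and
! the host 192.168.48.209 are the values given in the thread.
!
! 1. Let a packet leave through the interface it arrived on (hairpinning).
!    Without this the inside-to-inside flow is dropped before NAT is tried.
same-security-level permit intra-interface
!
! 2. Point the remote VPN subnets at the PIX 501's inside address.
!    192.168.16.254 is an ASSUMED placeholder for the PIX inside IP.
route inside 192.168.42.0 255.255.255.0 192.168.16.254
route inside 192.168.48.0 255.255.255.0 192.168.16.254
!
! 3. Identity (inside,inside) translations. The hairpinned flow then gets
!    an xlate without a policy NAT rule, which Easy VPN client mode rejects
!    (the "portmap translation creation failed" message is the missing xlate).
!    The single-host line is the one posted above; the /24 lines are the same
!    idea extended to both remote subnets (ASSUMED to match the user's design).
static (inside,inside) 192.168.48.209 192.168.48.209 netmask 255.255.255.255
static (inside,inside) 192.168.48.0 192.168.48.0 netmask 255.255.255.0
static (inside,inside) 192.168.42.0 192.168.42.0 netmask 255.255.255.0
!
! 4. If the inside hosts already match a dynamic "nat (inside) 1" rule for
!    internet access, an identity static for the local subnet keeps that
!    rule from being applied to the hairpinned traffic as well.
static (inside,inside) 192.168.16.0 192.168.16.0 netmask 255.255.255.0
!
! 5. Verify after a test ping from a 192.168.16.x workstation: the route
!    table should show the two inside routes, and show xlate should list
!    identity entries instead of failed portmap translations.
show route
show xlate
```

The intra-interface hairpin still passes through the inside interface's access list on ingress, so if that ACL is restrictive the remote subnets need to be permitted there too, and the PIX side must already carry the matching crypto ACL entries for 192.168.16.0/24 or the return traffic never enters its tunnels.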
08-17-2007 06:11 AM
Robin,
What you are trying is to route your inside traffic to remote subnets between different VPN endpoints, right? If that's case, you want to NAT that traffic? or you don't?
08-17-2007 06:59 AM
You could use only the ASA for all the VPN instead of having the PIX and ASA. That way you don't have to worry about routing between them. The ASA can handle all the tunnels and much more than the PIX.
PIX
Performance Summary
Cleartext throughput: Up to 60 Mbps
Concurrent connections: 7,500
56-bit DES IPsec VPN throughput: Up to 6 Mbps
168-bit 3DES IPsec VPN throughput: Up to 3 Mbps
128-bit AES IPsec VPN throughput: Up to 4.5 Mbps
Simultaneous VPN peers: 10*
Cisco ASA 5505 Adaptive Security Appliance Platform Capabilities and Capacities
Firewall throughput: Up to 150 Mbps
VPN throughput: Up to 100 Mbps
Concurrent sessions: 10,000/25,000*
IPsec VPN peers: 10; 25*
SSL VPN peer license levels**: 10 or 25
Interfaces: 8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
Virtual interfaces (VLANs): 3 (no trunking support) / 20 (with trunking support)*
08-19-2007 11:39 PM
ok,
I'll build the tunnels from the asa instead of the old pix.
Thx for all the posts