Using an ASA 5005 with VPN tunnel as router

be04376
Level 1

Hi,

We have a remote site with 1 ASA 5005 and 1 PIX 501.

The PIX 501 has 2 existing VPN tunnels, to networks 192.168.42.0/24 and 192.168.48.0/24.

The ASA has another tunnel (Easy VPN) to 192.168.1.0/24.

I added an inside route on the ASA to the .48 and .42 networks via the inside of the PIX 501, and I allowed traffic out of the same interface to be able to use the ASA as a router.

The ASA is the default router of the network.

When I try to ping a host on the .42 network from a workstation I get this error:

portmap translation creation failed for tcp src inside:192.168.16.38/2111 dst inside:192.168.48.209/111

I think it's because the ASA wants to NAT this traffic, so I tried to add a rule that traffic from .16 to .42 doesn't need NATting. The ASA doesn't accept this setting (error: policy NATting not possible when Easy VPN client enabled).

Can somebody help me out with this please?
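The error quoted above is the symptom to look for when the ASA is being asked to hairpin traffic back out the interface it arrived on. Below is an added example (not from the original post or from Cisco) that parses that translation-failure message out of ASA syslog text, flags the entries whose source and destination interface are the same, and summarizes which remote networks are affected. The syslog prefix and message ID on the constructed sample lines are assumptions; the first sample line is the exact message from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches the body of the "translation creation failed" message quoted in the post.
# The syslog prefix (if any) is skipped by using re.search, and the port is optional
# because ICMP variants of the message carry none.
_XLATE_RE = re.compile(
    r"(?P<kind>[a-z][a-z ]*?) translation creation failed "
    r"for (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?"
)


@dataclass(frozen=True)
class XlateFailure:
    kind: str
    proto: str
    src_if: str
    src_ip: str
    src_port: Optional[int]
    dst_if: str
    dst_ip: str
    dst_port: Optional[int]

    def is_hairpin(self) -> bool:
        """True when the flow enters and would leave on the same interface."""
        return self.src_if == self.dst_if


def parse_xlate_failure(line: str) -> Optional[XlateFailure]:
    """Return the parsed failure, or None if the line is not this message."""
    m = _XLATE_RE.search(line)
    if m is None:
        return None

    def port(value: Optional[str]) -> Optional[int]:
        return int(value) if value is not None else None

    return XlateFailure(
        kind=m["kind"], proto=m["proto"],
        src_if=m["src_if"], src_ip=m["src_ip"], src_port=port(m["src_port"]),
        dst_if=m["dst_if"], dst_ip=m["dst_ip"], dst_port=port(m["dst_port"]),
    )


def find_hairpin_failures(lines: List[str]) -> List[XlateFailure]:
    """Only the failures where src and dst interface match (the case in the post)."""
    parsed = (parse_xlate_failure(line) for line in lines)
    return [f for f in parsed if f is not None and f.is_hairpin()]


def count_by_interface_pair(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count failures per (src_if, dst_if) so hairpin traffic stands out."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        f = parse_xlate_failure(line)
        if f is not None:
            key = (f.src_if, f.dst_if)
            counts[key] = counts.get(key, 0) + 1
    return counts


def hairpin_destination_networks(lines: List[str], prefix_len: int = 24) -> List[str]:
    """Remote networks reached through the hairpin, aggregated to /prefix_len.

    The prefix length is an assumption; adjust it to the real remote masks.
    """
    nets = {
        str(ipaddress.ip_network(f"{f.dst_ip}/{prefix_len}", strict=False))
        for f in find_hairpin_failures(lines)
    }
    return sorted(nets)


# Constructed sample log. Line 1 is verbatim from the post; the syslog prefix and
# message ID on the other lines are assumed for illustration.
SAMPLE_LOG = [
    "portmap translation creation failed for tcp src inside:192.168.16.38/2111 dst inside:192.168.48.209/111",
    "%ASA-3-305006: portmap translation creation failed for udp src inside:192.168.16.40/5353 dst inside:192.168.42.10/53",
    "%ASA-3-305006: regular translation creation failed for tcp src inside:192.168.16.50/40000 dst outside:203.0.113.5/443",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.16.50/40001 (198.51.100.7/1025)",
]

if __name__ == "__main__":
    for failure in find_hairpin_failures(SAMPLE_LOG):
        print(f"hairpin {failure.proto} {failure.src_ip} -> {failure.dst_ip} on {failure.src_if}")
    print("per interface pair:", count_by_interface_pair(SAMPLE_LOG))
    print("remote networks needing a same-interface translation:", hairpin_destination_networks(SAMPLE_LOG))
```

Running it over the sample log lists the two inside-to-inside failures, reports one ordinary inside-to-outside failure separately, and names 192.168.42.0/24 and 192.168.48.0/24 as the remote networks the hairpin is trying to reach, which is the set of networks any same-interface translation would have to cover.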

9 Replies

The ASA is not a router. The ASA by default doesn't allow traffic to go out of the same interface it came in on. I'm not sure if using the same-security-level permit intra-interface command will allow the traffic to flow, but you can give it a try. If that doesn't work, get a Layer 3 switch or router to do the routing.

I issued the same-security-level permit inter-interface command, but I don't think that's the problem; I think it's NAT related.

The command is same-security-level permit intra-interface. Anyway, Cisco says it only works for VPN connections: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/vpnsysop.html#wp1042114

You are going to need a Layer 3 device (router or L3 switch) to route the traffic.

Robin,

You can use the asa for this. Try adding...

global (inside) 1 interface

nat (inside) 1 192.168.16.0 255.255.255.0

I tried your suggestion, but no luck.

You receive the same error message?

try...

static (inside,inside) 192.168.48.209 192.168.48.209 netmask 255.255.255.255

Robin,

What you are trying to do is route your inside traffic to remote subnets between different VPN endpoints, right? If that's the case, do you want to NAT that traffic, or don't you?

You could use only the ASA for all the VPNs instead of having the PIX and ASA. That way you don't have to worry about routing between them. The ASA can handle all the tunnels and much more than the PIX.

PIX Performance Summary

  Cleartext throughput:                 Up to 60 Mbps
  Concurrent connections:               7,500
  56-bit DES IPsec VPN throughput:      Up to 6 Mbps
  168-bit 3DES IPsec VPN throughput:    Up to 3 Mbps
  128-bit AES IPsec VPN throughput:     Up to 4.5 Mbps
  Simultaneous VPN peers:               10*

Cisco ASA 5505 Adaptive Security Appliance Platform Capabilities and Capacities

  Feature                       Description
  Firewall throughput           Up to 150 Mbps
  VPN throughput                Up to 100 Mbps
  Concurrent sessions           10,000/25,000*
  IPsec VPN peers               10; 25*
  SSL VPN peer license levels** 10 or 25
  Interfaces                    8-port Fast Ethernet switch with dynamic port grouping (including 2 PoE ports)
  Virtual interfaces (VLANs)    3 (no trunking support) / 20 (with trunking support)*

OK,

I'll build the tunnels from the ASA instead of the old PIX.

Thanks for all the posts.
