ASA 5505 Routing question

Jan 10th, 2008

The ASA 5505 now includes routing that the PIX didn't support. My question is: is it possible to route via a static entry to an IP address set up across a LAN-to-LAN VPN location? The ASA allows the entry but doesn't allow the traffic. The ASA is using PAT.

Jon Marshall Thu, 01/10/2008 - 12:20
Hi Mark

If this is a standard L2L setup you don't need a route on the ASA; you just need to make sure the IP address is included in your crypto map access-list, which tells the ASA which traffic to send down the tunnel.

As long as traffic destined for the IP ends up at the ASA, the IPsec configuration will do the rest.

Jon

mmccloud Thu, 01/10/2008 - 14:26
The translated address is 10.0.42.15 and the tunnel is set up with 10.0.42.0 255.255.255.0. But it's not working. I thought that because the traffic is translated and then encapsulated through the tunnel, additional settings might be required. Please advise.

Jon Marshall Thu, 01/10/2008 - 14:29
Mark

Could you post some more details, i.e. source IP address, destination address, NATting that takes place on the ASA, crypto access-list etc.?

You should not need to add explicit routes.

Jon


mmccloud Fri, 01/11/2008 - 05:42
Here is part of the config:

name 10.0.42.15 Daymas01
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp Daymas01 smtp netmask 255.255.255.255
access-group outside_access_in in interface outside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-DES-SHA
service-policy global_policy global
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *


The goal is to map SMTP traffic arriving on the outside interface onto the VPN tunnel to 10.0.42.15.

Thanks for reviewing!
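As an added example (not from the thread, and not Cisco code), the script below parses the two extended access-lists from the posted config and evaluates candidate flows against them, reflecting that the ASA matches the crypto map ACL on post-NAT addresses. The host addresses 192.168.1.10 and 203.0.113.5 are constructed for illustration.

```python
import ipaddress
import re

# Access-list lines copied verbatim from the config posted in the thread.
ASA_CONFIG = """
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.0.42.0 255.255.255.0
"""

# Only the "extended <action> <proto> <src> <mask> <dst> <mask>" form used above is handled.
ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_acls(config: str) -> dict:
    """Return {acl_name: [(action, proto, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, src, smask, dst, dmask = m.groups()
        acls.setdefault(name, []).append((action, proto,
                                          ipaddress.ip_network(f"{src}/{smask}"),
                                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return acls

def acl_permits(acls: dict, name: str, src: str, dst: str) -> bool:
    """First-match evaluation of one ACL; an ASA ACL denies implicitly at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, _proto, src_net, dst_net in acls.get(name, []):
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def tunnel_eligible(acls: dict, src: str, dst: str) -> bool:
    """True when the post-NAT flow matches the crypto map ACL, i.e. the ASA
    would encrypt it into the L2L tunnel; any other flow is not sent down the tunnel."""
    return acl_permits(acls, "outside_1_cryptomap", src, dst)

ACLS = parse_acls(ASA_CONFIG)

if __name__ == "__main__":
    # Constructed flows: an inside host, and an Internet SMTP client (203.0.113.5 is a
    # documentation address) whose connection the static has translated to Daymas01.
    for label, src in (("inside host", "192.168.1.10"), ("outside SMTP client", "203.0.113.5")):
        print(f"{label} {src} -> 10.0.42.15: nat0={acl_permits(ACLS, 'inside_nat0_outbound', src, '10.0.42.15')} "
              f"crypto={tunnel_eligible(ACLS, src, '10.0.42.15')}")
```

For the SMTP flow the thread is about, the source after the static translation is still the Internet client, which the crypto ACL only permits from 192.168.1.0/24, so the check returns False; this is the "is the address included in the crypto map access-list" question from the first reply, made mechanical.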

